Des and 3DES PRF: 16 or 8 bytes

Don Davis dodavis at
Thu Apr 30 20:56:19 EDT 2009

hi, sam --

i think an 8 byte hash is sufficiently limited nowadays to justify
using 16 byte as the prf output size.

- don davis, redhat

Sam Hartman wrote:
> Folks, it was not clear in the discussion at IETF 74 whether we wanted
> to have the RFC 3961 PRF for 3DES change to be an 8-byte output or
> not.  Currently if you assume that the text says to truncate to the
> nearest multiple of m, then the 3DES PRF should be 16 bytes.
> As far as I can tell, no one is shipping DES or 3DES PRF, but I only
> checked Heimdal up through 1.2.
> My assumption for MIT is that we want to be consistent with RFC 3961
> except for AES.
> So, that would mean that
> des: cbc-encrypt(md5(prf_input))
> 3des: cbc-encrypt(sha-1(prf_input) trunc to 128-bits) with dk(key, "prf")
> rc4: hmac-sha1(prf_input) with key
> aes: ecb-encrypt(sha-1(prf_input) trunc to 128-bits) with dk(key, "prf")
> Do people agree with that?  If MIT should do something different for
> DES or 3DES, now would be the right time to speak up.  We're fairly
> committed to our RC4 and AES implementations.
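Added example, not part of either message and not MIT or Heimdal code: the hash-and-truncate stage of the four PRFs listed in the quoted message, showing where the 16-byte and 8-byte figures come from. It assumes block sizes m of 8 bytes for DES and 3DES and 16 for AES, and that the cipher stage (not implemented here) encrypts whole blocks without changing their length; the `single_block` option is a hypothetical way of modelling the 8-byte alternative.

```python
import hashlib
import hmac

# Hash and cipher block size m (bytes) for each enctype in the quoted list.
PROFILES = {
    "des":  {"hash": hashlib.md5,  "m": 8},
    "3des": {"hash": hashlib.sha1, "m": 8},
    "aes":  {"hash": hashlib.sha1, "m": 16},
}


def truncate_to_multiple(data, m):
    """Keep the longest prefix of data whose length is a multiple of m."""
    keep = len(data) - (len(data) % m)
    if keep == 0:
        raise ValueError("hash output is shorter than one cipher block")
    return data[:keep]


def cipher_input(enctype, prf_input, single_block=False):
    """Return the bytes that would be handed to the cipher stage.

    single_block=False: truncate the hash to the nearest multiple of m.
    single_block=True:  hypothetical alternative, keep exactly one block.
    """
    profile = PROFILES[enctype]
    digest = profile["hash"](prf_input).digest()
    if single_block:
        return digest[:profile["m"]]
    return truncate_to_multiple(digest, profile["m"])


def rc4_prf(key, prf_input):
    """rc4 entry from the list: HMAC-SHA1 over the input, no cipher stage."""
    return hmac.new(key, prf_input, hashlib.sha1).digest()


def prf_output_sizes(prf_input, single_block=False):
    """Output length in bytes per enctype, given a length-preserving cipher."""
    sizes = {name: len(cipher_input(name, prf_input, single_block))
             for name in PROFILES}
    # Constructed sample key, used only to measure the output length.
    sizes["rc4"] = len(rc4_prf(b"constructed-sample-key", prf_input))
    return sizes


if __name__ == "__main__":
    sample = b"constructed prf input"
    print("multiple of m:", prf_output_sizes(sample))
    print("single block: ", prf_output_sizes(sample, single_block=True))
```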