Des and 3DES PRF: 16 or 8 bytes

Don Davis dodavis at
Fri May 1 11:13:12 EDT 2009

>     Don> i think an 8 byte hash is sufficiently limited nowadays
>     Don> to justify using 16 byte as the prf output size.
> You and everyone else comes to this conclusion when they examine the
> problem for about 30 seconds. ...
> If you are seeing an attack, I'd appreciate a more detailed response
> describing the attack and its assumptions.
hi, sam --

i think the very fact that 8bytes simply & universally _seems_ inadequate,
is sufficient justification. it's like the argument against using MD5, 
10 years
ago -- we knew, and some customers knew, that MD5 would eventually
get cracked wide-open, so it was easier to deprecate MD5 in advance,
than to detailedly analyze the plusses & minusses of continuing to use
MD5 for a few more years. just for example, i doubt that krb's support
of a 64bit 3DES hash would be acceptable for NIST's FIPS 140-2
certification of kerberos.

after all, no-one in the hash-function field recommends any hash-fcn with
such a short output as 64 bits. i can't justify the work necessary to 
support using a 64-bit hash. at the same time, it also seems plain that 
3DES as a 128-bit hash fcn isn't such a bad idea, except for performance.
why overwork the question?

- don davis

More information about the krbdev mailing list