Des and 3DES PRF: 16 or 8 bytes
jhutz at cmu.edu
Fri May 1 11:51:14 EDT 2009
--On Thursday, April 30, 2009 04:25:09 PM -0400 Sam Hartman
<hartmans-ietf at mit.edu> wrote:
> Folks, it was not clear in the discussion at IETf 74 whether we wanted
> to have the RFC 3961 PRF for 3DES change to be an 8-byte output or
> not. Currently if you assume that the text says to truncate to the
> nearest multiple of m, then the 3DES PRF should be 16 bytes.
Hrm. This goes directly back to the discussion of whether we want to
truncate to the nearest multiple of the cipher block size, or to the block
size itself. I believe we've rather thoroughly had the discussion of the
relative security merits of the two approaches, but we were rather focused
Now you are bringing up an interoperability issue relating to 3DES, which
happens to be the only _other_ standardized simplified-profile CBC-mode
enctype for which "truncate the output of H to the nearest multiple of m"
does not mean the same thing as "truncate the output of H to c". Of
course, AFAIK it is also the only other standardized simplified-profile
CBC-mode enctype, period.
I believe we have already come to the conclusion that "truncate to the
nearest multiple of m" is the only reasonable interpretation of what 3961
says, and so changing AES will involve updating 3961 and/or 3962. Provided
that we are satisfied that the 3961 behavior for 3DES is acceptable, or
that the interop considerations are more important, I see no reason we
cannot treat 3DES specially at that time, retaining the existing.
Of course, I don't think I've seen any discussion yet from the working
group on the question Sam raised...
More information about the krbdev