Score:2

What's the probability distribution of 3DES keys' key check values?


Do the key check values of two-key 3DES keys have a uniform distribution? If not, I'm curious as to what the distribution is.

I ask because I want to know how safe it is to use a key's KCV as an identifier for that key. If the distribution is uniform, then I believe that I can calculate the chances of a KCV collision via the birthday problem and use that to decide whether KCVs are a safe ID for my use case.

Daniel S
We don't know, but we firmly believe it to be computationally indistinguishable from uniform.
poncho
Are the key check values you use 64 bit? (AFAIK, there's no standard 'key check algorithm' for 3DES.) If so, well, 64 bits is certainly not enough if collision attacks are possible, and it is of questionable value if preimage attacks (that is, finding a second key with the same check value as this one) are possible.
Maarten Bodewes
An (even) bigger issue with standard PKCS#11 KCVs is that they contain the encryption of an all-zero input message. Now if you take CTR mode you'll find that the initial counter value with a zero nonce (and thus zero counter) is also all zero. In other words: you directly leak bytes of the key stream. They should just have used a one-way function such as SHA-1.
Maarten Bodewes
I think that poncho's comment covers the question rather well; whether this is applicable depends on your use case (e.g. how many bytes are kept of the KCV, if the attacker can trigger the use of many keys etc.). Note that 3DES has some drawbacks inherent in the small block size. I'd rather use a one-way function with a larger output size. Even SHA-1, HMAC-SHA-1 or a related KDF would be much better than KCV (160 bits vs 64 bits), even with 2-key triple DES. A SHA-256 based function would be even better, but I presume you're restricted to legacy algorithms if you still have to use 3DES...
Christopher Simmons
Thanks, that makes sense. The partner who's sending me keys requires 3DES, but I could SHA-256 the key. It turns out that I'm going to use a different design though. There's no guarantee that the partner doesn't send me the same key twice, to use on two different occasions, which makes having an ID for the key unhelpful.
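Added example, not part of the original thread: the birthday-problem estimate the question describes, evaluated for several identifier widths, next to a SHA-256-based key identifier of the kind suggested in the comments. It assumes identifiers behave as uniform random values; the 3-byte truncation, the `key-id-v1` label and all function names are assumptions made for illustration.

```python
import hashlib
import math
import secrets

def collision_probability(n_keys: int, id_bits: int) -> float:
    """Birthday approximation: P(at least one collision) among n_keys
    identifiers drawn uniformly from 2**id_bits possible values."""
    pairs = n_keys * (n_keys - 1) / 2
    return -math.expm1(-pairs / 2.0 ** id_bits)  # accurate for tiny results

def keys_for_probability(p: float, id_bits: int) -> int:
    """Smallest key count whose collision probability reaches p."""
    c = -math.log1p(-p) * 2.0 ** id_bits         # solve n(n-1)/2 = c for n
    return math.ceil((1 + math.sqrt(1 + 8 * c)) / 2)

def key_id(key: bytes, id_bytes: int = 32) -> bytes:
    """One-way identifier: SHA-256 over a fixed label plus the key.
    Unlike a KCV it is not the encryption of an all-zero block."""
    return hashlib.sha256(b"key-id-v1\x00" + key).digest()[:id_bytes]

def simulate(n_keys: int, id_bytes: int, trials: int) -> float:
    """Empirical collision rate over constructed random 16-byte keys."""
    hits = 0
    for _ in range(trials):
        seen = set()
        for _ in range(n_keys):
            kid = key_id(secrets.token_bytes(16), id_bytes)
            if kid in seen:
                hits += 1
                break
            seen.add(kid)
    return hits / trials

if __name__ == "__main__":
    # 24 bits: assumed 3-byte truncated check value; 64 bits: one full
    # 3DES block; 256 bits: the untruncated SHA-256 identifier.
    for bits in (24, 64, 256):
        print(f"{bits:3d}-bit id: 50% collision at ~"
              f"{keys_for_probability(0.5, bits):.3e} keys, "
              f"P(collision | 1e6 keys) = "
              f"{collision_probability(10**6, bits):.3e}")
    # Sanity check of the formula with a deliberately tiny 16-bit id.
    print("simulated:", simulate(300, 2, 200),
          "predicted:", round(collision_probability(300, 16), 3))
```

These figures cover accidental collisions between honestly generated keys only; they say nothing about an attacker searching for a second key with a matching value, which is the case poncho's comment raises.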