What's the probability distribution of 3DES keys' key check values?

We don't know, but we firmly believe it to be computationally indistinguishable from uniform.

Are the key check values you use 64 bit (AFAIK, there's no standard 'key check algorithm' for 3DES); if so, well, 64 bits is certainly not enough if collision attacks are possible, and it is of questionable value if preimage attacks (that is, find a second key with the same check value is this one) are possible.

An (even) bigger issue with standard PKCS#11 KCV's is that they contain the encryption of all zero input message. Now if you take CTR mode you'll find that the initial counter value with a zero nonce (and thus zero counter) is also all zero. In other words: you directly leak bytes of the key stream. They should just have used a one-way function such as SHA-1.

I think that poncho's comment rather well covers the question; if this is applicable depends on your use case (e.g. how many bytes are kept of the KCV, if the attacker can trigger the use of many keys etc.). Note that 3DES has some drawbacks inherent of the small block size. I'd rather use a one-way function with a larger output size. Even SHA-1, HMAC-SHA-1 or a related KDF would be much better than KCV (160 bits vs 64 bits), even with 2-key triple DES. A SHA-256 based function would even be better, but I presume you're restricted to legacy algorithms if you still have to use 3DES...

Thanks, that makes sense. The partner who's sending me keys requires 3DES, but I could SHA-256 the key. It turns out that I'm going to use a different design though. There's no guarantee that the partner doesn't send me the send key twice, to use on two different occasions, which makes having an ID for the key unhelpful.

I sit in a Tesla and translated this thread with Ai: