We have to comply with third-party security requirements for the loading of 3DES keys. I'm a little confused about the reason behind why Key Check Values (KCVs) can't be full length. As KCV are hashes, I'm wondering what the security implication and risks are?
Asked
Active
Viewed 314 times
1 Answers
4
The usual (or at least traditional) blockcipher KCV is not a hash but rather the truncated encryption of zero; see How to obtain KCV from the key and KCV and compatibility with block cipher modes of operation
If 3DES (TDEA) key components K1,K2,K3 (i.e. single-length) (or their shares) are checked separately, a full-length (64-bit) check value on a 56-bit key component is practical to bruteforce, with small chance of ambiguity. Similarly for AES-128 where block size equals key size, if 2^128 bruteforce were practical you would be unlikely to get more than a very few candidate keys, which in most situations is a break. For a double-length or triple-length 3DES key, the key is longer than a (full) data block, by 48 or 104 bits; the former is probably safe and the latter definitely so.
dave_thompson_085
- 6,523
- 1
- 22
- 25