[3DES]
Yeah, it wins. Dog-slow, but everybody's comfortable with it.
What about the 2-Key 3DES vs. 3-Key 3DES problem?
Just do what X9.52 does, always use 3 keys but allow the first key to be
repeated for the third key if you want 2-key triple DES.
(There's also the minor annoyance that 3-Key 3DES needs
168 bits of key, and SHA-1 only gives you 160,
and if the standard was going to insist on something that
required 168 real bits I'd recommend changing it...)
There are a number of algorithms for hashing/distilling passphrases, but many
of them are either awful and/or don't provide more bits than the output of the
hash function which is used (which is exactly the problem mentioned above).
The PKCS #5 method is very limited, the PFX method is awful, HMACs are
limited to the hash function output size and also handle passphrases longer
than 64 bytes in a somewhat kludgy manner, I don't really like the SSLv3
version (it iterates over the same data and only changes a few input bits for
each block of output), and the TLS function again has a fixed output size
based on the underlying hash functions.
The one I've been using is the one I posted to sci.crypt about a year ago,
which is:
/* Derive an encryption key from a variable-length user key. This function
   works as follows:

     key[] = { 0 };
     state = hash( algorithm, mode, parameters, userKey );
     for count = 1 to iterations
       for length = 1 to keyLength
         state = hash( state );
         key[ length ] = hash( state, userKey );

   The state acts as an RNG which ensures that the user key hashing is
   serialized (i.e. that any form of parallelization or precomputation isn't
   possible) */
This can produce output of arbitrary size (e.g. 448 bit Blowfish keys), and also
addresses various other problems I've seen in existing functions, for example
if you start with the same parameters and use the resulting hash to key (say)
DES and IDEA, then anyone who can recover a DES key can also recover 56 bits
of your IDEA key. By including the algorithm and parameters into the initial
state calculation, a DES key derived from a given set of parameters will be
completely different to an IDEA key coming from the same parameters.
Peter.
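The derivation described in the post, written out in Python as an added example (this is not Peter's code). Assumptions: SHA-1 is the hash, each input field is length-prefixed before hashing because the post does not specify an encoding, keyLength is counted in hash-output blocks, and the concatenated blocks are truncated to the requested key size. It also shows the DES-vs-IDEA point: the same passphrase and parameters give unrelated keys once the algorithm name is folded into the initial state.

```python
import hashlib
import struct


def _h(*parts: bytes) -> bytes:
    # Hash the length-prefixed concatenation of the parts, so that
    # ("ab", "c") and ("a", "bc") never collide.  SHA-1 because the post
    # discusses it; any hash with a fixed digest size works the same way.
    m = hashlib.sha1()
    for p in parts:
        m.update(struct.pack(">I", len(p)))
        m.update(p)
    return m.digest()


def derive_key(algorithm: str, mode: str, parameters: bytes,
               user_key: bytes, key_bytes: int, iterations: int = 1000) -> bytes:
    """Return key_bytes of key material derived from user_key.

    state = hash(algorithm, mode, parameters, userKey)
    for count in 1..iterations:
        for block in 1..keyLength:
            state = hash(state)                  # serialises the work
            key[block] = hash(state, userKey)    # one hash-sized chunk
    """
    block_len = hashlib.sha1().digest_size          # 20 bytes
    n_blocks = -(-key_bytes // block_len)            # ceil division
    # Binding algorithm/mode/parameters here is what makes a DES key and an
    # IDEA key from the same passphrase unrelated to each other.
    state = _h(algorithm.encode(), mode.encode(), parameters, user_key)
    key = [b""] * n_blocks
    for _ in range(iterations):
        for i in range(n_blocks):
            state = _h(state)                # chain: block i depends on all earlier work
            key[i] = _h(state, user_key)     # last iteration's value is kept
    return b"".join(key)[:key_bytes]


if __name__ == "__main__":
    # Constructed sample passphrase and parameters.
    pw = b"correct horse battery staple"
    des_key = derive_key("DES", "CBC", b"", pw, 8, iterations=100)
    idea_key = derive_key("IDEA", "CBC", b"", pw, 16, iterations=100)
    print("DES :", des_key.hex())
    print("IDEA:", idea_key.hex())
```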