1 May 2009 17:51
Re: Des and 3DES PRF: 16 or 8 bytes
Jeffrey Hutzelman <jhutz <at> cmu.edu>
2009-05-01 15:51:14 GMT
--On Thursday, April 30, 2009 04:25:09 PM -0400 Sam Hartman <hartmans-ietf <at> mit.edu> wrote:

> Folks, it was not clear in the discussion at IETF 74 whether we wanted
> to have the RFC 3961 PRF for 3DES change to be an 8-byte output or
> not. Currently if you assume that the text says to truncate to the
> nearest multiple of m, then the 3DES PRF should be 16 bytes.

Hrm. This goes directly back to the discussion of whether we want to truncate to the nearest multiple of the cipher block size, or to the block size itself. I believe we've rather thoroughly had the discussion of the relative security merits of the two approaches, but we were rather focused on AES. Now you are bringing up an interoperability issue relating to 3DES, which happens to be the only _other_ standardized simplified-profile CBC-mode enctype for which "truncate the output of H to the nearest multiple of m" does not mean the same thing as "truncate the output of H to c". Of course, AFAIK it is also the only other standardized simplified-profile CBC-mode enctype, period.

I believe we have already come to the conclusion that "truncate to the nearest multiple of m" is the only reasonable interpretation of what 3961 says, and so changing AES will involve updating 3961 and/or 3962. Provided that we are satisfied that the 3961 behavior for 3DES is acceptable, or that the interop considerations are more important, I see no reason we cannot treat 3DES specially at that time, retaining the existing truncate-to-128-bits behavior.