1

I need to port MACTripleDes functionality to another programming language and want to know what it really does. So I have data and a keypharse given.

Is it right, to just TripleDes the data with an IV=0 and the keyphrase, and then take the last 8 byte as the MAC ?

Ciao Ephraim

Ephraim
  • 767
  • 1
  • 8
  • 15
  • 4
    Don't. Don't try to implement cryptography yourself. Find an open-source implementation that is commonly used. – Rawling Sep 19 '14 at 11:11
  • 1
    What @Rawling said x100000 – spender Sep 19 '14 at 11:12
  • Yeah, I want to use openssl as backend ... but with Qt and QCA/QCA-SSL ... but MACTripleDES is just a combination of TripleDES and MAC which isn't included in QCA/QCA-SSL ... cause it is no real crypto ... thats why I wanted to know what is going on inside. – Ephraim Sep 19 '14 at 11:51

2 Answers2

2

DO NOT WRITE YOUR OWN CRYPTOGRAPHIC FUNCTIONS! Not even a direct port of an existing function.

If your language has any maturity, it will have an open source implementation that you can use. If it does not, DO NOT PORT ONE! Find one in another language and write a wrapper for it that you can call (like the C# implementation that you want to port).

Any existing open source implementation will be tested and verified for correctness by people who know far more about cryptography than me, you and over 99% of the global developer population.

If you really cannot find an open source implementation, write a simple .exe using C# that calls the C# implementation and returns the result. Not including setup and boilerplate, that's basically one line of code.

Again, if you write your own implementation, you will inevitably fail to account for some edge case or not understand the algorithm enough, resulting in a dangerous piece of code with exploitable flaws. Unless you are one of the original developers of 3DES or have many years of experience developing currently used encryption standards, you simply do not have the technical skill to port an implementation.

Again, if you write your own implementation, something goes wrong and your data gets leaked, you can and will be held personally accountable. Linkedin was recently sued for $ 5 million because they didn't implement proper security. This is something that can break your career.

DO NOT MAKE THE SAME MISTAKE AS LINKEDIN!

Nzall
  • 3,439
  • 5
  • 29
  • 59
  • @Ephraim Because someone with far more experience than you in cryptographic development has written a function from scratch according to the 3DES specs. However, that's besides the point. What IS important is that the open source implementation will have had FAR more external input and verification for correct implementation than your homebrew function. Even if you managed to write a function that goes perfectly to spec, you're the only one who has seen the function. I'd rather trust something open source which many people have seen than a one man job. – Nzall Sep 19 '14 at 11:54
  • In addition, if they ever find a flaw in the open-source implementation, the developers will be informed and they will fix it and warn everyone of the update, releasing a patch. However, if your personal implementation has the same flaw as the software you ported, and you're the only one who knows it even exists, noone will inform you of that flaw and attackers can exploit that flaw. This is especially dangerous if you don't know that the software you ported had a flaw. – Nzall Sep 19 '14 at 11:56
  • While it's certainly reasonable to advise caution (especially if the OP is contemplating reimplementing the DES core itself), this doesn't seem to actually answer the question asked. I've tried to provide an actual answer to the question, while still emphasizing that the OP really should be using a proper, carefully reviewed crypto library whenever possible. – Ilmari Karonen Jan 07 '16 at 17:46
  • @IlmariKaronen Some times if someone asks you [if you should hammer a nail in with a old shoe or a glass bottle you need to tell them to stop trying and go buy a hammer](http://weblogs.asp.net/alex_papadimoulis/408925). – Scott Chamberlain Jan 07 '16 at 17:51
  • 1
    @ScottChamberlain: To play on Alex's metaphor, the OP is asking how hammers are made. While it's perfectly reasonable to advise them not to use a homemade hammer unless they can be sure that the head won't come off, the question itself is also reasonable, and deserves a proper answer. – Ilmari Karonen Jan 07 '16 at 17:59
  • @IlmariKaronen fair enough. – Scott Chamberlain Jan 07 '16 at 18:04
0

Apparently, the MACTripleDES class implements CBC-MAC using Triple DES as the underlying block cipher. If you have access to a crypto library that implements CBC-MAC and Triple DES (and lets you use the latter as the block cipher in the former, as any generic CBC-MAC implementation should), you should be able to combine them to obtain an equivalent MAC.

Alternatively, if your crypto library does not directly implement CBC-MAC, but does implement CBC mode encryption, you can indeed implement CBC-MAC yourself by encrypting the message in CBC mode, using an all-zero IV, and taking the last block of the resulting ciphertext as the MAC value. (This is simply the definition of CBC-MAC.) It is also not particularly difficult or tricky to implement CBC mode (or CBC-MAC) yourself, using just the raw block cipher. But really, any decent crypto library should already provide CBC-MAC, or at least CBC mode encryption, built in.

What you should not try is implementing Triple DES, or any other block cipher, yourself! It's very hard to implement low-level crypto algorithms like Triple DES securely, since you have to pay attention to things like side-channel attacks, and any such implementation should be thoroughly tested and scrutinized by professional cryptographers before being used for anything serious.

(One specific exception here is that, if you only have access to the plain DES block cipher, you may reasonably safely implement Triple DES on top of that. This is because Triple DES is not actually a separate low-level cipher, but simply a method of expanding the keyspace of DES, at the expense of performance, by encrypting each block several times with independent keys. But again, any decent crypto library written in the last 20 years should support Triple DES if it supports DES at all.)

Of course, even when only implementing high-level crypto algorithms like CBC-MAC, it's still possible to make mistakes, and such mistakes can have security consequences. But at this level, the difficulty and the risk are not significantly greater than those inherent in simply using crypto (and therefore, by implication, working with security-critical data like encryption keys) in the first place. Even so, it's always a good idea to have someone (or, preferably, several someones) with crypto experience review your code before it's deployed. This holds even if you're a crypto expert yourself; anybody can make mistakes, and the more eyeballs you can get on your code, the more likely it is that any mistakes are found before someone exploits them.

Finally, note that, if you don't specifically need compatibility with Microsoft's MACTripleDES class, there are better choices for MAC algorithms than CBC-MAC (such as CMAC), and better choices for ciphers than Triple DES (such as AES). The specific combination of AES and CMAC is even standardized in RFC 4493, which provides detailed implementation instructions and test vectors to verify correctness.

In particular, plain CBC-MAC is not secure for variable-length messages, if the message length is not authenticated. While there are ways to fix this vulnerability, e.g. by prepending the length to the message before computing the MAC, it's generally preferable to use an algorithm that is secure "out of the box", like CMAC.

(Also, since you mention a "keyphrase" in your question, I hope you're actually feeding it through a proper key derivation function before using it as a key for Triple DES (or any other block cipher). In particular, if the keyphrase is user-supplied, and thus likely to have low entropy, you really should be using a key-stretching KDF like PBKDF2, scrypt or Argon2.)

Community
  • 1
  • 1
Ilmari Karonen
  • 49,047
  • 9
  • 93
  • 153