Details on CDMF

Bob Baldwin (baldwin@rsa.com)
Fri, 24 Jul 1998 14:08:11 -0700

• Next message: Vin McLellan: "Re: RC5/6 Patents - Clarifications"
• Previous message: EKR: "Re: DES & IBM's patents"

        Let me expand on Eric's description of CDMF.
Both RSADSI and Terisa have implemented it and amazingly
enough we interoperated on the first try.
        I will use Eric's notation:
  CDMF(K,MSG)=DES(F(K),MSG)
Note that "CDMF" and "DES" can be converted to all the
usual modes, such as:
  CDMF-CBC-Pad-Encrypt(K,MSG) = DES-CBC-Pad-Encrypt(F(K),MSG)

The function F(K) = Kf is defined by:
- Return error if K is not a parity adjusted DES key.
- Zero parity by computing Ka = K and 0xfefefefefefefefe
- Compute Kb = DES-ECB-Encrypt(FixedKeyOne, Ka),
   where FixedKeyOne = 0xc408b0540ba1e0ae
- Compute Kc = Kb xor Ka
- Zero all but 40 bits by computing
   Kd = Kc and 0x0efe0efe0efe0efe
- Compute Ke = DES-ECB-Encrypt (FixedKeyTwo, Kd),
   where FixedKeyTwo = 0xef2c041ce6382fe6
- Parity adjusted Ke to create Kf.

        The CDMF patent covers variations on this design.
For details, check out the claims in:
http://www.patents.ibm.com/details?patent_number=5323464

        Additional information on CDMF is provided in the
following paper: "Design of the Commercial Data Masking
Facility Data Privacy Algorithm", D. Johnson, S. Matyas,
A. Le, J. Wilkins; Proceedings of the First ACM Conference
on Communications and Computer Security; ACM Press,
Fairfax, VA; 1993.

                --Bob Baldwin

> -----Original Message-----
> From: EKR [SMTP:ekr@terisa.com]
> Sent: Friday, July 24, 1998 12:53 PM
> To: John Kelsey
> Cc: Adam Shostack; Rich Salz; Bob Baldwin; CodherPlunks@toad.com;
> schneier@counterpane.com
> Subject: Re: DES & IBM's patents
>
> "John Kelsey" <kelsey@plnet.net> writes:
> > Actually, I believe CDMF is just a specific way to choose a DES key,
> > which has 40 bits of strength but doesn't have some subset of its
> > bits always set to zero. I don't believe CDMF does anything weird to
> > the DES key schedule internals.
> CDMF is basically a key pre-processor. It provides a function that takes
> as input a DES key and outputs another DES key with 40 bits of
> entropy. That key is then used for DES.
>
> I.e.
> CDMF(K,MSG)=DES(F(K),MSG)
>
> -Ekr
>
> --
> [Eric Rescorla Terisa Systems, Inc.]
> "Put it in the top slot."

• Next message: Vin McLellan: "Re: RC5/6 Patents - Clarifications"
• Previous message: EKR: "Re: DES & IBM's patents"