Disable Weak cipher check for DES KCV

Jussi Kivilinna jussi.kivilinna at iki.fi
Sun Jan 5 15:36:08 CET 2020


Hello,

Apparently my first reply went only to the mailing list.

There I wrote: "I tried to find KCV specification where zero key is used to encrypt actual key as input block for KCV value, but all KCV algorithms I managed to find encrypt zero input block with the actual key as key. Can you check your documentation for KCV if zero key is really used and give pointer/link to that spec for us?"

-Jussi

On 4.1.2020 12.33, Jan Bilek wrote:
> Ping?
>
> 
> On 2019-12-21 11:40:06+10:00 Jan Bilek wrote:
> 
>     Hi,
> 
>     We have a problem here where I need to encrypt a block of data with zeros.
> 
>     <>
>       gcry_check_version (NULL);
>       unsigned char key[] = {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00};
>       unsigned char out[8];
>       unsigned char data[8] = {0};  // zero-filled input block
>       gcry_error_t err = 0;
>       gcry_cipher_hd_t hd = nullptr;
>       err = gcry_cipher_open(&hd, GCRY_CIPHER_DES, GCRY_CIPHER_MODE_ECB, 0);
>       //auto blklen = gcry_cipher_get_algo_blklen(GCRY_CIPHER_DES);
>       //auto algolen = gcry_cipher_get_algo_keylen (GCRY_CIPHER_DES);
>       err = gcry_cipher_setkey (hd, key, sizeof(key));
>       std::cerr << "gpg_err_code: " << gpg_err_code(err) << std::endl;
>       std::cerr << "gpg_strerror: " << gpg_strerror(err) << std::endl;
>       gcry_cipher_encrypt(hd, out, sizeof(key), data, 8);
>       if (err) {
>         std::cerr << "Failed to perform cryptography" << std::endl;
>         std::cerr << "  cipher:     " << static_cast<int>(GCRY_CIPHER_DES) << std::endl;
>         std::cerr << "  mode:       " << static_cast<int>(GCRY_CIPHER_MODE_ECB) << std::endl;
>         //std::cerr << "  keyBlock:   " << BinToHex<std::string>(key) << std::endl;
>         //std::cerr << "  out:        " << BinToHex<std::string>(out) << std::endl;
>         //std::cerr << "  data:       " << BinToHex<std::string>(encryptedData) << std::endl;
>       }
>     </>
> 
>     This blows on:
> 
>     gpg_err_code: 43
>     gpg_strerror: Weak encryption key
>     cipher_encrypt: key not set
> 
>     Tracked it back in the source to libgcrypt / cipher / des.c
> 
>     r. 1384 do_des_setkey
>     r. 1021 is_weak_key
> 
>       if (is_weak_key (key)) {
>         _gcry_burn_stack (64);
>         return GPG_ERR_WEAK_KEY;
>       }
> 
>     cipher.c
>     r.797 
> 
>      rc = c->spec->setkey (&c->context.c, key, keylen, c);
>       if (!rc) {
> 
>       } else
>         c->marks.key = 0;
>      
>     ... then disallows weak key setting completely, resulting in a failure.
> 
>     This has quite an impact on multiple (still) in-use KCV operations (e.g. KCV_METHOD_VISA) where key needs to be encrypted with a zero key to get its KCV.
> 
>     May I propose a patch? (See in attachment).
> 
>     Thanks & Cheers,
>     Jan
> 
> 
> _______________________________________________
> Gcrypt-devel mailing list
> Gcrypt-devel at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gcrypt-devel
> 
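
Why the all-zero key in the quoted report is flagged: DES ignores the low (parity) bit of every key byte, so 00 00 00 00 00 00 00 00 is the same key as the classic weak key 01 01 01 01 01 01 01 01. The following is an added example, not part of the original thread and not libgcrypt's own is_weak_key; it goes beyond the one reported key and classifies any single-DES key from its PC-1 key-schedule registers. The names classify_des_key and des_key_class are hypothetical, and it covers only the 4 weak and 12 semi-weak keys; whether libgcrypt rejects exactly that set is not checked here.

```c
#include <stdint.h>
#include <stdio.h>

/* DES PC-1 (FIPS 46-3): selects the 56 key bits, dropping the parity bit
   of each byte. Entries 0..27 form register C, entries 28..55 register D. */
static const unsigned char PC1[56] = {
    57, 49, 41, 33, 25, 17,  9,  1, 58, 50, 42, 34, 26, 18,
    10,  2, 59, 51, 43, 35, 27, 19, 11,  3, 60, 52, 44, 36,
    63, 55, 47, 39, 31, 23, 15,  7, 62, 54, 46, 38, 30, 22,
    14,  6, 61, 53, 45, 37, 29, 21, 13,  5, 28, 20, 12,  4
};

enum des_key_class { DES_KEY_OK = 0, DES_KEY_SEMI_WEAK = 1, DES_KEY_WEAK = 2 };

/* Build one 28-bit register from PC-1 entries [first, first + 28). */
static uint32_t pc1_half(const unsigned char key[8], int first)
{
    uint32_t reg = 0;
    for (int i = 0; i < 28; i++) {
        int bit = PC1[first + i] - 1;   /* 0-based; bit 0 = MSB of key[0] */
        reg = (reg << 1) | ((key[bit / 8] >> (7 - bit % 8)) & 1u);
    }
    return reg;
}

/* 0: constant register (all subkeys equal), 1: alternating register
   (only two distinct subkeys), -1: any other pattern. */
static int half_pattern(uint32_t reg)
{
    if (reg == 0 || reg == 0x0FFFFFFF) return 0;
    if (reg == 0x05555555 || reg == 0x0AAAAAAA) return 1;
    return -1;
}

/* Hypothetical helper: classify a single-DES key by its key schedule. */
enum des_key_class classify_des_key(const unsigned char key[8])
{
    int c = half_pattern(pc1_half(key, 0));
    int d = half_pattern(pc1_half(key, 28));
    if (c < 0 || d < 0) return DES_KEY_OK;
    return (c == 0 && d == 0) ? DES_KEY_WEAK : DES_KEY_SEMI_WEAK;
}

int main(void)
{
    const unsigned char zero[8] = {0};  /* the key from the quoted report */
    printf("all-zero key class: %d\n", classify_des_key(zero));
    return 0;
}
```

A caller can run such a check before gcry_cipher_setkey to tell a GPG_ERR_WEAK_KEY rejection apart from other setkey failures.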



