3DES decryption bug in 0.4.0

Michael Roth mroth at nessie.de
Sat Sep 19 05:15:10 CEST 1998


shame on me... It's about half past three in the morning and I went to bed
and then it came to my mind: I made a mistake in the key schedule on 3DES.
I switched on the computer, checked the code, and *bang*, there is really
a bug in Triple-DES decryption.... :-((

Why was this typo not detected by the integrated selftest? The answer is
simple: I wrote my own testcase for my own code. This is generally a bad
idea and as a result of this, the selftest simply doesn't run a test on
the affected subject...

For the first time I appended a hot 'mini-patch' which fixes the bug to
this mail.  I don't think Werner should release a new version to include
this patch.
I will make a larger patch with some more speed improvements on 3DES.

To apply the patch, change to directory 'gnupg-0.4.0/cipher', type in
the command 'patch < PATH_TO_FILE/des-decrypt-bug.patch' and recompile.

Please note: The bug applies only to Triple-DES decryption. Encryption is
not affected. There is no security problem in the sense of insecure
encryption or leaking session keys or private keys related to this bug.
The 'only' problem is that you can't decrypt messages which used Triple-DES
as the symmetric encryption algorithm. Just apply the patch and then you can
decrypt your previously encrypted data.

Ok. Now I will go to bed and hopefully I will not discover more bugs...

		Michael Roth

-------------- next part --------------
--- des.c.orig	Sat Sep 19 03:36:03 1998
+++ des.c	Sat Sep 19 03:36:30 1998
@@ -602,13 +602,13 @@
     return -1;
   des_key_schedule (key1, ctx->encrypt_subkeys, 0);
-  des_key_schedule (key1, ctx->decrypt_subkeys, 1);
+  des_key_schedule (key3, ctx->decrypt_subkeys, 1);
   des_key_schedule (key2, &(ctx->encrypt_subkeys[32]), 1);
   des_key_schedule (key2, &(ctx->decrypt_subkeys[32]), 0);
   des_key_schedule (key3, &(ctx->encrypt_subkeys[64]), 0);
-  des_key_schedule (key3, &(ctx->decrypt_subkeys[64]), 1);
+  des_key_schedule (key1, &(ctx->decrypt_subkeys[64]), 1);
   return 0;
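Review bot: the swap is correct for three-key EDE (decryption must run D_key3, E_key2, D_key1, so decrypt_subkeys[0] has to be scheduled from key3 and decrypt_subkeys[64] from key1), but the hunk adds no test that would catch a regression of exactly this kind: when key1 == key3 the removed lines and the added lines produce byte-for-byte identical decrypt_subkeys, so any encrypt-then-decrypt selftest that uses one key, or the same key for the first and third pass, passes on both the broken and the fixed code. Suggest pairing this fix with a selftest case that schedules three distinct keys and checks a known ciphertext from an independent implementation, not only a round trip against this file's own encrypt path.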

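The point of the mail, that a self-written round-trip test can miss a swapped key1/key3 in the decrypt schedule, is easy to show without DES itself. The following is an added example, not code from GnuPG's des.c or from the author: it replaces DES with a small SHA-256-based Feistel cipher (an assumption, chosen only so the block runs with the standard library) and mirrors the hunk's layout, one flat subkey array per direction with three consecutive per-key schedules, `tripledes_setkey` standing in for the des.c function the hunk patches and `pre_patch=True` reproducing the removed lines. The keys and plaintext are constructed test data.

```python
import hashlib

ROUNDS = 4  # toy Feistel rounds; des.c uses 16 rounds, hence the 32-entry blocks


def _f(half: bytes, subkey: bytes) -> bytes:
    """Keyed round function: 4 bytes of SHA-256 (toy stand-in, not the DES f)."""
    return hashlib.sha256(subkey + half).digest()[:4]


def key_schedule(key: bytes, mode: int) -> list:
    """Stand-in for des_key_schedule(key, subkeys, mode).

    mode 0 gives the subkeys in encryption order, mode 1 the same subkeys
    reversed, which is what turns the Feistel pass into its own inverse.
    """
    subkeys = [hashlib.sha256(key + bytes([i])).digest()[:8] for i in range(ROUNDS)]
    return subkeys if mode == 0 else subkeys[::-1]


def feistel(block: bytes, subkeys: list) -> bytes:
    """One pass of the toy cipher over an 8-byte block."""
    assert len(block) == 8 and len(subkeys) == ROUNDS
    left, right = block[:4], block[4:]
    for sk in subkeys:
        left, right = right, bytes(a ^ b for a, b in zip(left, _f(right, sk)))
    return right + left  # final swap: the pass with reversed subkeys undoes it


def tripledes_setkey(key1: bytes, key2: bytes, key3: bytes, pre_patch: bool = False):
    """Build encrypt_subkeys / decrypt_subkeys in the same order as the hunk.

    Encrypt: E(key1) D(key2) E(key3).  Decrypt: D(key3) E(key2) D(key1).
    pre_patch=True reproduces the removed lines, which scheduled key1 into
    the first decrypt block and key3 into the last.
    """
    enc = key_schedule(key1, 0) + key_schedule(key2, 1) + key_schedule(key3, 0)
    first, last = (key1, key3) if pre_patch else (key3, key1)
    dec = key_schedule(first, 1) + key_schedule(key2, 0) + key_schedule(last, 1)
    return enc, dec


def ede(block: bytes, subkeys: list) -> bytes:
    """Apply the three scheduled passes in array order."""
    for i in range(3):
        block = feistel(block, subkeys[i * ROUNDS:(i + 1) * ROUNDS])
    return block


PLAINTEXT = bytes.fromhex("0123456789abcdef")  # constructed test block


def roundtrip_ok(key1: bytes, key2: bytes, key3: bytes, pre_patch: bool = False) -> bool:
    """The kind of selftest the mail describes: encrypt with this code, decrypt with it."""
    enc, dec = tripledes_setkey(key1, key2, key3, pre_patch)
    return ede(ede(PLAINTEXT, enc), dec) == PLAINTEXT


def degenerates_to_single(key: bytes) -> bool:
    """Standard EDE sanity check: with key1 == key2 == key3 the result must equal
    one plain encryption, because the middle D pass cancels the first E pass."""
    enc, _ = tripledes_setkey(key, key, key)
    return ede(PLAINTEXT, enc) == feistel(PLAINTEXT, key_schedule(key, 0))


if __name__ == "__main__":
    k1, k2, k3 = b"key-one", b"key-two", b"key-three"  # constructed keys
    print("fixed, 3 keys      :", roundtrip_ok(k1, k2, k3))
    print("pre-patch, k1 == k3:", roundtrip_ok(k1, k2, k1, pre_patch=True))
    print("pre-patch, 3 keys  :", roundtrip_ok(k1, k2, k3, pre_patch=True))
    print("EDE(k,k,k) == E(k) :", degenerates_to_single(k1))
```

The second line of output is the trap: a two-key or single-key round trip passes on the pre-patch schedule because the swapped key1 and key3 are then the same key, so a selftest that reuses keys, or that only checks the code against itself, never sees the bug. A test with three distinct keys (or a fixed ciphertext from an independent implementation) is what exposes it.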