Triple DES Cipher Object
Operations Supported
Encrypt, Decrypt, Multi-Part MAC, and Multi-Part Verify.
Key encoding
Each key byte contains 7 key bits and 1 parity bit. The parity bit is the least significant bit of each byte. There is no additional encoding of the key data. The key must be 16 or 24 bytes long.
Encrypt/Decrypt Modes
The least significant nibble (four bits) of the mode value determines the operational mode. Possible values:
>SYM_MODE_ECB (0)
Electronic Code Book (ECB) mode. It may be combined with a padding mode (see below).
>SYM_MODE_CBC (1)
Cipher Block Chaining (CBC) mode. It may be combined with a padding mode (see below).
>SYM_MODE_CFB (2)
Cipher Feedback (64-bit) mode
>SYM_MODE_BCF (3)
Byte Cipher Feedback (8-bit CFB) mode
>SYM_MODE_OFB (4)
Output Feedback (64-bit) mode
>SYM_MODE_BOF (5)
Byte Output Feedback (8-bit OFB) mode
The most significant nibble of the mode value determines the padding mode. Possible values:
>SYM_MODE_PADNONE (0x00)
No padding applied. Data must be a multiple of the block size (8 bytes).
>SYM_MODE_PADNULL (0x80)
0 to 7 bytes with value 0 are added to the data to extend it to a multiple of the block size.
>SYM_MODE_PADPKCS1 (0x90)
PKCS#1 padding is applied. This causes 1 to 8 bytes of padding to be added to the data.
MAC modes
For MAC generation and verification, available modes include:
>0: Standard triple DES CBC
>1: Standard triple DES CBC with configurable MAC length
>2: X9.19 triple DES CBC
>3: X9.19 triple DES CBC with configurable MAC length
>4: Retail CFB MAC.
In all methods, NULL padding is applied to the data.
Encrypt/Decrypt Parameters
In all modes except SYM_MODE_ECB, the parameter buffer must contain the IV (8 bytes). In SYM_MODE_ECB, there are no parameters.
MAC Parameters
When the mode is 1 or 3, the parameter buffer contains at least 4 bytes, which hold the little-endian encoding of an integer. The integer must have a value from 1 to 8, indicating the number of bytes of the final IV that will be used as the MAC. This is optionally followed by 8 bytes containing the IV. For mode 4 (Retail CFB MAC), the parameter buffer must have 8 bytes containing the encrypted IV. For the remaining two modes, the parameter buffer is either empty or has 8 bytes containing the IV.
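
One way to check a request against the Encrypt/Decrypt mode and parameter rules, and to build the MAC parameter buffer for modes 1 and 3, before anything reaches the cipher object. This is an added example, not the product's own code: the `SYM_MODE_*` values are those listed in this section, while the function names, return codes, and the choice to apply the block-multiple rule only to ECB and CBC are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constant values are those listed in this section; every function name here
 * is hypothetical and not part of the documented API. */
enum { SYM_MODE_ECB = 0, SYM_MODE_CBC = 1, SYM_MODE_CFB = 2,
       SYM_MODE_BCF = 3, SYM_MODE_OFB = 4, SYM_MODE_BOF = 5 };
enum { SYM_MODE_PADNONE = 0x00, SYM_MODE_PADNULL = 0x80, SYM_MODE_PADPKCS1 = 0x90 };
#define TDES_BLOCK 8u

/* Validate an encrypt/decrypt request. Returns 0 when consistent with the
 * rules above, otherwise a negative code naming the first rule broken. */
int tdes_check_cipher_args(size_t key_len, unsigned mode,
                           size_t param_len, size_t data_len)
{
    unsigned op  = mode & 0x0Fu;   /* least significant nibble: operational mode */
    unsigned pad = mode & 0xF0u;   /* most significant nibble: padding mode */

    if (mode > 0xFFu || op > SYM_MODE_BOF) return -1;
    if (pad != SYM_MODE_PADNONE && pad != SYM_MODE_PADNULL &&
        pad != SYM_MODE_PADPKCS1) return -2;
    if (key_len != 16 && key_len != 24) return -3;
    /* ECB takes no parameters; every other mode takes exactly the 8-byte IV. */
    if (param_len != (op == SYM_MODE_ECB ? 0u : TDES_BLOCK)) return -4;
    /* Assumption: the block-multiple rule is enforced here only for ECB and
     * CBC, the two modes the section says can be combined with padding. */
    if ((op == SYM_MODE_ECB || op == SYM_MODE_CBC) &&
        pad == SYM_MODE_PADNONE && data_len % TDES_BLOCK != 0) return -5;
    return 0;
}

/* Build the parameter buffer for MAC modes 1 and 3: the MAC length (1..8) as
 * a 4-byte little-endian integer, then the optional 8-byte IV (iv may be NULL).
 * Returns the number of bytes written, or 0 on invalid input. */
size_t tdes_build_mac_param(uint8_t *out, size_t cap, uint32_t mac_len,
                            const uint8_t *iv)
{
    size_t need = 4u + (iv ? TDES_BLOCK : 0u);
    if (!out || cap < need || mac_len < 1 || mac_len > 8) return 0;
    for (int i = 0; i < 4; i++)
        out[i] = (uint8_t)(mac_len >> (8 * i));
    if (iv) memcpy(out + 4, iv, TDES_BLOCK);
    return need;
}
```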