Enforce 192-bit key length for TripleDES #13928
Conversation
TripleDES now emits a deprecation warning when 8-byte (single DES) or 16-byte (two-key) keys are passed. In a future release, only 24-byte (192-bit) keys will be accepted. Users needing single DES or two-key Triple DES compatibility should expand the key themselves: - Single DES (8 bytes): key + key + key - Two-key 3DES (16 bytes): key + key[:8]
alex
force-pushed
the
claude/enforce-tripledes-key-length-016zncCxwMyqoMNViGQ3a9JQ
branch
from
f0177b0 to
1937220
Compare
|
Have we tagged our downstreams to let them know about this? |
|
No, I was going to let the warning play that role. (Since this is a warning and not an immediate breakage.) |
|
We definitely have a recurring issue where people just generate the default, or sometimes even the shortest available, key for tests. And we don't have good infrastructure for responsiveness to warnings 😬 |
|
@glyph good news, the problem is far dumber: https://github.com/twisted/twisted/blob/506d17fb71abf213dc77cfe7b55eb1fafb5f2437/src/twisted/conch/test/test_transport.py#L702-L705 this assumes all keys have a size of 16 bytes, but that's wrong for 3des, it's key size is 24 bytes. If you fix that, I think twisted will be good. |
|
OK, unless I hear otherwise, I assume Twisted is good now |
|
Thanks a lot for the heads up, I've drafted a PR on our side to have this ready.
Heh yeah, for compat with ancient IPSEC, Kerberos and TLS cases. |
reaperhulk
deleted the
claude/enforce-tripledes-key-length-016zncCxwMyqoMNViGQ3a9JQ
branch
|
thanks for jumping on this! |
TripleDES now only accepts 24-byte (192-bit) keys. Users needing single DES (1-key) or two-key Triple DES compatibility must expand the key themselves:
This change removes the automatic key expansion that was previously done in the TripleDES constructor, making the key length requirement explicit and preventing accidental use of weaker key configurations.