RFC 3961, "Encryption and Checksum Specifications for Kerberos 5", February 2005Source of RFC: krb-wg (sec)
Errata ID: 6973
Publication Format(s) : TEXT
Reported By: Paul Miller
Date Reported: 2022-05-12
Section 6.2 says:
6.2.1: key-generation seed 8 bytes length random-to-key des_random_to_key 6.2.2: key-generation seed 8 bytes length random-to-key copy input, then fix parity bits 6.2.3: key-generation seed 8 bytes length random-to-key copy input, then fix parity bits
It should say:
All sections: key-generation seed 7 bytes length random-to-key des_random_to_key
Section 6.2 describes the random-to-key operation as:
For generation of a key from a random bitstring, we start with a 56-
bit string and, as with the string-to-key operation above, insert
parity bits. If the result is a weak or semi-weak key, we modify it
by eXclusive-OR with the constant 0x00000000000000F0:
For 6.2.1, the input should be 56-bits, not 64.
For 6.2.2 and 6.2.3, the random-to-key must also correct weak keys and not just the parity as currently described.
Of course, this is all purely of academic interest as the 10-year anniversary of RFC6649 deprecating single DES is coming up in a couple of weeks. The distinction between a "weak" single DES key and a correctly generated random key only matters if your adversary is restricted to using graphing calculators.