NIST, the National Institute of Shameful Typos

Sunbathing on an idyllic tropical vacation, I was absently skimming over NIST's 3DES encryption specification, when suddenly I was harshly jolted out of my summer daze, coughing my piña colada out of my nose. One of the weak keys was wrong!

I'm not talking about one of the semi-weak keys, this is one of DES's four actual weak keys, for which the encryption operation is self-inverting – encrypting twice yields the original clear text.

The value of the weak key is given by NIST as
00000000 FFFFFFFF
but it should in fact be
(or FEFEFEFE FEFEFEFE if parity adjusted).

Go see for yourself:
NIST Special Publication 800-67, Version 1.1
Recommendation for the Triple Data Encryption Algorithm (TDEA) Block Cipher
Revised 19 May 2008
Page 14, section 3.4.2, Weak Keys

At date of writing this remains the latest version of the document published on NIST's website.

Come on NIST, some of us are trying to relax.

Update from NIST:

Subject: Re: Typo in NIST's TDEA publication
Date: Thu, 7 Jun 2012 13:04:45 -0400

Apparently there is a copy of the old version of SP 800-67 on the server; however, it's not linked to by the official publication page ( The official publication page contains the January 2012 version of SP 800-67 with the corrected weak key.

On speaking with the web master, the link you provided on your blog is a to a folder on the server that contains the document files that are linked to from other pages. We're in the process of deleting the old file so this confusion doesn't happen again.

Thank you for pointing out the problem. We would appreciate it if you would correct your blog to indicate that the problem has been fixed and point to the correct version on the official publication page.

Ok, now I've got the correct link, I can finally get some rest.

But why can't I sleep? Why am I so restless? What's gnawing away at me, itching? Something feels wrong...

Oh dear god no, anything but that! It's another typo! That same weak key is now one byte short! The first group contains three bytes of FE but it should be four. That is, FEFEFE should be FEFEFEFE.

Pass the benzodiazepines please.

Update from NIST:

Subject: Re: Typo in NIST's TDEA publication
Date: Thu, 7 Jun 2012 14:53:19 -0400

You are right! Will get it fixed.