[17469] in cryptography@c2.net mail archive

Re: expanding a password into many keys

daemon@ATHENA.MIT.EDU (John Kelsey)
Mon Jun 13 18:47:31 2005

X-Original-To: cryptography@metzdowd.com
Date: Mon, 13 Jun 2005 16:34:11 -0400 (GMT-04:00)
From: John Kelsey <kelsey.j@ix.netcom.com>
Reply-To: John Kelsey <kelsey.j@ix.netcom.com>
To: Ian G <iang@systemics.com>, cryptography@metzdowd.com

>From: Ian G <iang@systemics.com>
>Sent: Jun 12, 2005 11:27 AM
>To: cryptography@metzdowd.com
>Subject: expanding a password into many keys

>I'd like to take a password and expand it into several keys.  It
>seems like a fairly simple operation of hashing the concatenation
>of the password with each key name in turn to get each key.

>Are there any 'gotchas' with that?

There's a length extension property with what you're doing, so if I
get to choose your key names, I can do something unpleasant to you.
Suppose I know the length of pass, and get to choose two key names,
K1_name and K2_name.  You give me K1 = sha1( pass||K1_name), then I
need to guess K2_name.  I can choose K2_name to be K1_name,
appropriately padded to the full block size exactly as it will be in
the SHA1 computation that produces K1.  Then, I can compute K2 on my
own, because the only effect of the secret value "pass" on K2 is going
through K1.  

This doesn't look like an especially realistic attack model, but I'm
not sure what you're doing with this....

>iang

--John Kelsey




---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
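
The length-extension property described in the reply above, as an added example that is not part of the original post: given only K1, the length of pass, and K1_name, it computes K2 for K2_name = K1_name plus SHA-1 padding, then shows the same prediction failing against a keyed construction. The function names and sample values are hypothetical, and HMAC-SHA1 is an assumed alternative that the thread itself does not propose.

```python
import hashlib, hmac, struct

def sha1_pad(msg_len):
    """Padding SHA-1 appends to a msg_len-byte message."""
    return b"\x80" + b"\x00" * ((55 - msg_len) % 64) + struct.pack(">Q", msg_len * 8)

def _rol(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF

def sha1_resume(state, data, prior_len):
    """Continue SHA-1 from a 5-word state reached after prior_len bytes (multiple of 64)."""
    data += sha1_pad(prior_len + len(data))
    h = list(state)
    for off in range(0, len(data), 64):
        w = list(struct.unpack(">16I", data[off:off + 64]))
        for t in range(16, 80):
            w.append(_rol(w[t - 3] ^ w[t - 8] ^ w[t - 14] ^ w[t - 16], 1))
        a, b, c, d, e = h
        for t in range(80):
            if t < 20:   f, k = (b & c) | (~b & d), 0x5A827999
            elif t < 40: f, k = b ^ c ^ d, 0x6ED9EBA1
            elif t < 60: f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
            else:        f, k = b ^ c ^ d, 0xCA62C1D6
            a, b, c, d, e = (_rol(a, 5) + f + e + k + w[t]) & 0xFFFFFFFF, a, _rol(b, 30), c, d
        h = [(x + y) & 0xFFFFFFFF for x, y in zip(h, (a, b, c, d, e))]
    return struct.pack(">5I", *h)

def naive_key(password, name):
    # Construction from the thread: K = sha1(pass || name)
    return hashlib.sha1(password + name).digest()

def hmac_key(password, name):
    # Assumption (not from the thread): HMAC-SHA1 keyed with the password
    return hmac.new(password, name, hashlib.sha1).digest()

def extend(k1, pass_len, k1_name):
    """From K1 alone, return (K2_name, K2) with K2_name = K1_name || SHA-1 padding."""
    k2_name = k1_name + sha1_pad(pass_len + len(k1_name))
    k2 = sha1_resume(struct.unpack(">5I", k1), b"", pass_len + len(k2_name))
    return k2_name, k2

if __name__ == "__main__":
    pw, name = b"constructed-password", b"enc-key"   # constructed sample values
    k2_name, k2 = extend(naive_key(pw, name), len(pw), name)
    print("naive K2 predicted without pass:", k2 == naive_key(pw, k2_name))
    _, guess = extend(hmac_key(pw, name), len(pw), name)
    print("HMAC  K2 predicted without pass:", guess == hmac_key(pw, k2_name))
```
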
