[17489] in cryptography@c2.net mail archive
Re: use KDF2 / IEEE1363a (Re: expanding a password into many keys)
daemon@ATHENA.MIT.EDU (Adam Back)
Tue Jun 14 16:41:12 2005
X-Original-To: cryptography@metzdowd.com
Date: Tue, 14 Jun 2005 15:42:45 -0400
From: Adam Back <adam@cypherspace.org>
To: Anne & Lynn Wheeler <lynn@garlic.com>
Cc: Ian G <iang@systemics.com>, cryptography@metzdowd.com
In-Reply-To: <20050614082139.GA18796@bitchcake.off.net>
I suppose I should also have noted that the master key going into KDF2
would be derived with PBKDF2 from a password if this is a password-derived
set of keys, to get the extra features of a salt and iterator
to slow down brute force.
Adam
On Tue, Jun 14, 2005 at 04:21:39AM -0400, Adam Back wrote:
> The non-banking version of this is the KDF2 function in IEEE1363a.
>
> Same deal:
>
> void KDF2( const void* Z, int, const void* P, int, void* K, int );
>
> Z = master-key, P = permuter, K = derived key
>
> each is variable sized. (Sorry I implemented the source for someone
> who has the copyright or you could have that). It's very simple to
> implement however:
>
> key = SHA1( Z || 0 || P ) || SHA1( Z || 1 || P ) ...
>
> for as many bytes as you need. So I would e.g. use P = "AES" and P =
> "HMACS" to derive two different keys. Looks like KDF2 has the same
> problem John mentioned, so don't do that (let attacker choose P).
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
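
The chain described in this thread (password, then PBKDF2 with a salt and iteration count, then KDF2 with a fixed permuter per purpose), written out as an added example; this is not Adam Back's implementation or code from the standard. Assumptions: the counter is encoded as 4 big-endian bytes, PBKDF2 uses HMAC-SHA256 with a 32-byte output, and the names `PURPOSES`, `master_key` and `derive_keys` are hypothetical.

```python
import hashlib

# Fixed, application-chosen permuters (the post's P) and output sizes.
# P is never taken from untrusted input.
PURPOSES = {"enc": (b"AES", 16), "mac": (b"HMACS", 20)}


def kdf2(z: bytes, p: bytes, length: int, first_counter: int = 0) -> bytes:
    """Concatenate SHA1(Z || counter || P) blocks and truncate to `length`.

    Assumption: the counter is a 4-byte big-endian integer. The post starts
    it at 0; confirm start value and encoding against the standard when
    interoperating with another implementation.
    """
    if length <= 0:
        raise ValueError("length must be positive")
    out = bytearray()
    counter = first_counter
    while len(out) < length:
        out += hashlib.sha1(z + counter.to_bytes(4, "big") + p).digest()
        counter += 1
    return bytes(out[:length])


def master_key(password: bytes, salt: bytes, iterations: int) -> bytes:
    """Password -> master key Z; salt and iteration count slow brute force."""
    # Assumption: HMAC-SHA256 as the PBKDF2 PRF, 32-byte Z.
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dklen=32)


def derive_keys(password: bytes, salt: bytes, iterations: int = 100_000) -> dict:
    """Derive one separate key per purpose from a single password."""
    z = master_key(password, salt, iterations)
    return {name: kdf2(z, p, n) for name, (p, n) in PURPOSES.items()}


if __name__ == "__main__":
    salt = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed sample
    for name, key in derive_keys(b"correct horse", salt).items():
        print(name, key.hex())
```

The salt is stored alongside whatever the keys protect; only the password stays secret.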