[19036] in cryptography@c2.net mail archive
Encryption using password-derived keys
daemon@ATHENA.MIT.EDU (Jack Lloyd)
Wed Nov 30 10:50:12 2005
X-Original-To: cryptography@metzdowd.com
Date: Tue, 29 Nov 2005 11:08:35 -0500
From: Jack Lloyd <lloyd@randombit.net>
To: cryptography@metzdowd.com
Mail-Followup-To: cryptography@metzdowd.com
The basic scenario I'm looking at is encrypting some data using a
password-derived key (using PBKDF2 with sane salt sizes and iteration
counts). I am not sure if what I'm doing is sound practice or just pointless
overengineering and wanted to get a sanity check.
My inclination is to use the PBKDF2 output as a key encryption key, rather than
using it to directly key the cipher (with the key used for the cipher itself
being created by a good PRNG). For some reason the idea of using it directly
makes me nervous, but not in a way I can articulate, leading me to suspect I'm
worried over nothing.
So, assuming using it as a KEK makes sense: At first I thought to use XOR to
combine the two keys, but realized that could lead to related key attacks (by
just flipping bits in the field containing the encrypted key). That is probably
not a problem with good algorithms, but, then again, why take the chance; so I
was thinking instead of using NIST's AES-wrap (or perhaps a less weirdly designed
variant of it that uses HMAC for integrity checking and AES in CBC mode for
confidentiality).
Am I thinking about this far harder than I should?
-Jack
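The two wrapping options the post compares, as an added example that is not part of the original message: a PBKDF2-derived KEK first combined with a random data key by plain XOR, then by an encrypt-then-MAC wrap in the spirit of the HMAC-plus-cipher variant Jack describes. The iteration count, salt length, subkey labels and sample password are assumptions chosen for the example. Because the Python standard library has no AES, the confidentiality layer below uses an HMAC-SHA256 keystream as a stand-in for AES-CBC; the point being demonstrated is the integrity check, which is what separates the two approaches.

```python
import hashlib
import hmac
import os

# Constructed parameters for this example (not taken from the post).
PBKDF2_ITERATIONS = 100_000
SALT_LEN = 16
KEK_LEN = 32
NONCE_LEN = 16
TAG_LEN = 32


def derive_kek(password: bytes, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """PBKDF2-HMAC-SHA256 -> 32-byte key-encryption key."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dklen=KEK_LEN)


def xor_wrap(kek: bytes, dek: bytes) -> bytes:
    """The combination the post first considered: wrapped = KEK XOR DEK.
    Flipping bit i of the stored field flips bit i of the recovered DEK,
    and nothing in the construction can detect it."""
    assert len(dek) == len(kek)
    return bytes(a ^ b for a, b in zip(kek, dek))


def xor_unwrap(kek: bytes, wrapped: bytes) -> bytes:
    return xor_wrap(kek, wrapped)


def _subkeys(kek: bytes):
    """Derive separate encryption and MAC keys from the KEK (labels are assumptions)."""
    enc_key = hmac.new(kek, b"wrap-enc", hashlib.sha256).digest()
    mac_key = hmac.new(kek, b"wrap-mac", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256; a stand-in for AES here."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def mac_wrap(kek: bytes, dek: bytes) -> bytes:
    """Encrypt-then-MAC wrap: nonce || ciphertext || HMAC tag."""
    enc_key, mac_key = _subkeys(kek)
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(dek, _keystream(enc_key, nonce, len(dek))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def mac_unwrap(kek: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time before touching the ciphertext."""
    enc_key, mac_key = _subkeys(kek)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrapped key failed integrity check")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


def flip_bit(data: bytes, bit_index: int) -> bytes:
    b = bytearray(data)
    b[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(b)


def demo():
    """Returns (xor_yields_related_key, mac_round_trip_ok, mac_tamper_detected)."""
    password = b"correct horse battery staple"  # constructed sample password
    salt = os.urandom(SALT_LEN)
    kek = derive_kek(password, salt)
    dek = os.urandom(KEK_LEN)  # data key straight from the OS CSPRNG

    # XOR combination: a flipped bit in storage silently becomes a related DEK.
    tampered = flip_bit(xor_wrap(kek, dek), 5)
    xor_related = xor_unwrap(kek, tampered) == flip_bit(dek, 5)

    # Encrypt-then-MAC wrap: round-trips, and the same tampering is rejected.
    blob = mac_wrap(kek, dek)
    round_trip = mac_unwrap(kek, blob) == dek
    try:
        mac_unwrap(kek, flip_bit(blob, NONCE_LEN * 8 + 5))  # bit 5 of the ciphertext
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return xor_related, round_trip, tamper_detected


if __name__ == "__main__":
    print(demo())
```

Keying the cipher with the PBKDF2 output directly is not shown to be weaker here; what the example makes concrete is the post's own observation that an unauthenticated XOR field lets a one-bit change in storage become a one-bit change in the key, while a wrap carrying a MAC turns the same change into a hard failure.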
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com