expanding a password into many keys

Anne & Lynn Wheeler lynn at garlic.com
Tue Jun 14 12:59:26 EDT 2005


Hal Finney wrote:
> The recommended technique I've seen for this (I think David Wagner
> suggested it on sci.crypt years ago) is to use a MAC:
> 
> key = MAC (password, keyname)
> 
> The security property of a MAC is that you can get as many messages MAC'd
> as you want, and you won't be able to guess a MAC on any new messages.
> That's exactly what you want here, that an attacker can learn keys when he
> knows or chooses keynames, but be unable to guess any keys for any other
> keynames.  It's a good fit to the security requirements for your problem.

as previously noted ... the financial industry has had a standard for
derived keys for some time.

a variation on this is the iterative hash for one-time passwords (except
the keyname became the server-specific "salt" and there was an added value
for the number of hash iterations) ... the claim was that it was
targeted at an end-user who could walk up to an open environment w/o
anything other than their passphrase ... and be able to logon. various
MITM attacks against the server were examined ... however there wasn't
equal examination of MITM attacks against the end-user (i.e. providing a
count of one to the end-user ... so that the attacker can then reproduce
all subsequent hash iteration values) ... misc. past postings
http://www.garlic.com/~lynn/2003n.html#1 public key vs passwd authentication?
http://www.garlic.com/~lynn/2003n.html#2 public key vs passwd authentication?
http://www.garlic.com/~lynn/2003n.html#3 public key vs passwd authentication?
http://www.garlic.com/~lynn/2005i.html#50 XOR passphrase with a constant

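Added example (not from the original post, and not code by either Hal Finney or Lynn Wheeler): the two constructions discussed above side by side. The first half is the per-keyname derivation key = MAC(password, keyname), instantiated here with HMAC-SHA256 as an assumed choice of MAC. The second half is an S/KEY-style iterated-hash one-time password chain, with the seed taken as H(passphrase || salt) and H = SHA-256 (both assumptions; the real S/KEY scheme differs in hash and folding), and a toy server that walks the count down on each logon. The MITM-against-the-end-user point is then carried through: an attacker who gets the user to answer a challenge with count 1 can recompute every higher-count value, which is exactly the set the legitimate server will accept from now on. Passphrase, salt, hostname and chain length are constructed sample values.

```python
import hashlib
import hmac


# ---- 1. Per-keyname key derivation with a MAC (quoted suggestion) ----
def derive_key(password: bytes, keyname: bytes) -> bytes:
    """key = MAC(password, keyname); HMAC-SHA256 is an assumed instantiation.
    Knowing the key for one keyname gives no help guessing another's."""
    return hmac.new(password, keyname, hashlib.sha256).digest()


# ---- 2. Iterated-hash one-time password chain (S/KEY style) ----
def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def otp_chain_value(passphrase: bytes, salt: bytes, count: int) -> bytes:
    """Return H^count(seed) with seed = H(passphrase || salt) (assumed seeding).
    The user recomputes this from the passphrase alone at every logon."""
    v = _h(passphrase + salt)
    for _ in range(count):
        v = _h(v)
    return v


class OtpServer:
    """Holds H^n(seed); accepts a response r iff H(r) == stored, then keeps r.
    Each successful logon lowers the count by one."""

    def __init__(self, passphrase: bytes, salt: bytes, n: int):
        self.salt = salt
        self.count = n
        self.stored = otp_chain_value(passphrase, salt, n)

    def challenge(self):
        # The server asks for the value one step below what it holds.
        return self.salt, self.count - 1

    def verify(self, response: bytes) -> bool:
        if not hmac.compare_digest(_h(response), self.stored):
            return False
        self.stored = response
        self.count -= 1
        return True


def attacker_forward(leaked_value: bytes, leaked_count: int, target_count: int) -> bytes:
    """Given H^leaked_count(seed), compute H^target_count(seed) for any
    target_count >= leaked_count. With leaked_count == 1 this covers the
    whole remaining chain; the hash cannot be stepped downward."""
    if target_count < leaked_count:
        raise ValueError("cannot invert the hash to a lower count")
    v = leaked_value
    for _ in range(target_count - leaked_count):
        v = _h(v)
    return v


def run_demo() -> dict:
    # Constructed sample values, not from the original post.
    passphrase = b"correct horse battery staple"
    salt = b"host42"
    server = OtpServer(passphrase, salt, n=100)

    # Legitimate logon: server asks for count 99, user derives it from the passphrase.
    _, count = server.challenge()
    legit_ok = server.verify(otp_chain_value(passphrase, salt, count))  # count 99

    # MITM against the end-user: attacker intercepts the next challenge
    # and instead tells the user the count is 1. The user, who only
    # checks that it has a passphrase and a salt, answers with H^1(seed).
    leaked = otp_chain_value(passphrase, salt, 1)

    # Attacker now answers the real server's challenge (count 98) itself,
    # and could keep doing so for every remaining count down to 1.
    _, real_count = server.challenge()
    forged = attacker_forward(leaked, 1, real_count)
    forged_ok = server.verify(forged)

    return {"legit_ok": legit_ok, "forged_ok": forged_ok, "count_after": server.count}


if __name__ == "__main__":
    print(run_demo())
```

The server-side checks that were examined (the server never learns the seed, and a replayed response fails because the stored value has already moved) do nothing against this: the user has no way to tell a challenge of "1" from a genuine one unless the client pins the expected count or the server authenticates its challenge.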

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
