expanding a password into many keys

John Kelsey kelsey.j at ix.netcom.com
Mon Jun 13 16:34:11 EDT 2005


>From: Ian G <iang at systemics.com>
>Sent: Jun 12, 2005 11:27 AM
>To: cryptography at metzdowd.com
>Subject: expanding a password into many keys

>I'd like to take a password and expand it into several keys.  It
>seems like a fairly simple operation of hashing the concatenation
>of the password with each key name in turn to get each key.

>Are there any 'gotchas' with that?

There's a length extension property with what you're doing, so if I
get to choose your key names, I can do something unpleasant to you.
Suppose I know the length of pass, and get to choose two key names,
K1_name and K2_name.  You give me K1 = sha1( pass||K1_name), then I
need to guess K2_name.  I can choose K2_name to be K1_name,
appropriately padded to the full block size exactly as it will be in
the SHA1 computation that produces K1.  Then, I can compute K2 on my
own, because the only effect of the secret value "pass" on K2 is going
through K1.  

This doesn't look like an especially realistic attack model, but I'm
not sure what you're doing with this....

>iang

--John Kelsey
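The attack in John's reply, carried through as an added worked example (not part of the original thread and not anyone's posted code): a small pure-Python SHA-1 whose chaining state can be set directly, the naive scheme K = sha1(pass || key_name), and the forgery that picks K2_name = K1_name || padding and computes K2 from K1 alone. The password, key names and the helper names (sha1_raw, forge_k2_from_k1, attack_succeeds, derive_key_hmac) are constructed for the example; the HMAC variant is shown only as a contrast, not as something the thread recommends.

```python
import hashlib
import hmac
import struct

MASK = 0xFFFFFFFF
IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def _sha1_compress(h, block):
    """One SHA-1 compression of a 64-byte block over chaining state h (five 32-bit words)."""
    w = list(struct.unpack(">16I", block))
    for i in range(16, 80):
        w.append(_rotl(w[i - 3] ^ w[i - 8] ^ w[i - 14] ^ w[i - 16], 1))
    a, b, c, d, e = h
    for i in range(80):
        if i < 20:
            f, k = (b & c) | ((~b & MASK) & d), 0x5A827999
        elif i < 40:
            f, k = b ^ c ^ d, 0x6ED9EBA1
        elif i < 60:
            f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
        else:
            f, k = b ^ c ^ d, 0xCA62C1D6
        tmp = (_rotl(a, 5) + f + e + k + w[i]) & MASK
        a, b, c, d, e = tmp, a, _rotl(b, 30), c, d
    return [(x + y) & MASK for x, y in zip(h, (a, b, c, d, e))]


def sha1_padding(msg_len):
    """Merkle-Damgard padding that SHA-1 appends to a message of msg_len bytes."""
    return b"\x80" + b"\x00" * ((55 - msg_len) % 64) + struct.pack(">Q", msg_len * 8)


def sha1_raw(data, state=None, prior_len=0):
    """SHA-1 of (unseen prefix of prior_len bytes || data), resumed from `state`,
    the chaining value after the prefix was absorbed. prior_len must be a whole
    number of 64-byte blocks. With the defaults this is ordinary SHA-1 from the IV."""
    assert prior_len % 64 == 0, "can only resume on a block boundary"
    h = list(state) if state is not None else list(IV)
    msg = data + sha1_padding(prior_len + len(data))
    for i in range(0, len(msg), 64):
        h = _sha1_compress(h, msg[i:i + 64])
    return struct.pack(">5I", *h)


def sha1_hex(data):
    return sha1_raw(data).hex()


def derive_key_naive(password, key_name):
    """The scheme from the post: K = sha1(pass || key_name)."""
    return hashlib.sha1(password + key_name).digest()


def derive_key_hmac(password, key_name):
    """Contrast (assumption, not from the thread): HMAC keyed by the password.
    Its output is not a resumable chaining state, so the glue trick below fails."""
    return hmac.new(password, key_name, hashlib.sha1).digest()


def forge_k2_from_k1(k1, pass_len, k1_name):
    """The attack from the reply. Attacker knows K1, len(pass) and K1_name, not pass.
    Choose K2_name = K1_name || (the padding SHA-1 adds to pass||K1_name), so that
    sha1(pass||K2_name) is one more compression starting from the state K1."""
    glue = sha1_padding(pass_len + len(k1_name))
    k2_name = k1_name + glue
    state = struct.unpack(">5I", k1)
    k2 = sha1_raw(b"", state=state, prior_len=pass_len + len(k1_name) + len(glue))
    return k2_name, k2


def attack_succeeds(derive, password=b"hunter2 (constructed sample)", k1_name=b"enc"):
    """True iff the forged K2 equals the key the scheme itself derives for K2_name."""
    k1 = derive(password, k1_name)
    k2_name, forged = forge_k2_from_k1(k1, len(password), k1_name)
    return forged == derive(password, k2_name)


if __name__ == "__main__":
    print("sha1(pass||name):", attack_succeeds(derive_key_naive))   # True
    print("HMAC(pass, name):", attack_succeeds(derive_key_hmac))    # False
```

The forged K2_name carries the 0x80 byte and the length field of SHA-1's padding, which is why the attack needs the attacker to choose key names and to know len(pass); if names are restricted to printable strings or the password length is unknown, the glue cannot be placed exactly, which is the "not an especially realistic attack model" caveat in the reply.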




---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com