expanding a password into many keys

Ed Gerck edgerck at nma.com
Mon Jun 13 19:24:02 EDT 2005


Ian,

You need to go beyond the scope of simple-minded PKCS recommendations
to calculate keys from passwords. If you want to improve security,
just adding padding and salt is not enough.

Yes, of course, your code should add padding, so that the sha1 argument
always has the same, fixed, length for any password and key name.

Further, as you know, passwords (especially if chosen by a user)
have low entropy... let's say 10 ~ 40 bits. Key names (constrained
by natural language) should also have low entropy per character.
The end result is that a dictionary attack could be quite easy to do,
if you are not careful on several fronts.  You need to:

- define your threat model;
- warn users about bad passwords (not all bad pwds can be detected!);
- prevent really bad passwords from being used (ditto);
- prevent easy key names (ditto);
- estimate minimum lengths for passwords AND key names as a function
   of all the above -- including the threat model;
- provide for key management, with revocation, expiration and roll-over,
   before you face these needs without planning.

Cheers,
Ed Gerck

Ian G wrote:
> I'd like to take a password and expand it into
> several keys.  It seems like a fairly simple operation
> of hashing the concatenation of the password
> with each key name in turn to get each key.
> 
> Are there any 'gotchas' with that?
> 
> iang
> 
> PS: some pseudo code if the above is not clear.
> 
> for k in {set of keys needed}
> do
>     key[k] = sha1( pass | k );
> done
> 

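As an added example, not code from either post, here is the quoted sha1(pass | k) scheme placed beside a hardened variant in Python: a salted PBKDF2 (the PKCS#5 derivation Ed refers to) produces one master key, and each named subkey is then taken by HMAC over a length-prefixed key name so the input framing is unambiguous. The iteration count, the two-byte length prefix and the sample password are assumptions.

```python
import hashlib
import hmac
import os

# Naive scheme from the quoted post: key = sha1(pass | name), plain byte
# concatenation with no salt and no framing of where the password ends.
def naive_key(password: bytes, name: bytes) -> bytes:
    return hashlib.sha1(password + name).digest()

def naive_collision() -> bool:
    """Unframed concatenation is ambiguous: two different (password, name)
    pairs hand sha1 the very same byte string, so they get the same key."""
    return naive_key(b"ab", b"cd") == naive_key(b"a", b"bcd")

def derive_master(password: bytes, salt: bytes, iterations: int = 200_000) -> bytes:
    # PKCS#5 PBKDF2-HMAC-SHA256. The per-user salt defeats precomputed
    # dictionaries; the iteration count (assumed) makes every guess cost work.
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dklen=32)

def subkey(master: bytes, name: bytes) -> bytes:
    # Subkey = HMAC(master, len(name) || name). The explicit length prefix
    # gives the fixed framing Ed asks for: distinct names can never produce
    # the same MAC input, and the key name never touches the password itself.
    framed = len(name).to_bytes(2, "big") + name
    return hmac.new(master, framed, "sha256").digest()

def expand_password(password: bytes, salt: bytes, names: list) -> dict:
    """Expand one password into one independent 32-byte key per key name."""
    master = derive_master(password, salt)
    return {n: subkey(master, n) for n in names}

if __name__ == "__main__":
    salt = os.urandom(16)  # stored next to the data it protects; not secret
    keys = expand_password(b"correct horse", salt, [b"enc", b"mac"])  # sample password
    print("naive scheme collides:", naive_collision())
    for n, k in keys.items():
        print(n.decode(), k.hex())
```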

The Cryptography Mailing List