use KDF2 / IEEE1363a (Re: expanding a password into many keys)
Adam Back
adam at cypherspace.org
Tue Jun 14 04:21:39 EDT 2005
The non-banking version of this is the KDF2 function in IEEE1363a.
Same deal:
void KDF2( const void* Z, int Zlen, const void* P, int Plen, void* K, int Klen );
Z = master-key, P = permuter, K = derived key (each int is the byte length of the preceding buffer)
each is variable sized. (Sorry I implemented the source for someone
who has the copyright or you could have that). It's very simple to
implement however:
key = SHA1( Z || 0 || P ) || SHA1( Z || 1 || P ) ...
for as many bytes as you need. So I would eg use P = "AES" and P =
"HMACS" to derive two different keys. Looks like KDF2 has the same
problem John mentioned, so don't do that (let attacker choose P).
Adam
On Mon, Jun 13, 2005 at 06:16:47PM -0600, Anne & Lynn Wheeler wrote:
> Ian G wrote:
> > I'd like to take a password and expand it into
> > several keys. It seems like a fairly simple operation
> > of hashing the concatenation of the password
> > with each key name in turn to get each key.
>
> there is a financial standard for derived key per transaction
>
> from x9f taxonomy and glossary
> http://www.garlic.com/~lynn/x9f.htm
>
> derived unique key per transaction (DUKPT)
> A key management method which uses a unique key for each
> transaction, and prevents the disclosure of any past key used by the
> transaction originating TRSM. The unique Transaction Keys are derived
> from a base derivation key using only non-secret data transmitted as
> part of each transaction. [X924] (see also cryptographic key, transaction)
>
> ........
>
> basically you may be able to brute force an individual key w/o
> compromising the "master key" (or any other keys derived from the master
> key).
>
> derived keys are used in other infrastructures beside financial
> transactions. some token based systems may simply use derived key per
> token (as opposed to per transaction) ... brute force of a particular
> token's key doesn't compromise either the overall infrastructure and/or
> other tokens in the infrastructure.
>
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
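The expansion sketched in the post (key = H(Z || counter || P) || H(Z || counter+1 || P) ...), as an added example that is not code from the post or from the IEEE 1363a text. It assumes a 4-byte big-endian counter, which is how IEEE 1363a / ISO 18033-2 KDF2 encode it (the standard starts at 1; the post's sketch starts at 0, so the start value is a parameter), and uses a hypothetical ALLOWED_LABELS set to show the mitigation for the "attacker chooses P" issue.

```python
import hashlib
import struct

# Added example, not code from the post: KDF2-style key expansion.
# Assumption: the counter is encoded as a 4-byte big-endian integer (IEEE 1363a / ISO 18033-2
# KDF2 start it at 1; the post's sketch starts at 0, so counter_start is a parameter).


def kdf2_block(z: bytes, counter: int, p: bytes, hash_name: str = "sha1") -> bytes:
    """One hash block: H(Z || I2OSP(counter, 4) || P)."""
    return hashlib.new(hash_name, z + struct.pack(">I", counter) + p).digest()


def kdf2(z: bytes, p: bytes, key_len: int, counter_start: int = 1,
         hash_name: str = "sha1") -> bytes:
    """Derive key_len bytes from master key Z and label P by concatenating hash blocks."""
    out = b""
    counter = counter_start
    while len(out) < key_len:
        out += kdf2_block(z, counter, p, hash_name)
        counter += 1
    return out[:key_len]


# Mitigation for the "let attacker choose P" problem: the derivation label must come from a
# fixed set the protocol owns, never from untrusted input; otherwise any party able to name
# P can ask for the label another purpose uses and obtain that purpose's key.
ALLOWED_LABELS = {b"AES", b"HMACS"}  # hypothetical label set for this example


def derive_purpose_key(z: bytes, label: bytes, key_len: int) -> bytes:
    """Derive a key for one of the protocol's own purposes; reject unknown labels."""
    if label not in ALLOWED_LABELS:
        raise ValueError("unknown key label: %r" % label)
    return kdf2(z, label, key_len)


if __name__ == "__main__":
    master = b"constructed-master-secret"  # constructed sample input, not a real key
    aes_key = derive_purpose_key(master, b"AES", 16)
    mac_key = derive_purpose_key(master, b"HMACS", 32)
    print("AES  :", aes_key.hex())
    print("HMACS:", mac_key.hex())
```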