use KDF2 / IEEE1363a (Re: expanding a password into many keys)

Adam Back adam at cypherspace.org
Tue Jun 14 04:21:39 EDT 2005


The non-banking version of this is the KDF2 function in IEEE1363a.

Same deal:  

void KDF2( const void* Z, int zLen, const void* P, int pLen, void* K, int kLen );

Z = master-key, P = permuter, K = derived key

each is variable sized.  (Sorry I implemented the source for someone
who has the copyright or you could have that).  It's very simple to
implement however:

key = SHA1( Z || 0 || P ) || SHA1( Z || 1 || P ) ...

for as many bytes as you need.  So I would e.g. use P = "AES" and P =
"HMACS" to derive two different keys.  Looks like KDF2 has the same
problem John mentioned, so don't do that (let attacker choose P).

Adam

On Mon, Jun 13, 2005 at 06:16:47PM -0600, Anne & Lynn Wheeler wrote:
> Ian G wrote:
> > I'd like to take a password and expand it into
> > several keys.  It seems like a fairly simple operation
> > of hashing the concatenation of the password
> > with each key name in turn to get each key.
> 
> there is financial standard for derived key per transaction
> 
> from x9f taxonomy and glossary
> http://www.garlic.com/~lynn/x9f.htm
> 
> derived unique key per transaction (DUKPT)
>     A key management method which uses a unique key for each
> transaction, and prevents the disclosure of any past key used by the
> transaction originating TRSM. The unique Transaction Keys are derived
> from a base derivation key using only non-secret data transmitted as
> part of each transaction. [X924] (see also cryptographic key, transaction)
> 
> ........
> 
> basically you may be able to brute force an individual key w/o
> compromising the "master key" (or any other keys derived from the master
> key).
> 
> derived keys are used in other infrastructures beside financial
> transactions. some token based systems may simply use derived key per
> token (as opposed to per transaction) ... brute force of a particular
> token's key doesn't compromise either the overall infrastructure and/or
> other tokens in the infrastructure.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
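The counter-mode construction Adam describes (SHA1(Z || ctr || P) concatenated until enough bytes are produced), as an added example that is not code from the message or from IEEE 1363a. It assumes a 4-byte big-endian counter, starts counting at 0 as the message does (the IEEE 1363a KDF2 text itself starts at 1, hence the `counter_start` parameter), and uses a fixed set of permuter labels so P is never caller-supplied.

```python
import hashlib

SHA1_LEN = 20

# Fixed labels (the "AES" / "HMACS" idea from the message); callers pick a
# name from this table rather than supplying an arbitrary P of their own.
KEY_LABELS = {"aes": b"AES", "hmac": b"HMACS"}


def kdf2(z: bytes, p: bytes, key_len: int, counter_start: int = 0) -> bytes:
    """Return key_len bytes of SHA1(Z||ctr||P) || SHA1(Z||ctr+1||P) || ...

    Assumption: ctr is a 4-byte big-endian integer. counter_start=0 matches
    the message; pass counter_start=1 for the IEEE 1363a KDF2 convention.
    """
    if key_len < 0:
        raise ValueError("key_len must be non-negative")
    out = bytearray()
    ctr = counter_start
    while len(out) < key_len:
        block = z + ctr.to_bytes(4, "big") + p
        out += hashlib.sha1(block).digest()
        ctr += 1
    return bytes(out[:key_len])


def derive_keys(master: bytes, key_len: int) -> dict:
    """Derive one key per fixed label; rejects nothing because P is ours."""
    return {name: kdf2(master, label, key_len)
            for name, label in KEY_LABELS.items()}


if __name__ == "__main__":
    # Constructed sample master key; in practice Z comes from a password
    # stretching step or a real master key, never a literal like this.
    keys = derive_keys(b"example-master-key", 32)
    for name, k in keys.items():
        print(name, k.hex())
```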