expanding a password into many keys

Greg Rose ggr at qualcomm.com
Tue Jun 14 14:54:08 EDT 2005


At 10:34 2005-06-14 -0700, Eric Rescorla wrote:
>Hash-based constructions are the standard here, but I'm generally
>leery of using a pure hash. Probably the best basic function is to use
>HMAC(P,L_i) or perhaps HMAC(H(P),L_i), since HMAC wasn't designed to
>be used with non-random key values.  You'd need someone with a better
>understanding of hash functions than I have to tell you which one of
>these is better.

You know, the proof that HMAC is a good MAC requires that the *compression 
function* of the underlying hash is good. And for almost all applications 
like this one, both the input password and the sequence number, tag name, 
or whatever the second input is, all fit into a single compression function 
block. So you already get exactly what you need from the hash function, 
without needing the extra layer or two. They can't hurt much(*), but they 
don't actually help either.

(*) actually each layer reduces the space of output keys slightly; not 
enough to matter in practice, but it is actually infinitesimally worse than 
just doing the hash.

Greg.

Greg Rose                                    INTERNET: ggr at qualcomm.com
Qualcomm Incorporated     VOICE: +1-858-651-5733   FAX: +1-858-651-5766
5775 Morehouse Drive                    http://people.qualcomm.com/ggr/
San Diego, CA 92121   232B EC8F 44C6 C853 D68F E107 E6BF CD2F 1081 A37C
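
The three constructions discussed in this thread, side by side, with a count of compression-function calls each one makes; this is an added example, not code from the original post or its author. SHA-256, the 1-byte length-prefix encoding of (P, L_i), and all function names and sample values are assumptions made for illustration.

```python
import hashlib
import hmac

BLOCK = 64  # SHA-256 compression-function block size in bytes (assumed hash)

def sha256_blocks(n: int) -> int:
    """Compression calls for an n-byte message: 0x80 byte + 8-byte length, rounded up."""
    return (n + 1 + 8 + BLOCK - 1) // BLOCK

def hmac_blocks(key_len: int, msg_len: int) -> int:
    """Compression calls for HMAC-SHA-256 with no cached pad state."""
    prehash = sha256_blocks(key_len) if key_len > BLOCK else 0  # long keys are hashed first
    inner = sha256_blocks(BLOCK + msg_len)  # (K xor ipad) || message
    outer = sha256_blocks(BLOCK + 32)       # (K xor opad) || inner digest
    return prehash + inner + outer

def encode(password: bytes, label: bytes) -> bytes:
    """Hypothetical encoding: 1-byte length prefix keeps (P, L) pairs unambiguous."""
    if len(password) > 255:
        raise ValueError("password too long for a 1-byte length prefix")
    return bytes([len(password)]) + password + label

def key_plain_hash(password: bytes, label: bytes) -> bytes:
    return hashlib.sha256(encode(password, label)).digest()  # H(P, L_i)

def key_hmac(password: bytes, label: bytes) -> bytes:
    return hmac.new(password, label, hashlib.sha256).digest()  # HMAC(P, L_i)

def key_hmac_hashed(password: bytes, label: bytes) -> bytes:
    hp = hashlib.sha256(password).digest()
    return hmac.new(hp, label, hashlib.sha256).digest()  # HMAC(H(P), L_i)

def cost_table(password: bytes, label: bytes) -> dict:
    """Compression-function calls per derived key for each construction."""
    p, l = len(password), len(label)
    return {
        "H(P,L)": sha256_blocks(len(encode(password, label))),
        "HMAC(P,L)": hmac_blocks(p, l),
        "HMAC(H(P),L)": sha256_blocks(p) + hmac_blocks(32, l),
    }

if __name__ == "__main__":
    pw = b"correct horse battery staple"  # constructed sample password
    for lab in (b"mail-encryption", b"mail-auth"):  # constructed labels
        print(lab, cost_table(pw, lab), key_plain_hash(pw, lab).hex()[:16])
```

With the constructed inputs, the encoded password and label total 44 bytes, under the 55-byte limit for a single SHA-256 block, so the plain hash runs the compression function once while the two HMAC forms run it four and five times.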


---------------------------------------------------------------------
The Cryptography Mailing List