use KDF2 / IEEE1363a (Re: expanding a password into many keys)
Adam Back
adam at cypherspace.org
Tue Jun 14 15:42:45 EDT 2005
I suppose I should also have noted that the master key going into KDF2
would be derived with PBKDF2 from a password if this is a password
derived set of keys, to get the extra features of a salt and iterator
to slow down brute force.
Adam
On Tue, Jun 14, 2005 at 04:21:39AM -0400, Adam Back wrote:
> The non-banking version of this is the KDF2 function in IEEE1363a.
>
> Same deal:
>
> void KDF2( const void* Z, int, const void* P, int, void* K, int );
>
> Z = master-key, P = permuter, K = derived key
>
> each is variable sized. (Sorry I implemented the source for someone
> who has the copyright or you could have that). It's very simple to
> implement however:
>
> key = SHA1( Z || 0 || P ) || SHA1( Z || 1 || P ) ...
>
> for as many bytes as you need. So I would e.g. use P = "AES" and P =
> "HMACS" to derive two different keys. Looks like KDF2 has the same
> problem John mentioned, so don't do that (let attacker choose P).
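
An added example (not part of the original posts, and not IEEE 1363a reference code) of the construction described in this thread: PBKDF2 stretches a password into the master key Z, then SHA1( Z || counter || P ) blocks give one key per purpose label. The 4-byte big-endian counter starting at 0, the key lengths, the salt and the iteration count are assumptions made for illustration, and the names kdf2_sketch, master_key_from_password and derive_key are hypothetical.

```python
import hashlib

# Fixed purpose labels (P) and key lengths in bytes. The lengths are assumptions.
# P is looked up here and never taken from untrusted input, per the post's caveat.
LABELS = {b"AES": 16, b"HMACS": 20}


def master_key_from_password(password: bytes, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA1: the salt and iteration count slow down brute force."""
    return hashlib.pbkdf2_hmac("sha1", password, salt, iterations, dklen=20)


def kdf2_sketch(z: bytes, p: bytes, length: int, first_counter: int = 0) -> bytes:
    """Concatenate SHA1(Z || counter || P) blocks and truncate to `length` bytes."""
    if length <= 0:
        raise ValueError("length must be positive")
    out = bytearray()
    counter = first_counter
    while len(out) < length:
        # Assumption: the counter is encoded as 4 bytes, big-endian.
        out += hashlib.sha1(z + counter.to_bytes(4, "big") + p).digest()
        counter += 1
    return bytes(out[:length])


def derive_key(master: bytes, label: bytes) -> bytes:
    """Derive the key for one fixed purpose label; reject anything else."""
    if label not in LABELS:
        raise ValueError("unknown key label")
    return kdf2_sketch(master, label, LABELS[label])


if __name__ == "__main__":
    # Constructed sample inputs, for illustration only.
    z = master_key_from_password(b"correct horse", b"constructed-salt", 100_000)
    for label in LABELS:
        print(label.decode(), derive_key(z, label).hex())
```
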
---------------------------------------------------------------------
The Cryptography Mailing List