Message-ID: <9A043F3CF02CD34C8E74AC1594475C737238831F@uxcn10-6.UoA.auckland.ac.nz>
Date: Sat, 8 Mar 2014 01:06:07 +0000
From: Peter Gutmann <pgut001@...auckland.ac.nz>
To: "discussions@...sword-hashing.net" <discussions@...sword-hashing.net>
Subject: Re: [PHC] Are password trailing 0's a problem?
pornin@...et.org writes:
>Now don't get me wrong; HKDF is a fine piece of work, and the cryptographic
>arguments for its security are very good. Using it where you need a KDF looks
>like a good idea. However, it is in no way a "standard" in the same way as,
>say, PKCS#1 for RSA. PKCS#1 is indeed a good example, because it is also an
>"informational" RFC (RFC 3447), so it is not an "IETF standard" per se; but
>it is a "standard" by being de facto used everywhere, in particular by some
>actual "IETF standards" (e.g. RFC 3279 and 5756).
It is sort-of an IETF standard... the situation is a lot more hazy than you
describe; there's a lot of supposedly-informational stuff that is in fact a
universal standard, including HMAC itself (RFC 2104). The reason why some of
the informationals are informational is because there's no standards group to
publish them under, and they're pan-standards-groups (HMAC, for example, is
used all over the place, SSL/TLS, CMS/SMIME, IPsec, and many others).
The motivation for publishing HKDF was a reaction to this everywhere-but-nowhere
problem: every little standards group invented their own KDF, all
incompatible, with very little, if any, rigorous analysis. HKDF was intended
to provide a single, universal KDF to sort out this mess.
Peter.