lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Date: Sat, 8 Mar 2014 01:06:07 +0000
From: Peter Gutmann <>
To: "" <>
Subject: Re: [PHC] Are password trailing 0's a problem? writes:

>Now don't get me wrong; HDKF is a fine piece of work, and the cryptographic
>arguments for its security are very good. Using it where you need a KDF looks
>like a good idea. However, it is in no way a "standard" in the same way as,
>say, PKCS#1 for RSA. PKCS#1 is indeed a good example, because it is also an
>"informational" RFC (RFC 3447), so it is not an "IETF standard" per se; but
>it is a "standard" by being de facto used everywhere, in particular by some
>actual "IETF standards" (e.g. RFC 3279 and 5756). 

It is sort-of an IETF standard... the situation is a lot more hazy than you
describe, there's a lot of supposedly-informational stuff that is in fact a
universal standard, including HMAC itself (RFC 2104).  The reason why some of
the informationals are informational is because there's no standards group to
publish them under, and they're pan-standards-groups (HMAC, for example, is
used all over the place, SSL/TLS, CMS/SMIME, IPsec, and many others).

The motivation for publishing HKDF was a reaction to this everywhere-but-
nowhere problem, every little standards group invented their own KDF, all
incompatible, with very little, if any, rigorous analysis.  HKDF was intended
to provide a single, universal KDF to sort out this mess.


Powered by blists - more mailing lists