lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Mon, 07 Apr 2014 14:41:26 +0200
From: Christian Forler <>
Subject: Re: [PHC] Re: Mechanical tests

On 05.04.2014 19:24, Daniel Franke wrote:
> The definition of weakly-secure KDF, given in
> requires the
> adversary to distinguish the output of the KDF from uniformly-random
> output of equal length. In the case where the KDF's output is 1000 bits
> long with each bit carrying 1/10th bit of entropy, the adversary can,
> with high probability, win this game in a single query just by counting
> Hamming weight.
> In terms of practical rather than mathematical security, "assuming the
> *full* output is being used" is unreasonable. If a function is sold to
> me as a KDF, I expect to safely be able to destructure its output in
> order to derive multiple keys from a single invocation.

I would not recommend to derive multiple keys by splitting up a KDF
output. You should either use a KDF which supports the derivation of
multiple key from a single password (e.g. Catena-KG. :-)) or use
different passwords for each key.

Best regards,

Download attachment "signature.asc" of type "application/pgp-signature" (535 bytes)

Powered by blists - more mailing lists