lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Mon, 07 Apr 2014 14:41:26 +0200
From: Christian Forler <christian.forler@...-weimar.de>
To: discussions@...sword-hashing.net
Subject: Re: [PHC] Re: Mechanical tests

On 05.04.2014 19:24, Daniel Franke wrote:
[...]
> The definition of weakly-secure KDF, given in
> http://palms.ee.princeton.edu/PALMSopen/yao05design.pdf requires the
> adversary to distinguish the output of the KDF from uniformly-random
> output of equal length. In the case where the KDF's output is 1000 bits
> long with each bit carrying 1/10th bit of entropy, the adversary can,
> with high probability, win this game in a single query just by counting
> Hamming weight.
> 
> In terms of practical rather than mathematical security, "assuming the
> *full* output is being used" is unreasonable. If a function is sold to
> me as a KDF, I expect to safely be able to destructure its output in
> order to derive multiple keys from a single invocation.

I would not recommend to derive multiple keys by splitting up a KDF
output. You should either use a KDF which supports the derivation of
multiple key from a single password (e.g. Catena-KG. :-)) or use
different passwords for each key.

Best regards,
Christian








Download attachment "signature.asc" of type "application/pgp-signature" (535 bytes)

Powered by blists - more mailing lists