lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Wed, 9 Apr 2014 10:25:27 +0000
From: Peter Gutmann <pgut001@...auckland.ac.nz>
To: "discussions@...sword-hashing.net" <discussions@...sword-hashing.net>
Subject: Re: [PHC] Deriving multiple keys (was RE: Mechanical tests)

Christian Forler <christian.forler@...-weimar.de> writes:

>Let H be a KDF and let K1||K2 = H(PWD || salt).  Are K1 and K2 be
>considered to be independent?

No.

>Personally, I would feel better when using the following key derivation
>algorithm.
>
>y= H(PWD || salt)
>K1' =   F(y, 1)
>K2' =   F(y, 2)

This is how existing crypto protocols like TLS and CMS do it, typically you
denote the operation via some diversifier, e.g. TLS uses "CLNT" and "SRVR"
(actually for the MAC, but a similar thing), CMS uses:

  MAC-K := PRF( master_secret, "authentication" );
  CEK-K := PRF( master_secret, "encryption" );

(disclaimer: I wrote the RFC), and there are probably others.

>where F is a cryptographic hash function. Here you have only two additional
>hash function calls and since (y, 1) != (y,2) one can argue that K1' and K2'
>are pairwise independent. But is hard to argue that K1 and K2 are pairwise
>independent.

Exactly.  I'm not sure if this is explicitly recorded anywhere, but it's
certainly part of the crypto folklore that you don't use the same PRF output
to generate keys for different purposes.

Peter.

Powered by blists - more mailing lists