On Thu, Jan 05, 2012 at 12:45:14PM +1300, Peter Gutmann wrote:
Thor Lancelot Simon t...@panix.com writes:
However, while looking at it I have been wondering why something simpler and
better analyzed than the folded SHA should not be used.
Folding the output is belt-and-suspenders security,
On 6/01/12 03:56 AM, Thor Lancelot Simon wrote:
On Thu, Jan 05, 2012 at 12:45:14PM +1300, Peter Gutmann wrote:
Thor Lancelot Simon t...@panix.com writes:
However, while looking at it I have been wondering why something simpler and
better analyzed than the folded SHA should not be used.
On Fri, Jan 06, 2012 at 07:59:30AM +1100, ianG wrote:
The way I treat this problem is that it is analogous to inventing
one's own algorithm. From that perspective, one can ask:
What is? The folded SHA, or the use of HMAC?
You do understand why it's important to obscure what's mixed back in,
On Jan 5, 2012, at 4:46 PM, Thor Lancelot Simon wrote:
On Fri, Jan 06, 2012 at 07:59:30AM +1100, ianG wrote:
The way I treat this problem is that it is analogous to inventing
one's own algorithm. From that perspective, one can ask:
What is? The folded SHA, or the use of HMAC?
You do
On 01/05/2012 03:46 PM, Thor Lancelot Simon wrote:
I am asking whether the
use of HMAC with two different, well known keys, one for each purpose,
is better or worse than using the folded output of a single SHA
invocation for one purpose and the unfolded output of that same
invocation for the
On 01/05/2012 05:59 PM, Thor Lancelot Simon wrote:
FWIW, using HMAC like this is the extract step of the two-step
extract-expand HMAC based construction that is HKDF
From http://tools.ietf.org/html/draft-krawczyk-hkdf-01
2.2. Step 1: Extract
PRK = HKDF-Extract(salt, IKM)
Options:
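The two schemes being compared earlier in the thread (a folded SHA output handed to the consumer while the unfolded digest is mixed back, versus HMAC under two different well-known keys, one per purpose) and the HKDF-Extract step quoted in the reply above, as an added worked example. This is not code from the thread, from NetBSD, or from the Linux pool implementation; the XOR-of-halves fold, the key constants OUTPUT_KEY and MIXBACK_KEY, and the sample pool bytes are assumptions made for illustration. HKDF-Extract is implemented as the draft (published as RFC 5869) defines it, including the rule that an absent salt becomes HashLen zero bytes.

```python
import hashlib
import hmac

# Added example, not from the thread or any project's sources.

# Constructed sample pool contents; the real pool is kernel state.
SAMPLE_POOL = bytes(range(64))


def fold(digest: bytes) -> bytes:
    """XOR the two halves of a digest.

    Assumption: the exact folding used by the pool code is not shown in the
    thread, so XOR of halves stands in as the illustrative fold."""
    half = len(digest) // 2
    return bytes(a ^ b for a, b in zip(digest[:half], digest[half:]))


def folded_sha_outputs(pool: bytes) -> tuple:
    """Scheme A: a single SHA-1 invocation. The folded digest is handed to the
    consumer; the unfolded digest is the value mixed back into the pool."""
    h = hashlib.sha1(pool).digest()
    return fold(h), h


# Hypothetical fixed, publicly known keys (assumed names and values). Their
# role is domain separation between the two purposes, not secrecy.
OUTPUT_KEY = b"example-rnd-output"
MIXBACK_KEY = b"example-rnd-mixback"


def two_key_hmac_outputs(pool: bytes) -> tuple:
    """Scheme B: HMAC-SHA1 under two different well-known keys, one per purpose.
    Output and mix-back values are independent PRF outputs of the pool."""
    out = hmac.new(OUTPUT_KEY, pool, "sha1").digest()
    mix = hmac.new(MIXBACK_KEY, pool, "sha1").digest()
    return out, mix


def output_determined_by_mixback(out: bytes, mix: bytes) -> bool:
    """Check a consumer can run: is the emitted value a fixed function (here the
    fold) of the value that was mixed back? True means the output exposes a
    linear relation on the mixed-back bytes; False means no such relation."""
    return fold(mix) == out


def hkdf_extract(salt: bytes, ikm: bytes, hash_name: str = "sha256") -> bytes:
    """PRK = HKDF-Extract(salt, IKM) = HMAC-Hash(salt, IKM) (RFC 5869, 2.2).

    If no salt is provided it is set to a string of HashLen zeros."""
    if not salt:
        salt = b"\x00" * hashlib.new(hash_name).digest_size
    return hmac.new(salt, ikm, hash_name).digest()


if __name__ == "__main__":
    a_out, a_mix = folded_sha_outputs(SAMPLE_POOL)
    b_out, b_mix = two_key_hmac_outputs(SAMPLE_POOL)
    print("folded SHA: output == fold(mixback)?",
          output_determined_by_mixback(a_out, a_mix))
    print("two-key HMAC: output == fold(mixback)?",
          output_determined_by_mixback(b_out, b_mix))
    # RFC 5869 test case 1: salt 0x00..0c, IKM 22 bytes of 0x0b.
    prk = hkdf_extract(bytes(range(13)), b"\x0b" * 22)
    print("HKDF-Extract PRK:", prk.hex())
```

In scheme A the check returns True: the 10 bytes a consumer receives are exactly the XOR of the two halves of the 20 bytes that went back into the pool, so the output pins down a relation on the mixed-back state. In scheme B the two values are unrelated PRF outputs under distinct keys, which is the domain separation the thread is asking about, and the mix-back HMAC with a fixed salt-like key is the same shape as HKDF-Extract.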
On Thu, Jan 5, 2012 at 1:47 AM, Thor Lancelot Simon t...@panix.com wrote:
Eventually I will replace it with a multi-pool implementation like
Fortuna. However, I'm trying to make incremental improvements while
waiting for that mythical great extent of free time to appear.
Why do you want to
I'm working on the entropy-pool code in NetBSD, which began its life
many years ago as a simplified implementation of the same ideas behind
the Linux /dev/random implementation.
The NetBSD implementation now keys a stream generator from the pool
rather than directly outputting pool bits, but the
Thor Lancelot Simon t...@panix.com writes:
However, while looking at it I have been wondering why something simpler and
better analyzed than the folded SHA should not be used.
Folding the output is belt-and-suspenders security, it denies an attacker
direct access to the raw output of whatever