
RFC 5869 HMAC-based Extract-and-Expand Key Derivation Function (HKDF).
H. Krawczyk, P. Eronen. May 2010. (Format: TXT, HTML) (Status: INFORMATIONAL)
(DOI: 10.17487/RFC5869)

On the proper way to use a keyed SHA2 hash as a KDF.

Hash chains built off a secret key are considered not safe.

For SHA3, KMAC (NIST SP800-185) is a proven KDF.

See:

https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-108r1-upd1.pdf

Sec 4.4.

I have had the privilege of direct conversations with Dr. Krawczyk even prior to his presentation on keyed hash attacks in 1995 and the reason for the HMAC (RFC2104) construct.

And I have had the privilege of following along with Team Keccak on the development of what is now SHA3 and its derivatives.  We are finally seeing an uptick in replacing HMAC/HKDF with KMAC.

On 1/10/25 17:00, Sriram R via Cryptography-dev wrote:
Hello,

I'm generating a key using Scrypt from a password supplied by the user. I then use this key as follows. This works but my question to the experts: is this an acceptable way to use the AESGCMSIV cipher? Am I doing something that's fundamentally against best practices? In the examples on the Cryptography site, the sample code snippet uses AESGCMSIV.generate_key() method to generate the key instead. The requirement I have is to generate the key that's based on a password.

import secrets
from cryptography.hazmat.primitives.kdf.scrypt import Scrypt
from cryptography.hazmat.primitives.ciphers.aead import AESGCMSIV

def gen_salt(size=32):
    return secrets.token_bytes(size)

def der_key(salt, password):
    # n=2**20, r=8 needs roughly 1 GiB of memory per derivation
    kdf = Scrypt(salt=salt, length=32, n=2**20, r=8, p=1)
    return kdf.derive(password.encode())

def gen_symmkey(salt, password):
    symmkey = der_key(salt, password)
    return symmkey

# password, file_data, aad and fname are supplied by the caller
salt = gen_salt()                # store with the ciphertext; needed to re-derive the key
nonce = secrets.token_bytes(12)  # 96-bit nonce; store with the ciphertext as well
key = gen_symmkey(salt, password)
aesgcmsiv = AESGCMSIV(key)

ct = aesgcmsiv.encrypt(nonce, file_data, aad)
with open(fname, "wb") as outfile:
    outfile.write(ct)

Best,
PE


_______________________________________________
Cryptography-dev mailing list
Cryptography-dev@python.org
https://mail.python.org/mailman/listinfo/cryptography-dev
