Robert, Appreciate the links to the articles, read them and they are very informative.
RFC 5869 does have this phrase: One significant example is the derivation of cryptographic keys from a source of low entropy, such as a user's password. The extract step in HKDF can concentrate existing entropy but cannot amplify entropy. This statement sounds like keys derived from a user's password might be weaker than keys derived from random input keying material. Is that not how one should interpret this statement in the RFC? Based on the popularity of password-based KDF, I'm guessing this is not a concern? To the pyca/cryptography team: Is the development of a KMAC module on the roadmap? And if so, kindly requesting to share the timeline for planning purposes. My team has a requirement to implement quantum-resistant algorithms when and where possible and since KMAC is quantum-resistant we're very much interested in adopting it. Best, PE On Sat, Jan 11, 2025 at 4:57 PM Robert Moskowitz <r...@htt-consult.com> wrote: > read > > RFC 5869 HMAC-based Extract-and-Expand Key Derivation Function (HKDF). H. > Krawczyk, P. Eronen. May 2010. (Format: TXT, HTML) (Status: > INFORMATIONAL) (DOI: 10.17487/RFC5869) > > On the proper way to use a keyed SHA2 hash as a KDF. > > Hash chains build off a secret key are considered not safe. > > For SHA3, KMAC (NIST SP800-185) is a proven KDF. > > See: > > > https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-108r1-upd1.pdf > > Sec 4.4. > > I have had the privilege of direct conversations with Dr. Krawczyk even > prior to his presentation on keyed hash attacks in 1995 and the reason for > the HMAC (RFC2104) construct. > > And I have had the privilege of following along with Team Keccak on the > development of what is now SHA3 and its derivatives. We are finally seeing > an uptick in replacing HMAC/HKDF with KMAC. > > On 1/10/25 17:00, Sriram R via Cryptography-dev wrote: > > Hello, > > I'm generating a key using Scrypt from a password supplied by the user. I > then use this key as follows. This works but my question to the experts: is > this an acceptable way to use the AESGCMSIV cipher? Am I doing something > that's fundamentally against best practices? In the examples on the > Cryptography site, the sample code snippet uses AESGCMSIV.generate_key() > method to generate the key instead. The requirement I have is to generate > the key that's based on a password. > > def gen_salt(size=32): > return secrets.token_bytes(size) > > def der_key(salt, password): > kdf = Scrypt(salt=salt, length=32, n=2**20, r=8, p=1) > return kdf.derive(password.encode()) > > def gen_symmkey(salt, password): > symmkey = der_key(salt, password) > return symmkey > > key = gen_symmkey(salt, password) > aesgcmsiv = AESGCMSIV(key) > > ct = aesgcmsiv.encrypt(nonce, file_data, aad) > with open(fname, "wb") as outfile: > outfile.write(ct) > > Best, > PE > > > _______________________________________________ > Cryptography-dev mailing > listCryptography-dev@python.orghttps://mail.python.org/mailman/listinfo/cryptography-dev > > >
_______________________________________________ Cryptography-dev mailing list Cryptography-dev@python.org https://mail.python.org/mailman/listinfo/cryptography-dev
