In my situation, I choose the password/passphrase and share it with the single user who will be using the encrypt/decrypt Python module I developed. This means I get to set the passphrase to a very reasonable length, and I also have control over how often the passphrase should be changed.
On Sun, Jan 12, 2025, 9:37 AM Robert Moskowitz <r...@htt-consult.com> wrote:
> I have a number of places to test KMAC in protocols. Both as an HMAC and HKDF replacement.
>
> On 1/12/25 12:08, Sriram R wrote:
>
> While I'm unable to contribute as a developer due to time constraints, I certainly wouldn't mind volunteering for testing things before a GA release, should there be a need for it.
>
> On Sun, Jan 12, 2025, 9:04 AM Alex Gaynor <alex.gay...@gmail.com> wrote:
>
>> There's a request for KMAC, https://github.com/pyca/cryptography/issues/12141. Thus far no work has happened on it. If you're interested in contributing, we're happy to review a PR.
>>
>> Alex
>>
>> On Sun, Jan 12, 2025 at 12:02 PM Sriram R via Cryptography-dev <cryptography-dev@python.org> wrote:
>> >
>> > Robert,
>> >
>> > Appreciate the links to the articles; I read them and they are very informative.
>> >
>> > RFC 5869 does have this phrase:
>> >
>> >     One significant example is the derivation of cryptographic
>> >     keys from a source of low entropy, such as a user's password. The
>> >     extract step in HKDF can concentrate existing entropy but cannot
>> >     amplify entropy.
>> >
>> > This statement sounds like keys derived from a user's password might be weaker than keys derived from random input keying material. Is that not how one should interpret this statement in the RFC?
>> >
>> > Based on the popularity of password-based KDFs, I'm guessing this is not a concern?
>> >
>> > To the pyca/cryptography team:
>> >
>> > Is the development of a KMAC module on the roadmap? And if so, kindly requesting that you share the timeline for planning purposes. My team has a requirement to implement quantum-resistant algorithms when and where possible, and since KMAC is quantum-resistant we're very much interested in adopting it.
>> >
>> > Best,
>> >
>> > PE
>> >
>> > On Sat, Jan 11, 2025 at 4:57 PM Robert Moskowitz <r...@htt-consult.com> wrote:
>> >>
>> >> Read:
>> >>
>> >> RFC 5869 HMAC-based Extract-and-Expand Key Derivation Function (HKDF). H. Krawczyk, P. Eronen. May 2010. (Format: TXT, HTML) (Status: INFORMATIONAL) (DOI: 10.17487/RFC5869)
>> >>
>> >> On the proper way to use a keyed SHA2 hash as a KDF.
>> >>
>> >> Hash chains built off a secret key are considered not safe.
>> >>
>> >> For SHA3, KMAC (NIST SP800-185) is a proven KDF.
>> >>
>> >> See:
>> >>
>> >> https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-108r1-upd1.pdf
>> >>
>> >> Sec 4.4.
>> >>
>> >> I have had the privilege of direct conversations with Dr. Krawczyk even prior to his presentation on keyed hash attacks in 1995 and the reason for the HMAC (RFC2104) construct.
>> >>
>> >> And I have had the privilege of following along with Team Keccak on the development of what is now SHA3 and its derivatives. We are finally seeing an uptick in replacing HMAC/HKDF with KMAC.
>> >>
>> >> On 1/10/25 17:00, Sriram R via Cryptography-dev wrote:
>> >>
>> >> Hello,
>> >>
>> >> I'm generating a key using Scrypt from a password supplied by the user. I then use this key as follows. This works, but my question to the experts: is this an acceptable way to use the AESGCMSIV cipher? Am I doing something that's fundamentally against best practices? In the examples on the Cryptography site, the sample code snippet uses the AESGCMSIV.generate_key() method to generate the key instead. The requirement I have is to generate a key that's based on a password.
>> >>
>> >> import secrets
>> >> from cryptography.hazmat.primitives.kdf.scrypt import Scrypt
>> >> from cryptography.hazmat.primitives.ciphers.aead import AESGCMSIV
>> >>
>> >> def gen_salt(size=32):
>> >>     # Fresh random salt per derivation; it is public and must be stored with the ciphertext.
>> >>     return secrets.token_bytes(size)
>> >>
>> >> def der_key(salt, password):
>> >>     # Memory-hard password KDF: n=2**20, r=8 costs about 1 GiB per derivation.
>> >>     kdf = Scrypt(salt=salt, length=32, n=2**20, r=8, p=1)
>> >>     return kdf.derive(password.encode())
>> >>
>> >> def gen_symmkey(salt, password):
>> >>     symmkey = der_key(salt, password)
>> >>     return symmkey
>> >>
>> >> # password, file_data, aad and fname are inputs not shown in the original post;
>> >> # salt and the 12-byte nonce are assumed to be generated here and stored alongside ct.
>> >> salt = gen_salt()
>> >> nonce = secrets.token_bytes(12)
>> >> key = gen_symmkey(salt, password)
>> >> aesgcmsiv = AESGCMSIV(key)
>> >>
>> >> ct = aesgcmsiv.encrypt(nonce, file_data, aad)
>> >> with open(fname, "wb") as outfile:
>> >>     outfile.write(ct)
>> >>
>> >> Best,
>> >> PE
>> >>
>> >> _______________________________________________
>> >> Cryptography-dev mailing list
>> >> Cryptography-dev@python.org
>> >> https://mail.python.org/mailman/listinfo/cryptography-dev
>> >>
>> > _______________________________________________
>> > Cryptography-dev mailing list
>> > Cryptography-dev@python.org
>> > https://mail.python.org/mailman/listinfo/cryptography-dev
>>
>> --
>> All that is necessary for evil to succeed is for good people to do nothing.
>
_______________________________________________ Cryptography-dev mailing list Cryptography-dev@python.org https://mail.python.org/mailman/listinfo/cryptography-dev
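The thread turns on the RFC 5869 sentence Sriram quotes: HKDF's extract step concentrates entropy but cannot create it, so a key derived from a password has no more entropy than the password, whichever KDF produced it. What a password-based KDF such as scrypt changes is the cost of each guess, not the size of the guess space; HKDF is then the right tool for the cheap step of splitting one good secret into several purpose-bound keys. The following is an added example (not code from the thread or from pyca/cryptography) that implements HKDF from RFC 5869 with the standard library's hmac and hashlib, checks it against the RFC's first test vector, and combines it with hashlib.scrypt into the two-stage pipeline described above. Assumptions: SHA-256 throughout, a demo scrypt cost of n=2**14 (the thread uses 2**20, which needs about 1 GiB and exceeds OpenSSL's default memory limit in hashlib.scrypt), and made-up info labels.

```python
import hashlib
import hmac

HASH = "sha256"
HASH_LEN = hashlib.new(HASH).digest_size  # 32 for SHA-256


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 section 2.2: PRK = HMAC-Hash(salt, IKM).
    An empty salt is replaced by HashLen zero bytes, as the RFC specifies."""
    if not salt:
        salt = b"\x00" * HASH_LEN
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 section 2.3: T(i) = HMAC-Hash(PRK, T(i-1) | info | i), i = 1..N."""
    if length > 255 * HASH_LEN:
        raise ValueError("HKDF-Expand output length exceeds 255 * HashLen")
    okm, t, i = b"", b"", 1
    while len(okm) < length:
        t = hmac.new(prk, t + info + bytes([i]), HASH).digest()
        okm += t
        i += 1
    return okm[:length]


def hkdf(salt: bytes, ikm: bytes, info: bytes, length: int) -> bytes:
    return hkdf_expand(hkdf_extract(salt, ikm), info, length)


def rfc5869_test_case_1_passes() -> bool:
    """Known-answer check: RFC 5869 Appendix A, test case 1 (SHA-256)."""
    ikm = bytes.fromhex("0b" * 22)
    salt = bytes.fromhex("000102030405060708090a0b0c")
    info = bytes.fromhex("f0f1f2f3f4f5f6f7f8f9")
    expected = bytes.fromhex(
        "3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf"
        "34007208d5b887185865"
    )
    return hkdf(salt, ikm, info, 42) == expected


def derive_keys_from_password(password: str, salt: bytes, *,
                              n: int = 2**14, r: int = 8, p: int = 1) -> dict:
    """Two-stage pipeline (an assumed layout, not the thread's own code).

    Stage 1, scrypt: each guess at the password costs roughly 128*r*n bytes
    of memory and the matching time. This is the only step that makes a
    low-entropy input expensive to brute-force; it still adds no entropy.
    Stage 2, HKDF: cheap, and exactly what RFC 5869 is designed for, turning
    one uniform secret into several keys bound to distinct purposes by info.
    """
    secret = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=n, r=r, p=p, dklen=32)
    prk = hkdf_extract(salt, secret)
    # Hypothetical info labels; a different label yields an independent key.
    return {
        "enc": hkdf_expand(prk, b"example/aes-gcm-siv-key", 32),
        "mac": hkdf_expand(prk, b"example/metadata-mac-key", 32),
    }


if __name__ == "__main__":
    import secrets
    # Constructed input: fresh random salt, stored with the ciphertext.
    salt = secrets.token_bytes(32)
    keys = derive_keys_from_password("example passphrase", salt)
    print("RFC 5869 test case 1 ok:", rfc5869_test_case_1_passes())
    print("enc key:", keys["enc"].hex())
    print("mac key:", keys["mac"].hex())
```

The salt plays two roles here: it is the scrypt salt and the HKDF salt, and because it is public it can be written to the output file ahead of the AES-GCM-SIV nonce and ciphertext so that decryption can recompute the same keys. Re-running with the same password and salt returns identical keys; changing either returns different ones, and the "enc" and "mac" keys never coincide because their info labels differ.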