>From: Ian G <[EMAIL PROTECTED]>
>Sent: Jun 12, 2005 11:27 AM
>To: [email protected]
>Subject: expanding a password into many keys

>I'd like to take a password and expand it into several keys. It
>seems like a fairly simple operation of hashing the concatenation
>of the password with each key name in turn to get each key.

>Are there any 'gotchas' with that?

There's a length extension property with what you're doing, so if I get to choose your key names, I can do something unpleasant to you. Suppose I know the length of pass, and get to choose two key names, K1_name and K2_name. You give me K1 = sha1(pass||K1_name), then I need to guess K2_name. I can choose K2_name to be K1_name, appropriately padded to the full block size exactly as it will be in the SHA1 computation that produces K1. Then, I can compute K2 on my own, because the only effect of the secret value "pass" on K2 is going through K1.

This doesn't look like an especially realistic attack model, but I'm not sure what you're doing with this....

>iang

--John Kelsey

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
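The relationship John describes, as an added check that is not part of the original thread: a small SHA-1 continuation routine is used to test whether a derive(password, name) scheme lets the key for K1_name||padding be predicted from K1 alone, and the HMAC variant is an assumed fix, not something proposed in the mail.

```python
import hashlib
import hmac
import struct
MASK = 0xFFFFFFFF

def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK

def sha1_pad(msg_len):
    """Bytes SHA-1 appends to a message of msg_len bytes before compressing it."""
    return b"\x80" + b"\x00" * ((55 - msg_len) % 64) + struct.pack(">Q", msg_len * 8)

def sha1_resume(digest, extra, prefix_len):
    """SHA-1 of P || extra, given only sha1(P) and len(P), where prefix_len is the
    length of P plus its padding (a multiple of 64). The secret P is never needed."""
    h = list(struct.unpack(">5I", digest))
    msg = extra + sha1_pad(prefix_len + len(extra))
    for off in range(0, len(msg), 64):
        w = list(struct.unpack(">16I", msg[off:off + 64]))
        for i in range(16, 80):
            w.append(_rotl(w[i - 3] ^ w[i - 8] ^ w[i - 14] ^ w[i - 16], 1))
        a, b, c, d, e = h
        for i in range(80):
            if i < 20:
                f, k = (b & c) | (~b & d), 0x5A827999
            elif i < 40:
                f, k = b ^ c ^ d, 0x6ED9EBA1
            elif i < 60:
                f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
            else:
                f, k = b ^ c ^ d, 0xCA62C1D6
            a, b, c, d, e = (_rotl(a, 5) + f + e + k + w[i]) & MASK, a, _rotl(b, 30), c, d
        h = [(x + y) & MASK for x, y in zip(h, (a, b, c, d, e))]
    return struct.pack(">5I", *h)

def naive_derive(password, name):
    """The scheme from the mail: K = sha1(pass || key_name)."""
    return hashlib.sha1(password + name).digest()

def hmac_derive(password, name):
    """Keyed alternative (assumed fix, not from the mail): HMAC has no extension path."""
    return hmac.new(password, name, hashlib.sha1).digest()

def extension_predicts_key(derive, password, k1_name):
    """True if K2 for K2_name = K1_name || padding follows from K1 and len(pass)
    alone, i.e. the scheme has the flaw John describes. Only the final
    comparison uses the password; the prediction itself does not."""
    k1 = derive(password, k1_name)
    k2_name = k1_name + sha1_pad(len(password) + len(k1_name))
    predicted = sha1_resume(k1, b"", len(password) + len(k2_name))
    return predicted == derive(password, k2_name)
```

Run against a constructed password and key name, the naive scheme reports True and the HMAC scheme False, which is the property a key-expansion scheme should be checked for before the key names are exposed to anyone else.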
