On Wed, Sep 08, 2010 at 02:21:18PM -0700, Jon Callas wrote:

> Not really. PBKDF2 has the advantage that you can use any PRF in
> it. The most common PRF is some HMAC, which is a one-way
> function. You could use a two-way function like AES in it, and get
> the property you want. But if you use a two-way function, that means
> you can reverse the derived key to get the password that the key is
> derived from.
Is this really true in the case of PBKDF2? It keys the PRF based on the password; even if your PRF is invertible, that would seem to require keeping the key (i.e., the password) or the key schedule (which is equivalent in the case of AES) available to be able to add further iterations.

It occurs to me that you could actually re-stretch a PBKDF2 hash based on HMAC if you kept around the chaining variables resulting from H(k ^ ipad) and H(k ^ opad); this would be sufficient to allow continuing the chaining. Of course, if someone can get these chaining variables, it would be a much easier target for cracking than going after PBKDF2 directly, so keeping them around in long-term storage doesn't seem like a great idea.

-Jack

_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography
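An added worked example (not code from the thread or from either poster) that shows Jack's observation in Python with HMAC-SHA256 as the PRF. It assumes nothing beyond PBKDF2 as specified in RFC 2898 and CPython's hmac module: an hmac.HMAC object holds exactly the inner and outer hash states after absorbing K ^ ipad and K ^ opad, and copy() hands out fresh keyed PRF instances without the password. The class, the function names and the sample password/salt are constructed for illustration; the last function shows why the stored state is the easier target.

```python
import hashlib
import hmac
import struct

HASH = "sha256"


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class ResumablePBKDF2:
    """One output block T_i of PBKDF2-HMAC kept in a form that can be
    stretched further later.

    The stored state does NOT include the password.  `self.keyed` is an
    HMAC object whose inner/outer hash states are the chaining variables
    after H(K ^ ipad) and H(K ^ opad).  `copy()` on it yields a fresh keyed
    PRF instance, which is all PBKDF2 needs for U_{j+1} = PRF(P, U_j).
    """

    def __init__(self, password: bytes, salt: bytes, iterations: int, block_index: int = 1):
        if iterations < 1:
            raise ValueError("iterations must be >= 1")
        # Keyed PRF template: only the two chaining variables survive here.
        self.keyed = hmac.new(password, digestmod=HASH)
        first = self.keyed.copy()
        first.update(salt + struct.pack(">I", block_index))  # S || INT(i)
        self.u = first.digest()   # U_1
        self.t = self.u           # T_i = U_1 (XOR of later U_j added below)
        self.iterations = 1
        self.extend(iterations - 1)

    def extend(self, more: int) -> None:
        """Add `more` iterations using only the stored chaining variables."""
        for _ in range(more):
            h = self.keyed.copy()
            h.update(self.u)
            self.u = h.digest()            # U_{j+1} = PRF(P, U_j)
            self.t = _xor(self.t, self.u)  # T_i ^= U_{j+1}
            self.iterations += 1

    def derived_key(self) -> bytes:
        return self.t


def reference_pbkdf2(password: bytes, salt: bytes, iterations: int) -> bytes:
    """Standard-library PBKDF2 for comparison (first block only, dkLen = 32)."""
    return hashlib.pbkdf2_hmac(HASH, password, salt, iterations, dklen=32)


def guess_matches_state(state: ResumablePBKDF2, guess: bytes) -> bool:
    """Why the saved state is a cheap target: checking a candidate password
    against the chaining variables costs one HMAC (two compression calls),
    whereas checking it against the derived key costs `iterations` HMACs."""
    probe = b"any fixed message"
    from_state = state.keyed.copy()
    from_state.update(probe)
    from_guess = hmac.new(guess, probe, HASH)
    return hmac.compare_digest(from_state.digest(), from_guess.digest())


if __name__ == "__main__":
    # Constructed sample input.
    pw, salt = b"correct horse battery staple", b"NaCl"
    st = ResumablePBKDF2(pw, salt, 1000)
    assert st.derived_key() == reference_pbkdf2(pw, salt, 1000)
    st.extend(500)  # re-stretch without the password
    assert st.derived_key() == reference_pbkdf2(pw, salt, 1500)
    print("re-stretched 1000 -> 1500 iterations; matches hashlib:", True)
```

The class keeps the XOR accumulator and the last U_j alongside the keyed HMAC template, since continuing the chain needs those too; what it never keeps is the password itself. Whether the resumed result matches hashlib.pbkdf2_hmac for the combined iteration count is the check that the stored state really is sufficient; guess_matches_state is the check that it is also sufficient for an attacker.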
