On Thu, Aug 16, 2012 at 1:30 AM, Patrick Mylund Nielsen <[email protected]> wrote: > One curious note is that NIST recommends PBKDF2 for master key derivation, > and specifically write, "The MK [PBKDF2 output] shall not be used for other > purposes." Perhaps the document was meant to document just KDFs. Since the > hashes are one-way anyway, I don't see it making a difference for use as > "password digests."
Just being cautious, I guess. I'm sure there are stupid ways to use the MK and they are presumably hard to list. Anyway, if you want to conform, encrypt a bunch of zeroes using the MK and then use decryption to check correctness of password... > > > On Thu, Aug 16, 2012 at 2:15 AM, Jon Callas <[email protected]> wrote: >> >> -----BEGIN PGP SIGNED MESSAGE----- >> Hash: SHA1 >> >> >> On Aug 15, 2012, at 4:50 PM, [email protected] >> wrote: >> >> > * PGP Signed by an unknown key >> > >> > Any reason PBKDF2 shouldn't be used for (storing) hashed passwords? >> > >> >> My recommendation is that you should use it. It's even got a NIST >> document, now: >> >> http://csrc.nist.gov/publications/nistpubs/800-132/nist-sp800-132.pdf >> >> To be the most rigorous, use PBKDF2-HMAC-SHA[12]. It doesn't matter a lot >> which hash function you're using if you're doing the HMAC version. The major >> difference will be the number of iterations. SHA2 is slower than SHA1, so >> you'll use fewer iterations. SHA512 is faster on a 64-bit processor than >> SHA256, which puts a small wrench in things. >> >> Use lots of iterations. Calibrate them against real time -- enough for >> 100ms or more, for example, rather than a fixed count. If you're worried, >> then add more iterations. >> >> Jon >> >> >> >> -----BEGIN PGP SIGNATURE----- >> Version: PGP Universal 3.2.0 (Build 1672) >> Charset: us-ascii >> >> wj8DBQFQLDuusTedWZOD3gYRAt0+AKC0jAKZS40IDBdYelX19y5pQ6zS5gCgpYhI >> dYokIg8zciE7iY5NrXVWkwc= >> =pSLW >> -----END PGP SIGNATURE----- >> _______________________________________________ >> cryptography mailing list >> [email protected] >> http://lists.randombit.net/mailman/listinfo/cryptography > > > > _______________________________________________ > cryptography mailing list > [email protected] > http://lists.randombit.net/mailman/listinfo/cryptography > _______________________________________________ cryptography mailing list [email protected] http://lists.randombit.net/mailman/listinfo/cryptography
