Is this not the old chained crypto argument? It comes down to whether or not you believe there is, or will be, an attack, known or unknown, upon any singular or combined crypto choice. If you do believe, which is reasonable given that prior crypto has been broken and that all knowledge is never public, then compose your own function of different crypto designs (ex: TrueCrypt chained three). If not, go with whatever single crypto looks good and serves the design of your application. It's just a function... with combined odds against breaks, and it's good to design against known expenses of the adversary like time and memory. Just don't break it while implementing it.
No usable KDF will help if "12345" is the passphrase. And 40 random printable ASCII chars are stronger than any 256-bit KDF. Seems to me it's not a better KDF that's needed, but better memory.

http://en.wikipedia.org/wiki/Simon_(game)
http://www.recordholders.org/en/list/memory.html

Or just write it down on the other side of the airgap. If that's not doable, then you resort to the KDF bits game for expected weak inputs. The tradeoff there is usability. Nobody is going to wait five minutes for their idiot passphrase of "12345" to go through some elite, but ultimately useless in that case, KDF. Password checkers can enforce some minimum bits there. Regardless, you still have the law, the rubber hose, and your own backup plan to contend with. Good luck.

_______________________________________________
cryptography mailing list
http://lists.randombit.net/mailman/listinfo/cryptography
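The "KDF bits game" above can be put in numbers: a KDF only adds log2(iterations) to the attacker's per-guess cost, so it can lift a mediocre passphrase but never rescue "12345". The script below is an added example, not code from the post or the list; the 1 microsecond per PBKDF2 iteration rate and the 80-bit target are assumed placeholders, and the character-class estimate is an upper bound that a real checker would tighten with dictionary and pattern rejection.

```python
import math
import string

def charset_size(passphrase: str) -> int:
    """Upper-bound alphabet size from the character classes actually used."""
    size = 0
    if any(c in string.digits for c in passphrase):
        size += 10
    if any(c in string.ascii_lowercase for c in passphrase):
        size += 26
    if any(c in string.ascii_uppercase for c in passphrase):
        size += 26
    if any(c in string.punctuation or c == " " for c in passphrase):
        size += 33          # 32 punctuation characters plus space
    return size             # all four classes together give the 95 printable ASCII

def guess_space_bits(length: int, alphabet: int) -> float:
    """Bits of a uniformly random string: length * log2(alphabet)."""
    if length == 0 or alphabet < 2:
        return 0.0
    return length * math.log2(alphabet)

def estimate_bits(passphrase: str) -> float:
    return guess_space_bits(len(passphrase), charset_size(passphrase))

def effective_bits(passphrase_bits: float, kdf_iterations: int) -> float:
    """The KDF adds only log2(iterations) to the attacker's cost per guess."""
    return passphrase_bits + math.log2(kdf_iterations)

def iterations_for_target(passphrase_bits: float, target_bits: float) -> int:
    """KDF iterations needed to lift a passphrase to target_bits of attacker cost."""
    shortfall = target_bits - passphrase_bits
    return 1 if shortfall <= 0 else math.ceil(2 ** shortfall)

def unlock_delay_seconds(iterations: int, seconds_per_iteration: float = 1e-6) -> float:
    """What the legitimate user waits; 1 us/iteration is an assumed placeholder rate."""
    return iterations * seconds_per_iteration

def meets_policy(passphrase: str, min_bits: float) -> bool:
    """The 'minimum bits' check a password checker can enforce."""
    return estimate_bits(passphrase) >= min_bits

if __name__ == "__main__":
    # The post's claim: 40 random printable ASCII chars exceed 256 bits.
    print(f"40 printable ASCII chars: {guess_space_bits(40, 95):.1f} bits")
    weak = estimate_bits("12345")                       # ~16.6 bits at best
    need = iterations_for_target(weak, 80)              # to reach an assumed 80-bit target
    print(f'"12345": {weak:.1f} bits, {effective_bits(weak, 2**20):.1f} bits with 2^20 iterations')
    print(f"iterations for 80 bits: {need:.3g}, unlock delay {unlock_delay_seconds(need):.3g} s")
```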
