Ben Laurie <[EMAIL PROTECTED]> writes:
> OK, so if I've got a passphrase of arbitrary length, and I wish to
> condense it to make a key of length n bits (n > 160), what's the
> approved method(s) of doing that?
If the input you start with is a typical passphrase (i.e. pretty
small entropy, say less than 40 or 50 bits), I guess you should
follow Peter's advise and look at PKCS#5 v2, which was specifically
designed for this.
On the other hand, if you don't care about making the hashing
artificially slow, but have a reasonable amount of entropy to start
with and just want to stretch it, you may want to look at the way ssh2
does that. (Say you have a 100+ bit shared secret and need to get two
256 bit twofish keys and 2 iv:s, 768 bits in all). That is specified
in draft-ietf-secsh-transport-07.txt, the relevant section is
: If the key length in longer than the output
: of the HASH, the key is extended by computing HASH of the concatenation
: of K and H and the entire key so far, and appending the resulting bytes
: (as many as HASH generates) to the key. This process is repeated until
: enough key material is available; the key is taken from the beginning of
: this value. In other words,
:
: K1 = HASH(K || H || X || session_id) (X is e.g. "A")
: K2 = HASH(K || H || K1)
: K3 = HASH(K || H || K1 || K2)
: ...
: key = K1 || K2 || K3 || ...
Here, K is the secret being stretched, and H is an "exchange hash"
that can probably be ignored in this context. The X is different for
the keys that are generated from the same secret.
I haven't tried to analyze this. Of course, I'm interested in any
weaknesses in it. I haven't seen much public analysis of the ssh-2
protocols.
/Niels
