At 12:31 AM +0100 7/18/2000, Paul Crowley wrote:
>A variant on this question that we might see for lots of questions
>soon: what's the best way to do this given only AES as a primitive?
>
>Here's a simple way that uses all of the passphrase to control a
>cryptographic PRNG that can be used to generate keys or whatever: use
>the passphrase as the key to the block cipher, and run it in counter
>mode.
>
>If the passphrase is less than 256 bits (32 characters), this works
>directly. If it's less than 64 characters, use Triple-AES. In
>general, I assume that to use a key n times longer than the native key
>length of the block cipher, you need to run it in 2n-1 mode; I'm
>pretty sure this is so if the meet-in-the-middle attack is the only
>one you have to worry about. Append a 1 bit to the passphrase, then
>fill to the next key boundary with zeroes as usual.
>
>This takes O(mn) time, where n is the passphrase length and m is the
>number of key bits you need. I suspect any good solution will have
>this property. Still, you only have to keyschedule n times and things
>should be pretty fast after that.
>
>Any thoughts on the security or efficiency of this proposal?
>--
I don't understand how a meet-in-the-middle attack applies to
passphrase entropy extraction. Longer running time may be desirable
from a key stretching perspective, but I don't see a security
requirement. Am I missing something?
Arnold Reinhold
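The construction Paul sketches above (passphrase padded with a 1 bit and zeros to the next AES-256 key boundary, split into n keys, run as a 2n-1 layer cipher in counter mode to produce key material), written out as an added example in Go; it is not code from either poster. It assumes a byte-aligned passphrase so the "1 bit" is the byte 0x80, that the 2n-1 chain uses the keys in the mirrored order K1..Kn..K1 with alternating encrypt/decrypt layers (so n=2 is the usual two-key EDE Triple-AES, which is the only case the post names), and a 128-bit big-endian counter starting at zero. ChainDepth and DeriveKeyBytes are names chosen here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

const keyLen = 32 // AES-256 key size in bytes: one "key boundary" in the post

// padPassphrase appends a single 1 bit (0x80, assuming byte-aligned input)
// and then zero bytes up to the next multiple of keyLen.
func padPassphrase(pass []byte) []byte {
	out := append([]byte{}, pass...)
	out = append(out, 0x80)
	for len(out)%keyLen != 0 {
		out = append(out, 0)
	}
	return out
}

// stage is one block-cipher layer in the (2n-1)-fold chain.
type stage struct {
	block   cipher.Block
	encrypt bool
}

// buildChain splits the padded passphrase into n AES-256 keys and builds a
// 2n-1 layer chain. The mirrored key order K1..Kn..K1 and the alternating
// encrypt/decrypt pattern are this example's assumption; the post only says
// "2n-1 mode" and names Triple-AES for n=2.
func buildChain(padded []byte) ([]stage, error) {
	n := len(padded) / keyLen
	keys := make([][]byte, n)
	for i := range keys {
		keys[i] = padded[i*keyLen : (i+1)*keyLen]
	}
	chain := make([]stage, 0, 2*n-1)
	for j := 0; j < 2*n-1; j++ {
		idx := j
		if j >= n {
			idx = 2*n - 2 - j // walk back down: ..., K(n-1), ..., K1
		}
		b, err := aes.NewCipher(keys[idx])
		if err != nil {
			return nil, err
		}
		chain = append(chain, stage{block: b, encrypt: j%2 == 0})
	}
	return chain, nil
}

// applyChain runs one 16-byte block through every layer in order.
func applyChain(chain []stage, block []byte) []byte {
	buf := make([]byte, aes.BlockSize)
	copy(buf, block)
	for _, s := range chain {
		if s.encrypt {
			s.block.Encrypt(buf, buf)
		} else {
			s.block.Decrypt(buf, buf)
		}
	}
	return buf
}

// DeriveKeyBytes produces m bytes of key material by running the chain in
// counter mode: output block i is the chain applied to the 128-bit
// big-endian counter i, starting at zero.
func DeriveKeyBytes(passphrase []byte, m int) ([]byte, error) {
	chain, err := buildChain(padPassphrase(passphrase))
	if err != nil {
		return nil, err
	}
	out := make([]byte, 0, m+aes.BlockSize)
	ctr := make([]byte, aes.BlockSize)
	for i := uint64(0); len(out) < m; i++ {
		binary.BigEndian.PutUint64(ctr[8:], i)
		out = append(out, applyChain(chain, ctr)...)
	}
	return out[:m], nil
}

// ChainDepth reports how many cipher layers a passphrase needs (1, 3, 5, ...).
func ChainDepth(passphrase []byte) int {
	return 2*(len(padPassphrase(passphrase))/keyLen) - 1
}

func main() {
	// Constructed sample passphrases: 28 bytes (one key) and 49 bytes (two keys).
	short := []byte("correct horse battery staple")
	long := []byte("a much longer passphrase, well over 32 characters")
	for _, p := range [][]byte{short, long} {
		k, err := DeriveKeyBytes(p, 32)
		if err != nil {
			panic(err)
		}
		fmt.Printf("depth=%d key=%s\n", ChainDepth(p), hex.EncodeToString(k))
	}
}
```

For a passphrase of up to 31 bytes the chain is a single AES-256 layer, so the output is exactly AES-256-CTR keystream under the padded key with a zero counter; a 32-byte passphrase already spills over the boundary because of the appended 1 bit and therefore gets the three-layer form. The running time grows with the number of layers, which is the O(mn) behaviour Paul notes and the point Arnold questions: the extra layers cost time but it is not obvious what attack they prevent when the input is a passphrase rather than a uniformly random key.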