At 10:34 2005-06-14 -0700, Eric Rescorla wrote:
> Hash-based constructions are the standard here, but I'm generally leery of using a pure hash. Probably the best basic function is to use HMAC(P,L_i) or perhaps HMAC(H(P),L_i), since HMAC wasn't designed to be used with non-random key values. You'd need someone with a better understanding of hash functions than I have to tell you which one of these is better.
You know, the proof that HMAC is a good MAC requires that the *compression function* of the underlying hash is good. And for almost all applications like this one, both the input password and the sequence number, tag name, or whatever the second input is, all fit into a single compression function block. So you already get exactly what you need from the hash function, without needing the extra layer or two. They can't hurt much(*), but they don't actually help either.
(*) actually each layer reduces the space of output keys slightly; not enough to matter in practice, but it is actually infinitesimally worse than just doing the hash.
Greg.

Greg Rose
Qualcomm Incorporated
INTERNET: [EMAIL PROTECTED]
VOICE: +1-858-651-5733  FAX: +1-858-651-5766
5775 Morehouse Drive, San Diego, CA 92121
http://people.qualcomm.com/ggr/
232B EC8F 44C6 C853 D68F E107 E6BF CD2F 1081 A37C
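Added example, not part of the original e-mail: the three constructions discussed above, H(P,L_i), HMAC(P,L_i) and HMAC(H(P),L_i), with a count of the compression-function calls each one makes, so the single-block argument can be checked for a given password and label. Assumptions: SHA-256 stands in for the hash (it has the same 64-byte block as SHA-1 and MD5), the one-byte length prefix in `encode` is a hypothetical encoding, and all function names are illustrative.

```python
import hashlib
import hmac

BLOCK = 64        # block size in bytes of SHA-256 (also of SHA-1 and MD5)
PAD_OVERHEAD = 9  # mandatory padding: one 0x80 byte plus 8-byte length field

def blocks(msg_len: int) -> int:
    """Compression-function calls needed to hash msg_len bytes."""
    return (msg_len + PAD_OVERHEAD + BLOCK - 1) // BLOCK

def encode(password: bytes, label: bytes) -> bytes:
    # Assumed encoding: a one-byte length prefix keeps (P, L) unambiguous.
    if len(password) > 255:
        raise ValueError("password too long for one-byte length prefix")
    return bytes([len(password)]) + password + label

def derive_hash(password: bytes, label: bytes) -> bytes:
    return hashlib.sha256(encode(password, label)).digest()

def hmac_by_hand(key: bytes, msg: bytes) -> bytes:
    """HMAC-SHA256 written out so the two extra hash layers are visible."""
    if len(key) > BLOCK:
        key = hashlib.sha256(key).digest()
    key = key.ljust(BLOCK, b"\x00")
    inner = hashlib.sha256(bytes(b ^ 0x36 for b in key) + msg).digest()
    return hashlib.sha256(bytes(b ^ 0x5C for b in key) + inner).digest()

def derive_hmac(password: bytes, label: bytes) -> bytes:
    return hmac_by_hand(password, label)

def derive_hmac_hashed(password: bytes, label: bytes) -> bytes:
    return hmac_by_hand(hashlib.sha256(password).digest(), label)

def cost(password: bytes, label: bytes) -> dict:
    """Compression calls per derived key for each construction."""
    long_key = blocks(len(password)) if len(password) > BLOCK else 0
    mac = blocks(BLOCK + len(label)) + blocks(BLOCK + 32)  # inner + outer
    return {
        "hash": blocks(len(encode(password, label))),
        "hmac": long_key + mac,
        "hmac_hashed": blocks(len(password)) + mac,
    }

if __name__ == "__main__":
    p, l = b"correct horse battery", b"example.com"  # constructed sample input
    print(cost(p, l))
```

Any password and label totalling at most 54 bytes (55 minus the length prefix) keep the plain hash to a single compression call.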