I suppose I should also have noted that the master key going into KDF2 would be derived with PBKDF2 from a password if this is a password-derived set of keys, to get the extra features of a salt and iterator to slow down brute force.

Adam

On Tue, Jun 14, 2005 at 04:21:39AM -0400, Adam Back wrote:
> The non-banking version of this is the KDF2 function in IEEE1363a.
>
> Same deal:
>
> void KDF2( const void* Z, int, const void* P, int, void* K, int );
>
> Z = master-key, P = permuter, K = derived key
>
> each is variable sized.  (Sorry I implemented the source for someone
> who has the copyright or you could have that).  It's very simple to
> implement however:
>
> key = SHA1( Z || 0 || P ) || SHA1( Z || 1 || P ) ...
>
> for as many bytes as you need.  So I would e.g. use P = "AES" and P =
> "HMACS" to derive two different keys.  Looks like KDF2 has the same
> problem John mentioned, so don't do that (let attacker choose P).

---------------------------------------------------------------------
The Cryptography Mailing List
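
The two-stage derivation described in this message, as an added example that is not part of the original post or of the implementation it mentions: PBKDF2 turns the password into the master key Z, then the quoted KDF2 formula derives one key per fixed label P. The 4-byte big-endian counter starting at 0, the label table, the default iteration count and the sample salt are assumptions of this example.

```python
import hashlib

# Fixed purpose labels (the P input). Callers pick a name from this table;
# P is never taken from untrusted input.
LABELS = {"encrypt": b"AES", "mac": b"HMACS"}


def kdf2_sha1(z: bytes, p: bytes, length: int) -> bytes:
    """key = SHA1(Z || 0 || P) || SHA1(Z || 1 || P) ..., cut to `length` bytes.

    Assumption: the counter is a 4-byte big-endian integer starting at 0.
    """
    if not z or length <= 0:
        raise ValueError("need a non-empty master key and a positive length")
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha1(z + counter.to_bytes(4, "big") + p).digest()
        counter += 1
    return bytes(out[:length])


def master_from_password(password: str, salt: bytes, iterations: int) -> bytes:
    """Slow, salted step: PBKDF2-HMAC-SHA1 turns the password into Z."""
    return hashlib.pbkdf2_hmac(
        "sha1", password.encode("utf-8"), salt, iterations, dklen=20
    )


def derive_keys(password: str, salt: bytes, iterations: int = 200_000) -> dict:
    """One PBKDF2 run, then one cheap KDF2 call per purpose."""
    z = master_from_password(password, salt, iterations)
    return {
        "encrypt": kdf2_sha1(z, LABELS["encrypt"], 16),  # AES-128 key
        "mac": kdf2_sha1(z, LABELS["mac"], 32),          # spans two SHA-1 blocks
    }


if __name__ == "__main__":
    salt = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed sample
    keys = derive_keys("correct horse battery staple", salt, iterations=1000)
    for name, key in keys.items():
        print(name, key.hex())
```

The salt and iteration count only affect the PBKDF2 stage; a brute-force guesser pays that cost once per password guess, while deriving each additional labelled key from Z costs one or two SHA-1 calls.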