At 12:31 AM +0100 7/18/2000, Paul Crowley wrote:
>A variant on this question that we might see for lots of questions
>soon: what's the best way to do this given only AES as a primitive?
>
>Here's a simple way that uses all of the passphrase to control a
>cryptographic PRNG that can be used to gene
A variant on this question that we might see for lots of questions
soon: what's the best way to do this given only AES as a primitive?
Here's a simple way that uses all of the passphrase to control a
cryptographic PRNG that can be used to generate keys or whatever: use
the passphrase as the key t
-BEGIN PGP SIGNED MESSAGE-
At 07:24 PM 6/27/00 +0100, Paul Crowley wrote:
>John Kelsey <[EMAIL PROTECTED]> writes:
...
>> A generalization of this idea is:
>>
>> S(K,len) is stream cipher output with key K and length of output
>> len. hash(X) is hash function output of same size as K. K
John Kelsey <[EMAIL PROTECTED]> writes:
> >If you don't mind the limitation of 1k of internal state, then
> >Panama could be used directly; push in your salt and passphrase,
> >padding to the edge of the block with one followed by zeroes, then
> >do 32 blank pulls and start pulling out your key.
-BEGIN PGP SIGNED MESSAGE-
At 08:48 AM 6/20/00 +0100, Paul Crowley wrote:
...
>If you don't mind the limitation of 1k of internal state, then
>Panama could be used directly; push in your salt and passphrase,
>padding to the edge of the block with one followed by zeroes, then
>do 32 blank
On Wed, Jun 21, 2000 at 12:19:50PM +0200, Niels Möller wrote:
> Bodo Moeller <[EMAIL PROTECTED]> writes:
>> On Tue, Jun 20, 2000 at 07:50:11PM +0200, Niels Möller wrote:
>>> That is specified in draft-ietf-secsh-transport-07.txt, the
>>> relevant section is
>>>
>>> : If the key length in longer
Bodo Moeller <[EMAIL PROTECTED]> writes:
> On Tue, Jun 20, 2000 at 07:50:11PM +0200, Niels Möller wrote:
>
> [...]
> > That is specified in draft-ietf-secsh-transport-07.txt, the
> > relevant section is
> >
> > : If the key length in longer than the output
> > : of the HASH, the key is extended
On Tue, Jun 20, 2000 at 07:50:11PM +0200, Niels Möller wrote:
[...]
> On the other hand, if you don't care about making the hashing
> artificially slow, but have a reasonable amount of entropy to start
> with and just want to stretch it, you may want to look at the way ssh2
> does that. (Say you
Ben Laurie <[EMAIL PROTECTED]> writes:
> OK, so if I've got a passphrase of arbitrary length, and I wish to
> condense it to make a key of length n bits (n > 160), what's the
> approved method(s) of doing that?
If you don't mind the limitation of 1k of internal state, then Panama
could be used di
Ben Laurie <[EMAIL PROTECTED]> writes:
> OK, so if I've got a passphrase of arbitrary length, and I wish to
> condense it to make a key of length n bits (n > 160), what's the
> approved method(s) of doing that?
If the input you start with is a typical passphrase (i.e. pretty
small entropy, say l
lcs Mixmaster Remailer wrote:
> Probably the best is to concatenate the output of multiple hashes. You
> could either use different ones like SHA and MD5, or you can get the
> effect of multiple hashes by just using SHA and putting a different
> constant prefix on the data for each instance. Us
On Tue, 20 Jun 2000, Ben Laurie wrote:
> Matt Blaze wrote:
> >
> > I should point out that this construction is not designed to obscure the
> > input from the output (especially under differential probing), only
> > to give you m output bits that depend (each in a different way) on
> > the ent
-BEGIN PGP SIGNED MESSAGE-
Ben Laurie wrote:
>
> OK, so if I've got a passphrase of arbitrary length, and I wish to
> condense it to make a key of length n bits (n > 160), what's the
> approved method(s) of doing that?
>
> I assume it goes without saying that we wish to preserve as much
Ben Laurie <[EMAIL PROTECTED]> writes:
>OK, so if I've got a passphrase of arbitrary length, and I wish to
>condense it to make a key of length n bits (n > 160), what's the
>approved method(s) of doing that?
PKCS #5 v2 probably contains the best key derivation mechanism, followed
closely by TLS,
> I'm not sure this is so good. In particular, it is entirely linear.
>
> The function f_{m,n} sending the one-bit input x to the one-bit output
> H(m|n|x) is always linear in its input (it always has the form f_{m,n}(x)
> = ax + b for appropriate a,b; the value of a,b depends on H,m,n but not
>
Matt Blaze wrote:
>
> I should point out that this construction is not designed to obscure the
> input from the output (especially under differential probing), only
> to give you m output bits that depend (each in a different way) on
> the entire input.
Perhaps I should add that as a requirement
Well, this is not intended as a general hash function - in particular, the
pattern of which input bits affect which output bits depends entirely on
the hash function and the bit position and not on the actual input. You
expect that flipping any one input bit will flip half the outputs, but
its al
> OK, so if I've got a passphrase of arbitrary length, and I wish to
> condense it to make a key of length n bits (n > 160), what's the
> approved method(s) of doing that?
>
> I assume it goes without saying that we wish to preserve as much entropy
> as we can, but I'll say it anyway.
I've thoug
Matt Blaze wrote:
>
> > OK, so if I've got a passphrase of arbitrary length, and I wish to
> > condense it to make a key of length n bits (n > 160), what's the
> > approved method(s) of doing that?
> >
> > I assume it goes without saying that we wish to preserve as much entropy
> > as we can, but
I should point out that this construction is not designed to obscure the
input from the output (especially under differential probing), only
to give you m output bits that depend (each in a different way) on
the entire input.
> > OK, so if I've got a passphrase of arbitrary length, and I wish to
OK, so if I've got a passphrase of arbitrary length, and I wish to
condense it to make a key of length n bits (n > 160), what's the
approved method(s) of doing that?
I assume it goes without saying that we wish to preserve as much entropy
as we can, but I'll say it anyway.
Cheers,
Ben.
--
http