
Date: Tue, 5 Apr 2016 09:09:54 +0300 From: Aleksey Cherepanov <lyosha@...nwall.com> To: johndev@...ts.openwall.com Subject: questions about pbkdf2's binary/ciphertext size In pbkdf2_hmac_sha512_valid() in src/pbkdf2_hmac_common.c: len = strlen(ptr); // binary length if (len < PBKDF2_SHA512_BINARY_SIZE  len > PBKDF2_SHA512_MAX_BINARY_SIZE  len & 1) goto error; if (!ishex(ptr)) goto error; The first question: len is the length of hexed binary, so the given hash should not be shorter than half of full hash according to the code, is it ok? There is the following loop in pbkdf2_hmac_sha512_binary(): for (i = 0; i < PBKDF2_SHA512_BINARY_SIZE && *p; i++) { out[i] = (atoi16[ARCH_INDEX(*p)] << 4)  atoi16[ARCH_INDEX(p[1])]; p += 2; } So having half of hash, we would read after the end. But pbkdf2_hmac_sha512_cmp_exact() has a check for that. The second question: pbkdf2's derived key is constructed independent digests and we may just check our result against first/any, so longer derived keys does not improve security: they slowdown defensive implementation, but they do not slowdown attacker, because attacker needs to compute only 1 digest. So are there real hashes longer than 1 digest size? Thanks!  Regards, Aleksey Cherepanov
Powered by blists  more mailing lists