Date: Tue, 5 Apr 2016 09:09:54 +0300
From: Aleksey Cherepanov <>
Subject: questions about pbkdf2's binary/ciphertext size

In pbkdf2_hmac_sha512_valid() in src/pbkdf2_hmac_common.c:

	len = strlen(ptr); // binary length
	if (len < PBKDF2_SHA512_BINARY_SIZE || len > PBKDF2_SHA512_MAX_BINARY_SIZE || len & 1)
		goto error;
	if (!ishex(ptr))
		goto error;

The first question: len is the length of the hexed binary, so according to
the code the given hash should not be shorter than half of the full hash.
Is that OK?

There is the following loop in pbkdf2_hmac_sha512_binary():
	for (i = 0; i < PBKDF2_SHA512_BINARY_SIZE && *p; i++) {
		out[i] =
			(atoi16[ARCH_INDEX(*p)] << 4) |
			atoi16[ARCH_INDEX(p[1])]; /* low nibble of this byte */
		p += 2;
	}

So, having half of the hash, we would read past the end. But
pbkdf2_hmac_sha512_cmp_exact() has a check for that.

The second question: pbkdf2's derived key is constructed from independent
digests and we may just check our result against the first/any one, so
longer derived keys do not improve security: they slow down the defensive
implementation, but they do not slow down the attacker, because the
attacker needs to compute only 1 digest. So are there real hashes longer
than 1 digest size?


Aleksey Cherepanov
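An added example, not code from the post or from John the Ripper, showing the point behind the second question and the half-hash case of the first: each PBKDF2 block T_i depends only on (P, S, c, i), so the verdict of a verifier that computes only T_1 matches a full comparison while costing c PRF calls however long the stored key is. Password, salt and iteration count are constructed sample values.

```python
import hashlib
import hmac

HLEN = 64  # SHA-512 output size: one PBKDF2 block T_i is exactly this long
calls = {"prf": 0}  # PRF-call counter to compare defender cost with attacker cost

def prf_sha512(key: bytes, msg: bytes) -> bytes:
    calls["prf"] += 1
    return hmac.new(key, msg, hashlib.sha512).digest()

def pbkdf2_block(password: bytes, salt: bytes, iterations: int, i: int) -> bytes:
    """Block i of PBKDF2 (RFC 8018, 5.2): T_i = U_1 ^ ... ^ U_c with
    U_1 = PRF(P, S || INT(i)), U_j = PRF(P, U_{j-1}).
    T_i depends only on (P, S, c, i), never on any other block."""
    u = prf_sha512(password, salt + i.to_bytes(4, "big"))
    t = bytearray(u)
    for _ in range(iterations - 1):
        u = prf_sha512(password, u)
        t = bytearray(a ^ b for a, b in zip(t, u))
    return bytes(t)

def derive(password: bytes, salt: bytes, iterations: int, dklen: int) -> bytes:
    """Full derived key: ceil(dklen / HLEN) independent blocks, concatenated."""
    nblocks = -(-dklen // HLEN)
    dk = b"".join(pbkdf2_block(password, salt, iterations, i) for i in range(1, nblocks + 1))
    return dk[:dklen]

def derive_matches_stdlib(password, salt, iterations, dklen) -> bool:
    """Cross-check the block construction against hashlib's PBKDF2."""
    return derive(password, salt, iterations, dklen) == hashlib.pbkdf2_hmac(
        "sha512", password, salt, iterations, dklen)

def verify_with_one_block(candidate: bytes, salt: bytes, iterations: int, stored_hex: str) -> bool:
    """Same verdict as comparing the whole derived key, but costs one block
    (c PRF calls) however long the stored value is. A stored value shorter
    than HLEN (the half-hash case) is compared only over the bytes present."""
    stored = bytes.fromhex(stored_hex)
    n = min(len(stored), HLEN)
    if n == 0:
        return False
    t1 = pbkdf2_block(candidate, salt, iterations, 1)
    return hmac.compare_digest(t1[:n], stored[:n])

def prf_calls_for(fn, *args) -> int:
    """Run fn(*args) and return how many PRF invocations it needed."""
    calls["prf"] = 0
    fn(*args)
    return calls["prf"]
```

With a 128-byte derived key, derive() costs 2c PRF calls while verify_with_one_block() costs c, which is the asymmetry the post describes; raising c, not dklen, is what adds cost for both sides.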
