----- Original Message -----
From: "Adam Back" <adam@cypherspace.org>
To: "Peter Gutmann" <pgut001@cs.auckland.ac.nz>
Cc: <cryptography@wasabisystems.com>; <cypherpunks@lne.com>; "Adam Back" <adam@cypherspace.org>
Sent: Thursday, February 06, 2003 8:07 PM
Subject: password based key-wrap (Re: The Crypto Gardening Guide and Planting Tips)
[...] Or is the problem that the above ensemble is ad-hoc (though using standardised constructs). Or just that the ensemble is ad-hoc and so everyone will be forced to re-invent minor variations of it, with varying degrees of security.
One of the problems is exactly that. There is no known proof of security for PBKDF2 (it might be possible to come up with one, but to the best of my knowledge nobody has done so so far). Ironically, there are some proofs of security for the older version of the same standard, PBKDF1 (which was replaced by PBKDF2 only because the output of PBKDF1 was of fixed length, so you couldn't derive much key material). You can prove some things about PBKDF1 relating to the fact that an adversary cannot compute the result of PBKDF1 without having to compute a certain required number of hashes (this is the stretching part). The details of that are in the paper "Secure Applications of Low-Entropy Keys" by Kelsey, Schneier, Hall and Wagner: http://www.counterpane.com/low-entropy.pdf

But I do think that PBKDF2 sounds reasonable, and I wouldn't be surprised if we can prove something about its security in some reasonable model. I would use PBKDF2 if I needed to wrap a session key with only a password.

In general, the problem with existing proposed key derivation functions is that they are all based on ad-hoc constructions. There is a skunkworks group trying to come up with a proposal for a key derivation function which is based on some provably secure results.

--Anton

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@wasabisystems.com
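Added example, not part of the thread and not code from either poster: PBKDF1 and PBKDF2 written out from PKCS #5 / RFC 2898 so the two points made above can be seen directly. PBKDF1 chains a single hash and can never return more than one digest's worth of key, which is the fixed-output-length limitation that led to its replacement; PBKDF2 derives HMAC output block by block, so it can produce a key-wrapping key plus whatever extra material a password-based key wrap needs. Each iteration in both costs the attacker one hash or one HMAC per password guess, which is the stretching property the Kelsey/Schneier/Hall/Wagner paper analyses. The passwords, salts and iteration counts are illustrative values chosen here, not values from the post; the hand-written PBKDF2 is cross-checked against Python's hashlib.pbkdf2_hmac.

```python
"""PBKDF1 vs PBKDF2 (RFC 2898), written out for comparison.

Added example; the constants below are illustrative and not from the thread.
"""
import hashlib
import hmac
import struct
import time


def pbkdf1(password: bytes, salt: bytes, iterations: int, dklen: int,
           hash_name: str = "sha1") -> bytes:
    """PBKDF1 (RFC 2898 s5.1): T_1 = H(P || S), T_i = H(T_{i-1}), DK = T_c[:dklen].

    Each iteration costs one hash, so every password guess costs c hashes
    (the stretching property).  The output can never exceed one digest,
    which is why PBKDF1 cannot supply much key material.
    """
    hlen = hashlib.new(hash_name).digest_size
    if iterations < 1:
        raise ValueError("iteration count must be at least 1")
    if dklen > hlen:
        raise ValueError(
            f"PBKDF1 with {hash_name} cannot derive more than {hlen} bytes")
    t = hashlib.new(hash_name, password + salt).digest()
    for _ in range(iterations - 1):
        t = hashlib.new(hash_name, t).digest()
    return t[:dklen]


def pbkdf2(password: bytes, salt: bytes, iterations: int, dklen: int,
           hash_name: str = "sha1") -> bytes:
    """PBKDF2 (RFC 2898 s5.2) with PRF = HMAC-<hash_name>.

    For block i: U_1 = PRF(P, S || INT_BE32(i)), U_j = PRF(P, U_{j-1}),
    T_i = U_1 xor ... xor U_c.  DK = T_1 || T_2 || ... truncated to dklen.
    Each block costs c PRF calls, so asking for more key costs more work too.
    """
    hlen = hashlib.new(hash_name).digest_size
    if iterations < 1:
        raise ValueError("iteration count must be at least 1")
    if dklen > (2 ** 32 - 1) * hlen:
        raise ValueError("derived key too long")
    out = bytearray()
    block_count = -(-dklen // hlen)  # ceil(dklen / hlen)
    for i in range(1, block_count + 1):
        u = hmac.new(password, salt + struct.pack(">I", i), hash_name).digest()
        t = u
        for _ in range(iterations - 1):
            u = hmac.new(password, u, hash_name).digest()
            t = bytes(a ^ b for a, b in zip(t, u))
        out += t
    return bytes(out[:dklen])


def matches_stdlib(password: bytes, salt: bytes, iterations: int, dklen: int,
                   hash_name: str = "sha1") -> bool:
    """Cross-check the hand-written PBKDF2 against hashlib.pbkdf2_hmac."""
    expected = hashlib.pbkdf2_hmac(hash_name, password, salt, iterations, dklen)
    return pbkdf2(password, salt, iterations, dklen, hash_name) == expected


def pbkdf1_can_derive(dklen: int, hash_name: str = "sha1") -> bool:
    """True if PBKDF1 over hash_name can produce dklen bytes at all."""
    return dklen <= hashlib.new(hash_name).digest_size


if __name__ == "__main__":
    password = b"password"           # illustrative
    salt = bytes(range(16))          # illustrative; in practice random per wrap
    # A 256-bit wrapping key plus a 128-bit IV is 48 bytes: beyond PBKDF1-SHA1.
    print("PBKDF1-SHA1 can give 48 bytes:", pbkdf1_can_derive(48))
    print("PBKDF2-HMAC-SHA1, 48 bytes:", pbkdf2(password, salt, 4096, 48).hex())
    # Stretching: cost per guess grows linearly with the iteration count.
    for c in (1000, 10000):
        start = time.perf_counter()
        pbkdf2(password, salt, c, 20)
        print(f"c={c:>6}: {time.perf_counter() - start:.3f}s per guess")
```

The iteration count is the only knob that makes a low-entropy password expensive to guess; the salt stops precomputation across users but adds no cost per guess. The 48-byte request is the case PBKDF1 cannot serve with SHA-1, while PBKDF2 simply computes a third block.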