I'm looking into how passwords should be transferred into keys for the loopback filesystem in Linux. Currently, what happens is that you take the SHA or RIPEMD-160 hash of the password string and use that as a key. If the cipher only uses a 128-bit key, the last 32 bits of the hash is unused. I have some questions about this scheme: o In the case of a 128-bit cipher, do I lose any information by not using the last 32 bits of information? Should the last 32 bits be xored with the first 128 in order to not lose any info? o Is there any advantage to _not_ using a 256-bit hash function? (i.e - use a 128-bit hash for 128-bit ciphers). Currently there are lots of AES ciphers that don't get fed a 256-bit key because we only have a 160-bit hash. o Is there a good 256-bit hash function? I don't know of any other than snefru. In this application, speed doesn't matter much. Should I use a 256-bit cipher instead maybe? o Is it safe to always take the hash of the password, or is it better to use the password directly as the key if it is less than 16 characters for 128-bit cipher? astor -- Alexander Kjeldaas, Guardian Networks AS, Trondheim, Norway http://www.guardian.no/