password based key-wrap (Re: The Crypto Gardening Guide and Planting Tips)

Anton Stiglic astiglic at
Fri Feb 7 09:22:45 PST 2003

----- Original Message -----
From: "Adam Back" <adam at>
To: "Peter Gutmann" <pgut001 at>
Cc: <cryptography at>; <cypherpunks at>; "Adam Back"
<adam at>
Sent: Thursday, February 06, 2003 8:07 PM
Subject: password based key-wrap (Re: The Crypto Gardening Guide and
Planting Tips)

> [...]
> Or is the problem that the above ensemble is ad-hoc (though using
> standardised constructs).  Or just that the ensemble is ad-hoc and so
> everyone will be forced to re-invent minor variations of it, with
> varying degrees of security.

One of the problems is exactly that.  There is no known proof of security
for PBKDF2 (it might be possible to come up with one, but to the best
of my knowledge nobody did so far).  Ironically, there are some proofs
of security for the older version of the same standard, PBKDF1 (which
was replaced by PBKDF2 only because the output of PBKDF1 was of
fixed length, so you couldn't derive much key material).  You can prove
some things about PBKDF1 relating to the fact that an adversary cannot
compute the result of PBKDF1 without having to compute a certain required
amount of hashes (this is the stretching part).  The details
of that are in the paper "Secure Applications of Low-Entropy
Keys" by Kelsey, Schneier, Hall and Wagner:

But I do think that PBKDF2 sounds reasonable, and I wouldn't be
surprised if we can prove something about it's security in some reasonable
model.  I would use PBKDF2 if I needed to wrap a session key
with only a password.

In general, the problems with existing proposed key derivation
functions is that they are all based on ad-hoc constructions.
There is a skunks work group trying to come up with a
proposal for a key derivation function which is based on some
provable secure results.


The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at

More information about the cypherpunks-legacy mailing list