[147638] in cryptography@c2.net mail archive


Re: [Cryptography] Key stretching

daemon@ATHENA.MIT.EDU (John Kelsey)
Fri Oct 11 17:53:43 2013

X-Original-To: cryptography@metzdowd.com
In-Reply-To: <CAMm+LwiptxOdkkbdCQR+tK41bKjvnBUe48dfYeg1210d2uhtsQ@mail.gmail.com>
From: John Kelsey <crypto.jmk@gmail.com>
Date: Fri, 11 Oct 2013 15:30:04 -0400
To: Phillip Hallam-Baker <hallam@gmail.com>
Cc: "cryptography@metzdowd.com" <cryptography@metzdowd.com>
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com


AES128, rather.

Sent from my iPhone

On Oct 11, 2013, at 11:26 AM, Phillip Hallam-Baker <hallam@gmail.com> wrote:

> All,
>
> Quick question, anyone got a good scheme for key stretching?
>
> I have this scheme for managing private keys that involves storing them as encrypted PKCS#8 blobs in the cloud.
>
> AES128 seems a little on the weak side for this but there are (rare) circumstances where a user is going to need to type in the key for recovery purposes so I don't want more than 128 bits of key to type in (I am betting that 128 bits is going to be sufficient to the end of Moore's law).
>
>
> So the answer is to use AES 256 and stretch the key, but how? I could just repeat the key:
>
> K = k + k
>
> Related key attacks make me a little nervous though. Maybe:
>
> K = (k + 01234567) XOR SHA512 (k)
>
>
> --
> Website: http://hallambaker.com/
> _______________________________________________
> The cryptography mailing list
> cryptography@metzdowd.com
> http://www.metzdowd.com/mailman/listinfo/cryptography
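
An added example, not part of either message in this thread: it implements the `K = k + k` construction from the quoted question next to a hash-based expansion using HKDF-SHA256 (RFC 5869), which is a standard KDF swapped in here and not a scheme anyone in the thread proposed. The `INFO` label and the sample key are constructed for illustration; in both cases the 256-bit result still carries only the 128 bits of entropy in `k`.

```python
import hashlib
import hmac

# Hypothetical context label for domain separation (not from the thread).
INFO = b"example: pkcs8-wrap aes-256 key"

def repeat_key(k: bytes) -> bytes:
    """K = k || k, the first construction in the quoted question."""
    if len(k) != 16:
        raise ValueError("expected a 128-bit key")
    return k + k

def hkdf_sha256(ikm: bytes, info: bytes, length: int = 32, salt: bytes = b"") -> bytes:
    """HKDF (RFC 5869) over HMAC-SHA256: extract a PRK, then expand it."""
    if not 0 < length <= 255 * 32:
        raise ValueError("length out of range for HKDF-SHA256")
    prk = hmac.new(salt or b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def expand_key(k: bytes) -> bytes:
    """Derive a 256-bit AES key from a 128-bit secret; entropy stays 128 bits."""
    if len(k) != 16:
        raise ValueError("expected a 128-bit key")
    return hkdf_sha256(k, INFO)

def flip_bit(k: bytes, bit: int) -> bytes:
    """Return k with a single bit inverted."""
    out = bytearray(k)
    out[bit // 8] ^= 1 << (bit % 8)
    return bytes(out)

def bit_diff(a: bytes, b: bytes) -> int:
    """Hamming distance between two equal-length byte strings."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))

def compare(k: bytes, bit: int = 0) -> dict:
    """Bits that change in the 256-bit key when one bit of k is flipped."""
    k2 = flip_bit(k, bit)
    return {"repeat": bit_diff(repeat_key(k), repeat_key(k2)),
            "hkdf": bit_diff(expand_key(k), expand_key(k2))}

if __name__ == "__main__":
    sample = bytes(range(16))  # constructed sample key, not a real secret
    print(compare(sample))
```

With `k || k`, a one-bit difference between two secrets appears as exactly two bit differences at predictable positions in `K`, which is the related-key structure the question worries about; with the hash-based derivation about half of the output bits change.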
