Discussion:
derive key from password
machiel
2005-05-11 11:42:26 UTC
If one derives a key from a password (among other elements) what is
accepted cryptographic procedure in terms of security?

1. Can we re-use this key more than once for ciphering data without
the risk of extraction/deduction of the password by comparing the
various resulting ciphered data sets?

2. Should we add some random element (salt) to the password and derive
a new key again every time we cipher data? This way it would be harder
(impossible?) to deduce the password from the set of ciphered data.

Of course, when using a cryptographic hardware module, option 2 might
be more time consuming (one has to derive the key every time before
ciphering data) which is why it might be important to forget about the
random salt part and just use the same key again and again.
Any help will be appreciated. (Answers can be sent to my mail address
as well.)

Machiel
Joseph Ashwood
2005-05-15 18:03:04 UTC
Post by machiel
If one derives a key from a password (among other elements) what is
accepted cryptographic procedure in terms of security?
1. Can we re-use this key more than once for ciphering data without
the risk of extraction/deduction of the password by comparing the
various resulting ciphered data sets?
2. Should we add some random element (salt) to the password and derive
a new key again every time we cipher data? This way it would be harder
(impossible?) to deduce the password from the set of ciphered data.
There are a huge number of answers depending on your meaning of "accepted."
The only generally accepted way I know of is to use hardware to protect a
certificate and use TLS with client-auth, but even then you have potential
for it to be unacceptable based on evidence like "SSL Considered Harmful"
(http://iang.org/ssl/). As far as something that is probably reasonably
acceptable under a wide range of potentially viable situations, I'd suggest
using a passphrase (password = bad, passphrase = not as bad) to encrypt a
private key stored on the local system, then use the public key pair to
perform the key derivation. This may however not suit your needs, but I'm
quite certain that there are any number of people here (myself included)
that can come up with several dozen good alternatives each and every hour
for the next week to suit any situation.
Joe
t***@sci.crypt.research
2005-06-28 06:24:25 UTC
Post by Joseph Ashwood
Post by machiel
If one derives a key from a password (among other elements) what is
accepted cryptographic procedure in terms of security?
1. Can we re-use this key more than once for ciphering data without
the risk of extraction/deduction of the password by comparing the
various resulting ciphered data sets?
2. Should we add some random element (salt) to the password and derive
a new key again every time we cipher data? This way it would be harder
(impossible?) to deduce the password from the set of ciphered data.
There are a huge number of answers depending on your meaning of "accepted."
The only generally accepted way I know of is to use hardware to protect a
certificate and use TLS with client-auth, but even then you have potential
for it to be unacceptable based on evidence like "SSL Considered Harmful"
(http://iang.org/ssl/). As far as something that is probably reasonably
acceptable under a wide range of potentially viable situations, I'd suggest
using a passphrase (password = bad, passphrase = not as bad) to encrypt a
private key stored on the local system, then use the public key pair to
perform the key derivation. This may however not suit your needs, but I'm
quite certain that there are any number of people here (myself included)
that can come up with several dozen good alternatives each and every hour
for the next week to suit any situation.
Joe
Let's do the math, "several dozen good alternatives
each and every hour for the next week" is 3 * 12 * 24 * 7
which is equal to 6048.

Please start posting these 6000 alternatives, or admit that
you have a tendency toward exaggeration. Thanks.

On a related note, has anybody noticed that the moderator
of this newsgroup frequently deletes valid articles?

John E. Hadstate
2005-05-26 13:54:58 UTC
Post by machiel
If one derives a key from a password (among other elements) what is
accepted cryptographic procedure in terms of security?
PKCS#5 (Version 2) represents a de facto standard for
Password-Based Encryption (PBE). For another method that
has not been vetted by "experts" but which seems
self-evidently secure, consider this approach:

http://bellsouthpwp.net/j/h/jhadstat/PBE/pbe.html
Post by machiel
1. Can we re-use this key more than once for ciphering data without
the risk of extraction/deduction of the password by comparing the
various resulting ciphered data sets?
Yes, because the actual key is derived from a complex
function of the password and a random number that changes
with each message.
Post by machiel
2. Should we add some random element (salt) to the password and derive
a new key again every time we cipher data? This way it would be harder
(impossible?) to deduce the password from the set of ciphered data.
Yes.
Post by machiel
Of course, when using a cryptographic hardware module, option 2 might
be more time consuming (one has to derive the key every time before
ciphering data) which is why it might be important to forget about the
random salt part and just use the same key again and again.
Any help will be appreciated. (Answers can be sent to my mail address
as well.)
Machiel
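The PKCS#5 v2 (PBKDF2) approach with a fresh random salt per message, as John describes it, worked through as an added example (not code from the thread or from the linked page). It assumes PBKDF2-HMAC-SHA256 from Python's standard library; the iteration count, salt length and the HMAC-counter keystream used in place of a block cipher are this example's own choices, made so the block runs with no third-party dependency.

```python
import hashlib
import hmac
import os
import struct

# Added example; parameters below are choices for illustration, not from the thread.
ITERATIONS = 100_000   # PBKDF2 work factor against password guessing
SALT_LEN = 16          # 128-bit random salt, fresh for every message
TAG_LEN = 32           # HMAC-SHA256 tag length


def derive_keys(password, salt, iterations=ITERATIONS):
    """PKCS#5 v2 PBKDF2-HMAC-SHA256: 64 bytes split into an encryption key and a MAC key.
    Same password + same salt -> same keys; a different salt -> unrelated keys."""
    okm = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=64)
    return okm[:32], okm[32:]


def keystream(key, length):
    """HMAC-SHA256 in counter mode, used here only as a stand-in PRF stream;
    a production system would use an AEAD cipher such as AES-GCM instead."""
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(key, struct.pack(">Q", ctr), "sha256").digest()
        ctr += 1
    return out[:length]


def protect(password, plaintext, salt=None):
    """Returns iterations || salt || ciphertext || tag.
    Salt and iteration count are public: they only make each message's key unique."""
    salt = salt if salt is not None else os.urandom(SALT_LEN)
    enc_key, mac_key = derive_keys(password, salt)
    ct = bytes(p ^ k for p, k in zip(plaintext, keystream(enc_key, len(plaintext))))
    header = struct.pack(">I", ITERATIONS) + salt
    tag = hmac.new(mac_key, header + ct, "sha256").digest()   # encrypt-then-MAC
    return header + ct + tag


def unprotect(password, blob):
    """Re-derives the keys from the stored salt; returns None on a wrong
    password or on any tampering with the header or ciphertext."""
    (iterations,) = struct.unpack(">I", blob[:4])
    salt = blob[4:4 + SALT_LEN]
    ct, tag = blob[4 + SALT_LEN:-TAG_LEN], blob[-TAG_LEN:]
    enc_key, mac_key = derive_keys(password, salt, iterations)
    expected = hmac.new(mac_key, blob[:-TAG_LEN], "sha256").digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(ct, keystream(enc_key, len(ct))))
```

Encrypting the same plaintext twice under the same password yields different salts, hence different keys and unrelated ciphertexts, which is exactly what question 1 in the thread is worried about.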