Re: [Cfrg] AES-based PRF - comment please
This has become somewhat of a popular topic, particularly since Peter
Gutmann's "Crypto Gardening Guide". In that, Peter argued for more
versatile PRFs that could be adapted to a wide variety of situations.
He talked about things like iteration counts, etc.

I'd actually like to know why PKCS #5's PBKDF2 isn't sufficient for
Peter's needs, because I have found it useful for all of mine. It's
also very easy to adapt to use with AES.

The standard implementation for PBKDF2 that I've seen uses HMAC-SHA1
internally. One can replace that with OMAC, with one issue. The way
HMAC-SHA1 is used relies on the fact that it can accept arbitrary-sized
keys, whereas OMAC requires a fixed-size key. The easiest way to
handle that problem is by using a hash function based on a block cipher
like Davies-Meyer, but, IIRC, the proofs for those constructions are in
the ideal cipher model.

I think you could probably avoid the hash-from-cipher construction by
keying with the first keylen bytes, and then taking the rest (if any)
and prepending "len(key) || key leftovers" to the MAC input. But I
haven't given it much thought, and there may be something disastrously
wrong with that.

I've got code lying around implementing PBKDF2 with Davies-Meyer and
OMAC that I'd be happy to share for anyone who's interested.

John
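As an added worked example (this is not John's code and not part of the original message), here is PBKDF2 with its PRF swapped from HMAC-SHA1 to AES-CMAC (OMAC1, RFC 4493), with the fixed-key-size problem handled the way the message describes: the arbitrary-length password is first folded into a single 16-byte AES key by a Davies-Meyer iteration over AES-128, and that key drives CMAC inside the PBKDF2 loop. The function names, the zero IV and padding layout in `dmHash`, and the sample password and salt are this example's own choices; as the message notes, the security argument for a cipher-based hash like this lives in the ideal cipher model, so it is a demonstration of the construction, not a vetted replacement for a standard KDF.

```go
package main

import (
	"crypto/aes"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// xor returns a XOR b for equal-length slices.
func xor(a, b []byte) []byte {
	out := make([]byte, len(a))
	for i := range a {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// dbl multiplies a 128-bit block by x in GF(2^128): the CMAC subkey step.
func dbl(in []byte) []byte {
	out := make([]byte, 16)
	var carry byte
	for i := 15; i >= 0; i-- {
		out[i] = in[i]<<1 | carry
		carry = in[i] >> 7
	}
	out[15] ^= 0x87 & -carry // branch-free reduction by the field polynomial
	return out
}

// aesCMAC is OMAC1/CMAC (RFC 4493) over msg; the key must be exactly 16 bytes,
// which is the fixed-key-size limitation the message describes.
func aesCMAC(key, msg []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	l := make([]byte, 16)
	block.Encrypt(l, l) // L = E_K(0^128)
	k1, k2 := dbl(l), dbl(dbl(l))
	n := (len(msg) + 15) / 16
	if n == 0 {
		n = 1 // an empty message is still one padded block
	}
	last := make([]byte, 16)
	rem := copy(last, msg[(n-1)*16:])
	if rem == 16 {
		last = xor(last, k1) // complete final block
	} else {
		last[rem] = 0x80 // 10* padding of a partial final block
		last = xor(last, k2)
	}
	x := make([]byte, 16)
	for i := 0; i < n-1; i++ {
		block.Encrypt(x, xor(x, msg[i*16:(i+1)*16]))
	}
	block.Encrypt(x, xor(x, last))
	return x
}

// dmHash folds an arbitrary-length password into one 16-byte AES key with a
// Davies-Meyer iteration over AES-128 (h = E_m(h) XOR h) plus length padding;
// the zero IV and the padding layout are this example's own choices.
func dmHash(msg []byte) []byte {
	padded := append(append([]byte{}, msg...), 0x80)
	for len(padded)%16 != 8 {
		padded = append(padded, 0)
	}
	padded = binary.BigEndian.AppendUint64(padded, uint64(len(msg))*8)
	h := make([]byte, 16)
	for i := 0; i < len(padded); i += 16 {
		block, _ := aes.NewCipher(padded[i : i+16]) // 16-byte key: always valid
		e := make([]byte, 16)
		block.Encrypt(e, h)
		h = xor(e, h)
	}
	return h
}

// pbkdf2 is RFC 2898 PBKDF2 with the PRF supplied by the caller.
func pbkdf2(prf func(key, data []byte) []byte, key, salt []byte, iters, dkLen int) []byte {
	var dk []byte
	for i := uint32(1); len(dk) < dkLen; i++ {
		u := prf(key, binary.BigEndian.AppendUint32(append([]byte{}, salt...), i))
		t := append([]byte{}, u...)
		for j := 1; j < iters; j++ {
			u = prf(key, u)
			t = xor(t, u)
		}
		dk = append(dk, t...)
	}
	return dk[:dkLen]
}

func main() {
	// Constructed sample password and salt; the password is folded by dmHash first.
	dk := pbkdf2(aesCMAC, dmHash([]byte("correct horse battery staple")), []byte("example-salt"), 4096, 32)
	fmt.Println(hex.EncodeToString(dk))
}
```

`aesCMAC` can be checked against the RFC 4493 test vectors before trusting the rest; `pbkdf2` is generic over the PRF, so the same loop works unchanged with an HMAC closure, which makes the OMAC swap a one-line change once the key-size question is settled.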
_______________________________________________
Cfrg mailing list
Cfrg@ietf.org
https://www1.ietf.org/mailman/listinfo/cfrg