>PBKDF2 (HMAC iterated, with all of the iterates XORed together.) from
>RFC2898, PKCS #5: Password-Based Cryptography Specification Version 2.0.
>Use #4.
It's really all of them, since an iterated KDF is also a standard KDF when
iterations = 1.
Correct. You can replace password with any initial keying material but then you end up keying the HMAC of PBKDF2 with this non-uniform keying material (say a 160-bit entropy 2040 DH value or a very non-uniform string of 2 Kbytes). Is that good?
The mathematically correct way is to first apply the extractor to that key material and then use it as a key.
If people think it would be useful, we could add to the draft a section on passwords that will add a "slowing down" module to the KDF, either between the extract and expansion or as a replacement of the extract, but only for the password case.
[....]
Security analyses? Do we do those?
Yes, we (sometimes) do!
(that is why we are having this discussion)
(The only ones I know of are for PBKDF2 and HKDF, although I haven't looked at
every available document on the PRFs. For most that I've seen it's just
security by executive fiat).
executive fiat is dead, long live formal analysis ;-)
Hugo
Peter.
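The two constructions contrasted in this thread, side by side, as an added example that is not code from either participant or from the draft: PBKDF2 keyed directly with the input keying material, and extract-then-expand per RFC 5869 with an optional slow-down step between the two stages. The function names are hypothetical, and the choice of PBKDF2 keyed with the extracted PRK as the slow-down step is an assumption, since the thread only says such a module could sit between extract and expansion.

```python
import hashlib
import hmac

HASH_LEN = hashlib.sha256().digest_size  # 32 bytes for SHA-256


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 extract: the salt keys HMAC, the non-uniform IKM is the message."""
    return hmac.new(salt or bytes(HASH_LEN), ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 expand: the uniform PRK keys HMAC in feedback mode."""
    if length > 255 * HASH_LEN:
        raise ValueError("requested output too long")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def pbkdf2_direct(ikm: bytes, salt: bytes, iterations: int, length: int) -> bytes:
    """The construction questioned in the thread: the raw IKM keys HMAC directly."""
    return hashlib.pbkdf2_hmac("sha256", ikm, salt, iterations, length)


def extract_stretch_expand(ikm, salt, info, length, stretch_iterations=0):
    """Extract first, optionally slow down (password case only), then expand.

    Assumption: the stretch is PBKDF2 keyed with the PRK and reusing the salt.
    With stretch_iterations=0 this is plain HKDF.
    """
    prk = hkdf_extract(salt, ikm)
    if stretch_iterations:
        prk = hashlib.pbkdf2_hmac("sha256", prk, salt, stretch_iterations, HASH_LEN)
    return hkdf_expand(prk, info, length)


# Constructed sample input: a 255-byte (2040-bit) string with little variation,
# standing in for non-uniform keying material such as a DH shared value.
SAMPLE_IKM = bytes(235) + bytes(range(20))

if __name__ == "__main__":
    print(pbkdf2_direct(SAMPLE_IKM, b"salt", 1, 32).hex())
    print(extract_stretch_expand(SAMPLE_IKM, b"salt", b"session key", 32).hex())
```

With one iteration and a single output block, `pbkdf2_direct` reduces to one HMAC call keyed by the raw input, which is the "standard KDF when iterations = 1" case mentioned above.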