Thanks for all the great replies. I guess I will have a closer look at
PKCS#5 and especially at PBKDF2. The book "Applied Cryptography" is
already ordered ;-)
The only fact I don't like is that if I use PBKDF2 and AES-256 to
encrypt an object and someone else codes a client which uses SHA-256 and
AES-256 he wouldn't be able to decrypt my object. I hoped to solve the
problem of interoperability while using a standard like AES but I didn't
include the problem of passwords in my model.
Nevertheless thanks for all the answers!
Best regards
Stefan
PS: Just in case someone misunderstood me, I won't code my own AES
implementation. I will use libraries like OpenSSL, GnuTLS ore whatever.
I'm not a cryptographer, I'm just a lazy programmer ;-)
On Mon, 2008-04-07 at 12:19 -0700, Roman H. wrote:
> Hi Stefan,
>
> It is a bad idea to directly use the bits from a password as an encryption
> key because there is insufficient entropy relative to the available key
> space (even with a so-called "strong" password). However, people still
> need to use passwords so there are some ways to generate a key from a
> password. Here's a little background on the subject:
>
> http://en.wikipedia.org/wiki/Key_derivation_function
> http://en.wikipedia.org/wiki/Key_strengthening
>
> Implementations of PKCS #5 are pretty popular for this. Here is the link
> to the standard, and some examples in Java, C#, and OpenSSL (there are
> many others, and take care when executing binaries that you download from
> random websites):
>
> http://www.rsa.com/rsalabs/node.asp?id=2127
> http://java.sun.com/j2se/1.5.0/docs/guide/security/jce/JCERefGuide.html#
ManagingParameters
> http://www.bouncycastle.org/docs/docs1.5/org/bouncycastle/crypto/PBEPara
metersGenerator.html
> http://www.jensign.com/JavaScience/dotnet/DeriveKeyM/index.html
> http://www.openssl.org/docs/crypto/EVP_BytesToKey.html
>
> For the curious, here's some interesting thoughts on PBKDF by a blogger:
> http://apocryph.org/how_much_strength_does_pkcs_5_passwordbased_key_deri
vation_pbkdf2_add_a_key
>
> Hope this helps,
>
> Roman Hustad
>
>
> --- Stefan Schulze Frielinghaus <stefan (at) seekline (dot) net [email concealed]> wrote:
>
> > Hello,
> >
> > often you find products which implement AES 256Bit encryption e.g. in
> > hard drive encryption, file encryption or whatever. The user specifies a
> > password/passphrase which is used for encryption.
> >
> > My actual question is what does the standard say to passwords which are
> > not exactly 256 Bit long? Often user passwords are 8 characters long
> > (which means an effective key size of 64 Bit). Or someone could have a
> > key file which is 300 Bit long. But AES with 256 Bit support would only
> > use 256 Bit of the 300 Bit. Or it has to calculate a 256 Bit key of the
> > 64 Bit material specified from the user.
> >
> > How to calculate a key of size 256 Bit which is standard compliant. Is
> > there even a library outside which does this for me (e.g. OpenSSL uses
> > MD5 digests sometimes)?
> >
> > I just want to develop an application where a user can specify a
> > password to encrypt something in AES 256 Bit. But the encryption library
> > I use forces me to specify a key with the exact 256 Bit. So I have to
> > calculate a key which is standard compliant.
> >
> > Does someone has an idea, hint?
> >
> > Best regards
> > Stefan
>
PKCS#5 and especially at PBKDF2. The book "Applied Cryptography" is
already ordered ;-)
The only fact I don't like is that if I use PBKDF2 and AES-256 to
encrypt an object and someone else codes a client which uses SHA-256 and
AES-256 he wouldn't be able to decrypt my object. I hoped to solve the
problem of interoperability while using a standard like AES but I didn't
include the problem of passwords in my model.
Nevertheless thanks for all the answers!
Best regards
Stefan
PS: Just in case someone misunderstood me, I won't code my own AES
implementation. I will use libraries like OpenSSL, GnuTLS ore whatever.
I'm not a cryptographer, I'm just a lazy programmer ;-)
On Mon, 2008-04-07 at 12:19 -0700, Roman H. wrote:
> Hi Stefan,
>
> It is a bad idea to directly use the bits from a password as an encryption
> key because there is insufficient entropy relative to the available key
> space (even with a so-called "strong" password). However, people still
> need to use passwords so there are some ways to generate a key from a
> password. Here's a little background on the subject:
>
> http://en.wikipedia.org/wiki/Key_derivation_function
> http://en.wikipedia.org/wiki/Key_strengthening
>
> Implementations of PKCS #5 are pretty popular for this. Here is the link
> to the standard, and some examples in Java, C#, and OpenSSL (there are
> many others, and take care when executing binaries that you download from
> random websites):
>
> http://www.rsa.com/rsalabs/node.asp?id=2127
> http://java.sun.com/j2se/1.5.0/docs/guide/security/jce/JCERefGuide.html#
ManagingParameters
> http://www.bouncycastle.org/docs/docs1.5/org/bouncycastle/crypto/PBEPara
metersGenerator.html
> http://www.jensign.com/JavaScience/dotnet/DeriveKeyM/index.html
> http://www.openssl.org/docs/crypto/EVP_BytesToKey.html
>
> For the curious, here's some interesting thoughts on PBKDF by a blogger:
> http://apocryph.org/how_much_strength_does_pkcs_5_passwordbased_key_deri
vation_pbkdf2_add_a_key
>
> Hope this helps,
>
> Roman Hustad
>
>
> --- Stefan Schulze Frielinghaus <stefan (at) seekline (dot) net [email concealed]> wrote:
>
> > Hello,
> >
> > often you find products which implement AES 256Bit encryption e.g. in
> > hard drive encryption, file encryption or whatever. The user specifies a
> > password/passphrase which is used for encryption.
> >
> > My actual question is what does the standard say to passwords which are
> > not exactly 256 Bit long? Often user passwords are 8 characters long
> > (which means an effective key size of 64 Bit). Or someone could have a
> > key file which is 300 Bit long. But AES with 256 Bit support would only
> > use 256 Bit of the 300 Bit. Or it has to calculate a 256 Bit key of the
> > 64 Bit material specified from the user.
> >
> > How to calculate a key of size 256 Bit which is standard compliant. Is
> > there even a library outside which does this for me (e.g. OpenSSL uses
> > MD5 digests sometimes)?
> >
> > I just want to develop an application where a user can specify a
> > password to encrypt something in AES 256 Bit. But the encryption library
> > I use forces me to specify a key with the exact 256 Bit. So I have to
> > calculate a key which is standard compliant.
> >
> > Does someone has an idea, hint?
> >
> > Best regards
> > Stefan
>
[ reply ]