
List:       john-dev
Subject:    [john-dev] questions about pbkdf2's binary/ciphertext size
From:       Aleksey Cherepanov <lyosha () openwall ! com>
Date:       2016-04-05 6:09:54
Message-ID: 20160405060954.GA12460 () openwall ! com

In pbkdf2_hmac_sha512_valid() in src/pbkdf2_hmac_common.c:

	len = strlen(ptr); // binary length
	if (len < PBKDF2_SHA512_BINARY_SIZE || len > PBKDF2_SHA512_MAX_BINARY_SIZE || len & 1)
		goto error;
	if (!ishex(ptr))
		goto error;

The first question: len is the length of hexed binary, so the given
hash should not be shorter than half of full hash according to the
code, is it ok?

There is the following loop in pbkdf2_hmac_sha512_binary():
	for (i = 0; i < PBKDF2_SHA512_BINARY_SIZE && *p; i++) {
		out[i] =
			(atoi16[ARCH_INDEX(*p)] << 4) |
			atoi16[ARCH_INDEX(p[1])];
		p += 2;
	}

So having half of hash, we would read after the end. But
pbkdf2_hmac_sha512_cmp_exact() has a check for that.


The second question: pbkdf2's derived key is constructed from independent
digests and we may just check our result against the first/any, so longer
derived keys do not improve security: they slow down the defensive
implementation, but they do not slow down the attacker, because the attacker
needs to compute only 1 digest. So are there real hashes longer than 1
digest size?

Thanks!

-- 
Regards,
Aleksey Cherepanov
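
The block independence raised in the second question, as an added example that is not part of the original message or of John the Ripper's code: each 64-byte block of a PBKDF2-HMAC-SHA512 key is computed on its own, so a candidate can be tested against a longer (or truncated) stored key with one block of work. The function names, password, salt and iteration count are constructed for illustration.

```python
import hashlib
import hmac
import struct

HLEN = hashlib.sha512().digest_size  # 64 bytes per PBKDF2-HMAC-SHA512 block


def pbkdf2_block(password: bytes, salt: bytes, iterations: int, index: int) -> bytes:
    """Compute block T_index (1-based) of PBKDF2-HMAC-SHA512, per RFC 8018."""
    # U_1 = HMAC(password, salt || INT_32_BE(index)); no other block is an input.
    u = hmac.new(password, salt + struct.pack(">I", index), hashlib.sha512).digest()
    t = int.from_bytes(u, "big")
    for _ in range(iterations - 1):
        # U_j = HMAC(password, U_{j-1}); T_index is the XOR of all U_j.
        u = hmac.new(password, u, hashlib.sha512).digest()
        t ^= int.from_bytes(u, "big")
    return t.to_bytes(HLEN, "big")


def candidate_matches(candidate: bytes, salt: bytes, iterations: int, stored: bytes) -> bool:
    """Test a candidate against a stored key of any length using one block of work."""
    # Compare only what the first block covers; a stored key shorter than
    # HLEN (a truncated hash) is compared over its own length.
    n = min(len(stored), HLEN)
    first = pbkdf2_block(candidate, salt, iterations, 1)
    return hmac.compare_digest(first[:n], stored[:n])


# Constructed sample values, not taken from any real hash.
PASSWORD, SALT, ITERATIONS = b"correct horse", b"constructed-salt", 1000
# A defender deriving 128 bytes pays for two blocks (2 * ITERATIONS HMAC calls).
STORED_128 = hashlib.pbkdf2_hmac("sha512", PASSWORD, SALT, ITERATIONS, dklen=2 * HLEN)

if __name__ == "__main__":
    t1 = pbkdf2_block(PASSWORD, SALT, ITERATIONS, 1)
    t2 = pbkdf2_block(PASSWORD, SALT, ITERATIONS, 2)
    print("T_1 || T_2 equals the 128-byte key:", t1 + t2 == STORED_128)
    print("match found from T_1 alone:",
          candidate_matches(PASSWORD, SALT, ITERATIONS, STORED_128))
```

For password storage this means a derived key longer than the digest size adds work only for the verifying side; raising the iteration count is what raises the cost of each guess.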