On 04/04/2008, Stefan Schulze Frielinghaus <stefan (at) seekline (dot) net [email concealed]> wrote:
> Hello,
>
> often you find products which implement AES 256Bit encryption e.g. in
> hard drive encryption, file encryption or whatever. The user specifies a
> password/passphrase which is used for encryption.
>
> My actual question is what does the standard say to passwords which are
> not exactly 256 Bit long? Often user passwords are 8 characters long
> (which means an effective key size of 64 Bit). Or someone could have a
> key file which is 300 Bit long. But AES with 256 Bit support would only
> use 256 Bit of the 300 Bit. Or it has to calculate a 256 Bit key of the
> 64 Bit material specified from the user.
>
> How to calculate a key of size 256 Bit which is standard compliant. Is
> there even a library outside which does this for me (e.g. OpenSSL uses
> MD5 digests sometimes)?
>
> I just want to develop an application where a user can specify a
> password to encrypt something in AES 256 Bit. But the encryption library
> I use forces me to specify a key with the exact 256 Bit. So I have to
> calculate a key which is standard compliant.
>
> Does someone has an idea, hint?
Look up the s2k (string to key) routines in botan. These deal with taking a variable length password and do a couple of things - mainly various rounds of hashing I think - to turn it into a 256-bit value. (You may not have enough entropy in your password, but you can smear it out evenly across the 256 bits available.)
Botan: http://botan.randombit.net/ - see the API docs.
p.50 in my copy of the API docs: "There are various procedures (usually fairly ad-hoc) for turning a passphrase into a (mostly) arbitrary length key for a symmetric cipher. A general interface for such algorithms is presented in s2k.h. The main function is derive key, which takes a passphrase, and the desired length of the output key, and returns a key of that length, deterministically produced from the passphrase. If an algorithm can't produce a key of that size, it will throw an exception (most notably, PKCS #5's PBKDF1 can only produce strings between 1 and n bytes, where n is the output size of the underlying hash function)."
cheers,
--
www.systemstates.net - penetration test / IDS / incident response
> Hello,
>
> often you find products which implement AES 256Bit encryption e.g. in
> hard drive encryption, file encryption or whatever. The user specifies a
> password/passphrase which is used for encryption.
>
> My actual question is what does the standard say to passwords which are
> not exactly 256 Bit long? Often user passwords are 8 characters long
> (which means an effective key size of 64 Bit). Or someone could have a
> key file which is 300 Bit long. But AES with 256 Bit support would only
> use 256 Bit of the 300 Bit. Or it has to calculate a 256 Bit key of the
> 64 Bit material specified from the user.
>
> How to calculate a key of size 256 Bit which is standard compliant. Is
> there even a library outside which does this for me (e.g. OpenSSL uses
> MD5 digests sometimes)?
>
> I just want to develop an application where a user can specify a
> password to encrypt something in AES 256 Bit. But the encryption library
> I use forces me to specify a key with the exact 256 Bit. So I have to
> calculate a key which is standard compliant.
>
> Does someone has an idea, hint?
Look up the s2k (string to key) routines in botan. These deal with taking a variable length password and do a couple of things - mainly various rounds of hashing I think - to turn it into a 256-bit value. (You may not have enough entropy in your password, but you can smear it out evenly across the 256 bits available.)
Botan: http://botan.randombit.net/ - see the API docs.
p.50 in my copy of the API docs: "There are various procedures (usually fairly ad-hoc) for turning a passphrase into a (mostly) arbitrary length key for a symmetric cipher. A general interface for such algorithms is presented in s2k.h. The main function is derive key, which takes a passphrase, and the desired length of the output key, and returns a key of that length, deterministically produced from the passphrase. If an algorithm can't produce a key of that size, it will throw an exception (most notably, PKCS #5's PBKDF1 can only produce strings between 1 and n bytes, where n is the output size of the underlying hash function)."
cheers,
--
www.systemstates.net - penetration test / IDS / incident response
[ reply ]