Re: my KDF vs dictionary attacks
Antony Clements wrote:
"Bryan Olson" wrote:
David Eather wrote:
To anyone else: Seriously, I want some feedback. Was what I posted too difficult / confused / obscure etc. to be useful? Yes, my email address if you prefer.

Giving a specific answer to a gibbering question is tricky business.
When the OP wrote, "the salt has 1 requirement, it must encrypt into a 32 character string, no more and no less, this means that the salt has a minimum of 5 digits and a maximum of 20 digits," did you understand what
he meant? I sure didn't.

Some encryption systems will give a larger output if the input is larger than a certain criteria, for example, twofish will encrypt a 5 character string into a 32 character output string,

Twofish encrypts a 16-byte plaintext block to produce a 16-byte ciphertext block (16 'octets' for the formalists, or 128 bits). Various modes of operation apply Twofish to other sizes. What that has to do with your salt issue is unclear.

and it will do this as long as the input string is no more than 20 characters; it's not rocket science to figure out that different size inputs to a given algorithm will give different sized outputs.

What a mess.

I have even taken the salting out of the users' hands by generating a random value which is encrypted with twofish and appended to the end of the ciphertext for the program to use in decryption... this is why the output string of the encrypted salt needs to be a set size.

The encrypted salt is used in decryption how? Under what key was it encrypted? Are there other keys involved that you forgot to specify?

Try defining your KDF clearly. A KDF takes secret data, non-secret data which includes a length parameter, and produces a key of the given length.


--
--Bryan
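A KDF of the shape Bryan describes at the end of his post (secret input, non-secret salt plus a length parameter, key of the requested length), as an added example that is not code from this thread. It uses PBKDF2-HMAC-SHA256 from Python's standard `hashlib`; the iteration count and the 16-byte salt size are assumptions, and the salt is stored in the clear next to the output rather than encrypted.

```python
import hashlib
import hmac
import os

# Assumed iteration count: chosen for attacker cost, not for output format.
# Raise it as hardware gets faster; it is stored with each record so old
# records stay verifiable after the default changes.
ITERATIONS = 600_000


def derive_key(secret: bytes, salt: bytes, length: int,
               iterations: int = ITERATIONS) -> bytes:
    """Return `length` bytes derived from a secret and a non-secret salt.

    The salt needs no fixed size and no encryption: it only has to be
    unique per derivation and stored alongside the result, so that the
    same secret never maps to the same key twice (that is what defeats a
    precomputed dictionary). The length is an explicit parameter, as in
    any real KDF interface, instead of a side effect of the cipher.
    """
    if length < 1:
        raise ValueError("length must be positive")
    return hashlib.pbkdf2_hmac("sha256", secret, salt, iterations, dklen=length)


def new_record(secret: bytes, length: int = 32) -> dict:
    """Derive a key for a fresh secret and package everything a verifier needs."""
    salt = os.urandom(16)  # random, non-secret, stored in the clear
    return {
        "salt": salt,
        "iterations": ITERATIONS,
        "key": derive_key(secret, salt, length),
    }


def verify(record: dict, candidate: bytes) -> bool:
    """Re-derive from the stored salt and compare in constant time."""
    derived = derive_key(candidate, record["salt"], len(record["key"]),
                         record["iterations"])
    return hmac.compare_digest(derived, record["key"])
```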