Re: Is this a secure key derivation function?
- From: "Joseph Ashwood" <ashwood@xxxxxxx>
- Date: Tue, 16 Mar 2010 15:14:57 -0700
"Carsten Krueger" <cakruege@xxxxxxxxx> wrote in message news:8o3p72rzl04e$.dlg@xxxxxxxxxxxxxxxxxxxxxx
Complete source can be found:
Is this a secure key derivation function?
No, it isn't. It has a race condition on Result. It does not check that InData is properly initialized (it is actually non-deterministic, making it unusable). It has major endian issues (not a problem with a homogeneous environment, but it isn't portable). The salt value is not always used, leading to insecurities. With that said, it appears what this mess is trying to do is:
Key = Whirlpool(Pwd | Pwd | ... | Pwd | SaltLo | SaltHi)
Which could be secure depending on outside variables. Regardless, it is poorly written.
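
The construction named in the reply above, written so that the listed defects cannot occur: this is an added example, not part of the original post and not the code under review. It assumes SaltLo and SaltHi are 32-bit words, and it uses SHA-512 from `hashlib` as a stand-in because Whirlpool is not available in every Python build; `derive_key`, `byte_order_changes_key` and their parameters are hypothetical names.

```python
import hashlib
import struct


def derive_key(password: bytes, salt_lo: int, salt_hi: int, repeats: int = 1024,
               byteorder: str = "<", hash_name: str = "sha512") -> bytes:
    """Key = H(Pwd | Pwd | ... | Pwd | SaltLo | SaltHi), deterministic and portable."""
    if not password:
        raise ValueError("password must be non-empty, initialized bytes")
    if repeats < 1:
        raise ValueError("repeats must be at least 1")
    if byteorder not in ("<", ">"):
        raise ValueError("byteorder must be '<' or '>'")
    # Serialize both salt halves with an explicit byte order so every platform
    # hashes identical bytes; struct.error is raised if a half is not a uint32.
    # (The 32-bit width is an assumption; the post does not state it.)
    salt = struct.pack(byteorder + "II", salt_lo, salt_hi)
    h = hashlib.new(hash_name)   # local state only, nothing shared between calls
    for _ in range(repeats):
        h.update(password)
    h.update(salt)               # the salt is mixed in on every call, unconditionally
    return h.digest()


def byte_order_changes_key(password: bytes, salt_lo: int, salt_hi: int) -> bool:
    """True when little- and big-endian salt encodings yield different keys."""
    return (derive_key(password, salt_lo, salt_hi, byteorder="<")
            != derive_key(password, salt_lo, salt_hi, byteorder=">"))


if __name__ == "__main__":
    # Constructed sample inputs, not taken from the post.
    pwd, lo, hi = b"correct horse", 0x01020304, 0x05060708
    print(derive_key(pwd, lo, hi).hex())
    print("byte order matters:", byte_order_changes_key(pwd, lo, hi))
```

Hashing the salt in native byte order is what makes the same password and salt produce different keys on little- and big-endian machines; fixing the order in the serialization step removes that dependency.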