Re: Is this a secure key derivation function?

"Carsten Krueger" <cakruege@xxxxxxxxx> wrote in message news:8o3p72rzl04e$.dlg@xxxxxxxxxxxxxxxxxxxxxx
Complete source can be found:
http://www.withopf.com/tools/securstick/encrsrc.zip

Is this a secure key derivation function?

No, it isn't. It has a race condition on Result. It does not check that InData is properly initialized (it is actually non-deterministic, making it unusable). It has major endian issues (not a problem in a homogeneous environment, but it isn't portable). The salt value is not always used, leading to insecurities. With that said, it appears what this mess is trying to do is

Key = Whirlpool(Pwd | Pwd | ... | Pwd | SaltLo | SaltHi)

Which could be secure depending on outside variables. Regardless, it is poorly written.
Joe
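The construction Joe reconstructs above, written out as an added example (not code from the thread or from the securstick source) so the two portability and salt points can be checked concretely. `derive_key`, its `repeats`, `use_salt` and `byteorder` parameters, and the way the 64-bit salt is split into `SaltLo`/`SaltHi` are assumptions made for this illustration; the original's exact repeat count and salt layout are not given in the thread. Whirlpool is used when the local OpenSSL build exposes it through `hashlib`, with SHA-512 (same 512-bit output size) substituted only so the demonstration runs anywhere.

```python
import hashlib
import struct


def _digest(data: bytes) -> bytes:
    """Whirlpool as the thread describes; SHA-512 is a stand-in only when
    hashlib lacks Whirlpool on this build (assumption for portability of the
    demo, not part of the original scheme)."""
    try:
        return hashlib.new("whirlpool", data).digest()
    except ValueError:
        return hashlib.sha512(data).digest()


def derive_key(password: bytes, salt: int, repeats: int = 8,
               use_salt: bool = True, byteorder: str = "<") -> bytes:
    """Key = H(Pwd | Pwd | ... | Pwd | SaltLo | SaltHi).

    salt      : 64-bit integer, split into 32-bit low and high halves (assumed layout).
    repeats   : how many times the password is concatenated (assumed count).
    use_salt  : False models the code path where the salt is never appended.
    byteorder : struct prefix used to serialise each salt half ('<' little-endian,
                '>' big-endian); this is the portability problem Joe points at,
                because the bytes hashed differ between hosts of different endianness.
    """
    if repeats < 1:
        raise ValueError("password must appear at least once")
    if byteorder not in ("<", ">"):
        raise ValueError("byteorder must be '<' or '>'")
    salt_lo = salt & 0xFFFFFFFF
    salt_hi = (salt >> 32) & 0xFFFFFFFF

    buf = password * repeats
    if use_salt:
        # Two unsigned 32-bit words; their in-memory byte order is what a
        # naive memcpy of the salt struct would feed to the hash.
        buf += struct.pack(byteorder + "II", salt_lo, salt_hi)
    return _digest(buf)


def salt_separates_users(password: bytes, salt_a: int, salt_b: int,
                         use_salt: bool = True) -> bool:
    """True when two users sharing a password still get distinct keys.
    With use_salt=False this is always False: equal passwords collapse to
    one key, so a single precomputed table covers every user."""
    return derive_key(password, salt_a, use_salt=use_salt) != \
        derive_key(password, salt_b, use_salt=use_salt)


def endianness_changes_key(password: bytes, salt: int) -> bool:
    """True when the same (password, salt) yields different keys on
    little- and big-endian hosts, i.e. data encrypted on one cannot be
    opened on the other."""
    return derive_key(password, salt, byteorder="<") != \
        derive_key(password, salt, byteorder=">")


if __name__ == "__main__":
    # Constructed sample inputs for the demonstration.
    pwd = b"correct horse"
    salt = 0x0123456789ABCDEF
    print("key (LE host):", derive_key(pwd, salt, byteorder="<").hex())
    print("key (BE host):", derive_key(pwd, salt, byteorder=">").hex())
    print("salted keys differ per user:", salt_separates_users(pwd, 1, 2))
    print("unsalted keys differ per user:", salt_separates_users(pwd, 1, 2, use_salt=False))
    print("endianness changes the key:", endianness_changes_key(pwd, salt))
```

Two properties fall out directly: dropping the salt makes every user with the same password derive the same key, and serialising the salt halves in host byte order ties the derived key to the endianness of the machine that created it. Neither depends on the hash chosen, so the checks hold whether Whirlpool or the stand-in digest is in use.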
