Re: verify symmetric cipher key?



On Mon, 5 Jul 2010 12:18:20 +0000 (UTC), Kristian Gjøsteen
<kristiag+news@xxxxxxxxxxxx> wrote:
>> If so, is there any way to do it using other/extra primitives?
>
> I can't think of any. It seems impossible.
>
> (Consider the following attack: the user has stored one data file
> generated with his passphrase. I substitute my data file generated with a
> random passphrase. How is the software to decide whether the user enters
> the correct passphrase and the file has been tampered with, or the file
> has not been tampered with and the user enters an incorrect passphrase?)

Do you have any concerns about the following construction?

(masterkey, pw_verifier) = PBKDF(passphrase, salt)

i.e. instead of deriving only the key bits, derive, say, 64 bits more
and use them as a password verifier.

The password verification calculates (masterkey2, pw_verifier2) =
PBKDF(passphrase2, salt), and if pw_verifier != pw_verifier2, the
password is wrong (ignoring the 2^-64 chance of false negatives).
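The construction above, written out as an added example (not code from the poster): one PBKDF call produces the key bits plus 64 extra bits, the extra bits are stored beside the salt as the verifier, and a later check re-derives both and compares the verifier before the master key is handed to the cipher. The choice of PBKDF2-HMAC-SHA256, the iteration count, the key length and the record layout are assumptions for the example; the post only fixes the 64-bit verifier size.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

KEY_LEN = 32          # 256-bit master key for the symmetric cipher (assumed)
VERIFIER_LEN = 8      # the 64 extra bits from the post, used only as verifier
ITERATIONS = 100_000  # PBKDF2 cost parameter (assumed, not from the post)


def derive(passphrase: str, salt: bytes) -> Tuple[bytes, bytes]:
    """(masterkey, pw_verifier) = PBKDF(passphrase, salt).

    One derivation of KEY_LEN + VERIFIER_LEN bytes, split into the key bits
    and the extra verifier bits, so neither is computable from the other.
    """
    out = hashlib.pbkdf2_hmac(
        "sha256", passphrase.encode("utf-8"), salt, ITERATIONS,
        dklen=KEY_LEN + VERIFIER_LEN,
    )
    return out[:KEY_LEN], out[KEY_LEN:]


def enroll(passphrase: str) -> Dict[str, bytes]:
    """Create the stored record: salt and pw_verifier only.

    The master key itself is never written out; it is re-derived on use.
    """
    salt = os.urandom(16)
    _masterkey, verifier = derive(passphrase, salt)
    return {"salt": salt, "pw_verifier": verifier}


def check_passphrase(candidate: str, record: Dict[str, bytes]) -> Optional[bytes]:
    """Re-derive (masterkey2, pw_verifier2) and compare verifiers.

    Returns the master key on a match, None if the passphrase is wrong
    (with the 2^-64 chance of a random verifier collision the post mentions).
    compare_digest keeps the comparison constant-time.
    """
    masterkey2, verifier2 = derive(candidate, record["salt"])
    if not hmac.compare_digest(record["pw_verifier"], verifier2):
        return None
    return masterkey2


if __name__ == "__main__":
    # Constructed sample passphrase, not from the post.
    rec = enroll("correct horse battery staple")
    assert check_passphrase("correct horse battery staple", rec) is not None
    assert check_passphrase("correct horse battery stapel", rec) is None
    print("verifier check behaves as expected")
```

The verifier only settles the question in the quoted attack for the record as stored: it tells "wrong passphrase" apart from "ciphertext damaged" as long as the salt and verifier fields are the originals. If the whole record (salt, verifier and ciphertext) is swapped for one made under another passphrase, the legitimate user simply sees "wrong passphrase", which is exactly the indistinguishability the earlier post describes, so the verifier is a usability aid, not an integrity check, and a MAC over the ciphertext is still needed for the latter.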
