Re: verify symmetric cipher key?

On Mon, 5 Jul 2010 12:18:20 +0000 (UTC), Kristian Gjøsteen
<kristiag+news@xxxxxxxxxxxx> wrote:
If so, is there any way to do it using other/extra primitives?

I can't think of any. It seems impossible.

(Consider the following attack: the user has stored one data file
generated with his passphrase. I substitute my data file generated with a
random passphrase. How is the software to decide whether the user enters
the correct passphrase and the file has been tampered with, or the file
has not been tampered with and the user enters an incorrect passphrase?)

Do you have any concerns about the following construction?

(masterkey, pw_verifier) = PBKDF(passphrase, salt)

i.e. instead of deriving only the key bits, derive say 64 bits more
and use them as a password verifier.

The password verification calculates (masterkey2, pw_verifier2) =
PBKDF(passphrase2, salt), and if pw_verifier != pw_verifier2, the
password is wrong (ignoring the 2^-64 chance of false negatives).
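The construction described in this reply, written out as an added Python example (not code from the thread). It assumes PBKDF2-HMAC-SHA256, a 256-bit master key and an arbitrary iteration count, none of which the thread specifies, and it also runs the substituted-file scenario Kristian describes to show that the verifier cannot tell a swapped file from a mistyped passphrase.

```python
from __future__ import annotations
import hashlib
import hmac
import os

KEY_LEN = 32          # 256-bit master key for the symmetric cipher (assumed)
VERIFIER_LEN = 8      # the "say 64 bits more" used as a password verifier
ITERATIONS = 200_000  # assumed PBKDF2 work factor; the thread names none


def derive(passphrase: str, salt: bytes) -> tuple[bytes, bytes]:
    """One PBKDF call yields KEY_LEN + VERIFIER_LEN bytes; the tail is pw_verifier."""
    out = hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt,
                              ITERATIONS, dklen=KEY_LEN + VERIFIER_LEN)
    return out[:KEY_LEN], out[KEY_LEN:]


def enroll(passphrase: str, salt: bytes | None = None) -> tuple[bytes, bytes, bytes]:
    """Return (salt, pw_verifier, masterkey). Salt and verifier are stored next to
    the data file; the master key only encrypts and is never stored."""
    if salt is None:
        salt = os.urandom(16)
    masterkey, pw_verifier = derive(passphrase, salt)
    return salt, pw_verifier, masterkey


def check_passphrase(passphrase: str, salt: bytes, stored_verifier: bytes) -> bytes | None:
    """Recompute (masterkey2, pw_verifier2) and compare verifiers in constant time.
    Returns the master key on a match, None otherwise (a wrong passphrase matches
    with probability 2^-64, as the reply notes)."""
    masterkey2, pw_verifier2 = derive(passphrase, salt)
    if hmac.compare_digest(pw_verifier2, stored_verifier):
        return masterkey2
    return None


def demo() -> dict:
    """Constructed scenario: correct passphrase, wrong passphrase, and the
    substituted-file case quoted above (attacker's blob, random passphrase)."""
    user_pw = "correct horse battery staple"
    salt, verifier, key = enroll(user_pw)
    results = {
        "correct": check_passphrase(user_pw, salt, verifier) == key,
        "wrong": check_passphrase("Correct horse battery staple", salt, verifier) is None,
    }
    # Attacker replaces salt+verifier with ones derived from a random passphrase.
    a_salt, a_verifier, _ = enroll(os.urandom(16).hex())
    # The genuine passphrase now fails exactly like a typo would: the verifier
    # authenticates the passphrase against the blob, not the blob itself.
    results["substituted"] = check_passphrase(user_pw, a_salt, a_verifier) is None
    return results
```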