Aleksey Cherepanov

2016-04-05 06:09:54 UTC

In pbkdf2_hmac_sha512_valid() in src/pbkdf2_hmac_common.c:

    len = strlen(ptr); // binary length
    if (len < PBKDF2_SHA512_BINARY_SIZE || len > PBKDF2_SHA512_MAX_BINARY_SIZE || len & 1)
        goto error;
    if (!ishex(ptr))
        goto error;

The first question: len is the length of hexed binary, so the given
hash should not be shorter than half of full hash according to the
code, is it ok?

There is the following loop in pbkdf2_hmac_sha512_binary():

    for (i = 0; i < PBKDF2_SHA512_BINARY_SIZE && *p; i++) {
        out[i] =
            (atoi16[ARCH_INDEX(*p)] << 4) |
            atoi16[ARCH_INDEX(p[1])];
        p += 2;
    }

So having half of hash, we would read after the end. But
pbkdf2_hmac_sha512_cmp_exact() has a check for that.

The second question: pbkdf2's derived key is constructed from independent
digests and we may just check our result against first/any, so longer
derived keys do not improve security: they slow down defensive
implementation, but they do not slow down attacker, because attacker
needs to compute only 1 digest. So are there real hashes longer than 1
digest size?

Thanks!

--
Regards,
Aleksey Cherepanov
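The block independence raised in the second question, as an added example that is not part of the original message or of John the Ripper's code: each PBKDF2 output block T_i depends only on the password, salt, iteration count and block index (RFC 8018, section 5.2), so a candidate can be tested against the first block of a stored key without computing the others. The function names, password, salt and iteration count are constructed for the illustration.

```python
import hashlib
import hmac
import struct

HLEN = hashlib.sha512().digest_size  # 64 bytes per PBKDF2-HMAC-SHA512 block


def pbkdf2_block(password: bytes, salt: bytes, iterations: int, index: int) -> bytes:
    """Compute block T_index of PBKDF2-HMAC-SHA512 (RFC 8018, section 5.2)."""
    prf = hmac.new(password, digestmod=hashlib.sha512)

    def run(data: bytes) -> bytes:
        h = prf.copy()
        h.update(data)
        return h.digest()

    u = run(salt + struct.pack(">I", index))  # U_1 = PRF(P, S || INT(i))
    t = int.from_bytes(u, "big")
    for _ in range(iterations - 1):
        u = run(u)                     # U_j = PRF(P, U_{j-1})
        t ^= int.from_bytes(u, "big")  # T_i = U_1 ^ U_2 ^ ... ^ U_c
    return t.to_bytes(HLEN, "big")


def check_first_block(candidate: bytes, salt: bytes, iterations: int, stored: bytes) -> bool:
    """Test a candidate against a stored derived key using only block 1."""
    first = pbkdf2_block(candidate, salt, iterations, 1)
    n = min(len(stored), HLEN)
    return hmac.compare_digest(first[:n], stored[:n])


# Constructed sample parameters, not taken from any real hash.
PASSWORD = b"correct horse"
SALT = b"constructed-salt"
ITERATIONS = 1000

# A verifier that stores a 128-byte key has to compute two blocks...
STORED = hashlib.pbkdf2_hmac("sha512", PASSWORD, SALT, ITERATIONS, dklen=2 * HLEN)

if __name__ == "__main__":
    # ...but each block is reproducible on its own from its index.
    print(STORED[:HLEN] == pbkdf2_block(PASSWORD, SALT, ITERATIONS, 1))
    print(STORED[HLEN:] == pbkdf2_block(PASSWORD, SALT, ITERATIONS, 2))
    print(check_first_block(PASSWORD, SALT, ITERATIONS, STORED))
    print(check_first_block(b"wrong guess", SALT, ITERATIONS, STORED))
```

When choosing PBKDF2 parameters, a derived-key length above one digest size (64 bytes for HMAC-SHA512) multiplies the verifier's work but not the per-guess cost shown here.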

