questions about pbkdf2's binary/ciphertext size
Aleksey Cherepanov
2016-04-05 06:09:54 UTC
In pbkdf2_hmac_sha512_valid() in src/pbkdf2_hmac_common.c:

    len = strlen(ptr); // binary length
    if (len < PBKDF2_SHA512_BINARY_SIZE || len > PBKDF2_SHA512_MAX_BINARY_SIZE || len & 1)
        goto error;
    if (!ishex(ptr))
        goto error;

The first question: len is the length of the hexed binary, so the given
hash should not be shorter than half of the full hash according to the
code. Is that OK?

There is the following loop in pbkdf2_hmac_sha512_binary():

    for (i = 0; i < PBKDF2_SHA512_BINARY_SIZE && *p; i++) {
        out[i] =
            (atoi16[ARCH_INDEX(*p)] << 4) |  /* high nibble */
            atoi16[ARCH_INDEX(p[1])];        /* low nibble */
        p += 2;
    }

So having half of the hash, we would read after the end. But
pbkdf2_hmac_sha512_cmp_exact() has a check for that.

The second question: pbkdf2's derived key is constructed from independent
digests and we may just check our result against the first/any, so longer
derived keys do not improve security: they slow down the defensive
implementation, but they do not slow down the attacker, because the attacker
needs to compute only 1 digest. So are there real hashes longer than 1
digest size?

Aleksey Cherepanov
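
Added example, not part of the original post and not John the Ripper code: the second question worked through with PBKDF2-HMAC-SHA512 built block by block (RFC 8018), showing that a 128-byte derived key is two independent 64-byte blocks and that a guess can be confirmed from the first block alone. The password, salt, iteration count and function names are constructed for illustration.

```python
import hashlib
import hmac

H_LEN = hashlib.sha512().digest_size  # 64 bytes: one PBKDF2-HMAC-SHA512 block

# Constructed sample parameters (not taken from any real hash).
PASSWORD = b"correct horse"
SALT = b"constructed-salt"
ITERATIONS = 1000


def pbkdf2_block(password: bytes, salt: bytes, iterations: int, index: int) -> bytes:
    """Block T_index = U_1 xor ... xor U_c; depends only on its own index."""
    u = hmac.new(password, salt + index.to_bytes(4, "big"), hashlib.sha512).digest()
    t = int.from_bytes(u, "big")
    for _ in range(iterations - 1):
        u = hmac.new(password, u, hashlib.sha512).digest()
        t ^= int.from_bytes(u, "big")
    return t.to_bytes(H_LEN, "big")


def derive(password: bytes, salt: bytes, iterations: int, dklen: int) -> bytes:
    """Full derived key: T_1 || T_2 || ... truncated to dklen bytes."""
    blocks = -(-dklen // H_LEN)  # ceil(dklen / H_LEN)
    dk = b"".join(pbkdf2_block(password, salt, iterations, i)
                  for i in range(1, blocks + 1))
    return dk[:dklen]


def hmac_invocations(iterations: int, dklen: int) -> int:
    """Work needed to produce the whole derived key of dklen bytes."""
    return -(-dklen // H_LEN) * iterations


def first_block_matches(candidate: bytes, salt: bytes, iterations: int,
                        stored: bytes) -> bool:
    """Confirm a guess using only the first H_LEN bytes of the stored key."""
    t1 = pbkdf2_block(candidate, salt, iterations, 1)
    return hmac.compare_digest(t1, stored[:H_LEN])


if __name__ == "__main__":
    stored = derive(PASSWORD, SALT, ITERATIONS, 2 * H_LEN)
    print("matches hashlib:", stored == hashlib.pbkdf2_hmac(
        "sha512", PASSWORD, SALT, ITERATIONS, 2 * H_LEN))
    print("full derivation HMAC calls:", hmac_invocations(ITERATIONS, 2 * H_LEN))
    print("first-block check HMAC calls:", hmac_invocations(ITERATIONS, H_LEN))
    print("guess confirmed from block 1:",
          first_block_matches(PASSWORD, SALT, ITERATIONS, stored))
```

Keeping the requested output at or below one digest (64 bytes for SHA-512) makes the verifier's cost equal to the cost of testing one guess.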