> For encryption I decided to use AES-128.
> In my application there will be 6 to no more than 16 bytes to hash
> at once. And they have to remain secret.
OK, if you don't need more than 16 bytes hashed, just do the following:
* Make the 16 secret bytes the key for the AES encryption
* If you have less than 16 bytes to hash, just pad the key with ASCII
nulls
* Choose any input as the plaintext to run through AES. Something
with a random pattern (binary representations of pi are popular)
will speed up AES' diffusion a wee bit, but all NULLS is fine.
* The resulting ciphertext is your hash
* Make sure you only hash up to 16 bytes this way. If you want to
hash more bytes, use a 128-bit variant of, say, Bram Cohen's
AES-hash.
This will generate 16 random bytes; as long as the key is unknown, we
don't know how we got the bytes.
Now, if you only hash six bytes, and someone knows the IV (the
plaintext), then it is possible for an attacker to guess the six bytes
being hashed via brute force. If this is not desirable, make the IV
secret; this results in what is known as a MAC (message authentication
code).
> To generate session keys, I need random numbers. Because there is no
> true random source, I have to use a PRNG. This PRNG (if it is one)
> is invoked only once for every key generation. At the moment I'm
> thinking about the following way:
I will assume you can somehow get 16 measly truly random bytes. If
not, the system is insecure, and people will break the bank when
playing Keno with your implementation. I don't know enough about your
hardware to know how to squeeze 16 random bytes out of it, so I'll
gloss over this step. (Timing how fast people type is one way to get
good random numbers.)
Once you have these 16 random bytes, make them the key for the AES
cipher, then run the cipher in either CTR (counter) or OFB mode to
generate secure pseudo-random bytes.
http://en.wikipedia.org/wiki/Block_cipher_modes_of_operation
or, in German:
http://de.wikipedia.org/wiki/Cipher_Block_Chaining_Mode
And, oh, convince your boss to buy you a book. "Applied Cryptography"
by Bruce Schneier is an excellent, albeit slightly dated, book. While
it was written before AES came out (I wonder if Dr. Schneier will ever
update the book to discuss AES. Then again, he'd need to update it
again to discuss whatever hash replaces MD5 and SHA), the general
principles are the same.
Received on Thu Sep 29 21:43:27 2005
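The two constructions described in the reply above, written out as an added example (not code from the original post or its author): the NUL-padded secret becomes the AES-128 key and the ciphertext of one fixed block is the 16-byte "hash", and a 16-byte seed drives AES in CTR mode as the PRNG. The function names `secretHash` and `ctrStream` and the sample inputs are assumptions for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/hex"
	"fmt"
)

// secretHash: the secret (1..16 bytes) is NUL-padded to 16 bytes and used as
// the AES-128 key; a fixed, public 16-byte block is encrypted and the
// ciphertext is the "hash". As the post notes, a short secret with a known
// plaintext block is brute-forceable, so callers should treat it accordingly.
func secretHash(secret, plaintextBlock []byte) ([16]byte, error) {
	var out [16]byte
	if len(secret) == 0 || len(secret) > 16 {
		return out, fmt.Errorf("secret must be 1..16 bytes, got %d", len(secret))
	}
	if len(plaintextBlock) != aes.BlockSize {
		return out, fmt.Errorf("plaintext block must be %d bytes", aes.BlockSize)
	}
	var key [16]byte // zero-filled, so shorter secrets are padded with NUL bytes
	copy(key[:], secret)
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return out, err
	}
	block.Encrypt(out[:], plaintextBlock)
	return out, nil
}

// ctrStream: 16 truly random seed bytes become the AES-128 key, and AES in
// CTR mode over a zero buffer yields n pseudo-random keystream bytes.
func ctrStream(seed []byte, n int) ([]byte, error) {
	block, err := aes.NewCipher(seed)
	if err != nil {
		return nil, err
	}
	iv := make([]byte, aes.BlockSize) // assumption: counter starts at zero
	out := make([]byte, n)
	cipher.NewCTR(block, iv).XORKeyStream(out, out)
	return out, nil
}

func main() {
	h, _ := secretHash([]byte("secret"), make([]byte, aes.BlockSize)) // constructed sample
	fmt.Println(hex.EncodeToString(h[:]))
}
```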