Hello,
Sam Trenholme wrote:
> * Make the 16 secret bytes the key for the AES encryption
> * If you have less than 16 bytes to hash, just pad the key with ASCII
> nulls
> * Choose any input as the plaintext to run through AES. Something
> with a random pattern (binary representations of pi are popular)
> will speed up AES' diffusion a wee bit, but all NULLS is fine.
> * The resulting ciphertext is your hash
> * Make sure you only hash up to 16 bytes this way. If you want to
> hash more bytes, use a 128-bit variant of, say, Bram Cohen's
> AES-hash.
>
> This will generate 16 random bytes; as long as the key is unknown, we
> don't know how we got the bytes.
Using the secret bytes as key sounds good. I think I'll do it this way.
Thank you.
> Now, if you only hash six bytes, and someone knows the IV (the
> plaintext), then it is possible for an attacker to guess the six bytes
> being hashed via brute force. If this is not desirable, make the IV
> secret; this results in what is known as a MAC (message authentication
> code).
Well, I know. But a secret IV is not possible here.
> I will assume you can somehow get 16 measly truly random bytes. If
> not, the system is insecure, and people will break the bank when
> playing Keno with your implementation. I don't know enough about your
> hardware to know how to squeeze 16 random bytes out of it, so I'll
> gloss over this step. (Timing how fast people type is one way to get
> good random numbers)
In the worst case I'll get only one random byte between generating two
session keys. That's the reason I wanted to use a secret (here it is
possible) random IV. Would this be secure? (I think it would.)
> Once you have these 16 random bytes, make them the key for the AES
> cipher, then run the cipher in either CTR (counter) or OFB mode to
> generate secure pseudo-random bytes.
>
> http://en.wikipedia.org/wiki/Block_cipher_modes_of_operation
IMHO OFB mode would be the best choice for my purpose. I suppose
I don't need a plaintext here. Am I right?
> And, oh, convince your boss to buy you a book. "Applied Cryptography"
> by Bruce Schneier is an excellent, albeit slightly dated, book.
Done. I'll get it tomorrow.
Thanks again
Mike
Received on Thu Sep 29 21:43:52 2005
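As an added example (not part of the thread or either author's code), the quoted construction in Go: AESHash16 is the NUL-padded-key hash from Sam's list, and OFBKeystream is the OFB generator that, as Mike asks, needs only the key and an IV. The function names are mine; the zero key and IV in main stand in for the 16 random bytes. The main also shows a caveat of the NUL padding: a secret that already ends in a NUL byte hashes identically to the same secret without it.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/hex"
	"fmt"
)

// AESHash16 is the construction quoted in the thread: up to 16 secret bytes
// become the AES-128 key (NUL-padded), one fixed plaintext block is
// encrypted, and the ciphertext block is the 16-byte "hash".
func AESHash16(secret []byte, plaintext [16]byte) ([16]byte, error) {
	var out [16]byte
	if len(secret) > 16 {
		return out, fmt.Errorf("only up to 16 bytes can be hashed this way, got %d", len(secret))
	}
	var key [16]byte
	copy(key[:], secret) // shorter secrets are padded with NUL bytes
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return out, err
	}
	block.Encrypt(out[:], plaintext[:])
	return out, nil
}

// OFBKeystream keys AES-128 with the 16 random bytes and returns n bytes of
// OFB output. OFB just re-encrypts the IV (O1 = E_K(IV), O2 = E_K(O1), ...),
// so no plaintext is needed; XORing against zeros yields the raw keystream.
func OFBKeystream(key, iv [16]byte, n int) []byte {
	block, err := aes.NewCipher(key[:])
	if err != nil {
		panic(err) // cannot happen with a 16-byte key
	}
	out := make([]byte, n) // zero-filled, so it becomes the keystream itself
	cipher.NewOFB(block, iv[:]).XORKeyStream(out, out)
	return out
}

func main() {
	var zero, key, iv [16]byte // zero key/IV stand in for the random bytes
	h1, _ := AESHash16([]byte("abc"), zero)
	h2, _ := AESHash16([]byte("abc\x00"), zero)
	fmt.Printf("hash(abc)=%x hash(abc\\x00)=%x collide=%v\n", h1, h2, h1 == h2)
	ks := OFBKeystream(key, iv, 32)
	first, _ := AESHash16(key[:], iv) // first OFB block is exactly E_K(IV)
	fmt.Printf("OFB block 1=%x equals E_K(IV)=%v\n", ks[:16], hex.EncodeToString(first[:]) == hex.EncodeToString(ks[:16]))
}
```

Because the first OFB block is E_K(IV), the keystream is only as unpredictable as the key and IV together; the padding collision means a secret ending in NUL and the same secret without it are the same key.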