by dlitz 4706 days ago
As an aside, you can use PBKDF2 with an iteration count of 1 to extend the output of a hash function to arbitrary lengths:

    output = HMAC-SHA256("passphrase", "salt" + x"00000001")
           + HMAC-SHA256("passphrase", "salt" + x"00000002")
          ...
This is useful when you want to derive keys from a (strong) master secret, but if you don't trust the underlying algorithm, all bets are off.

Hmm. That seems like it's still susceptible to the weakness sdevlin mentioned. For c = 1, it is the same thing that I suggested initially, and for larger c, it merely makes the hash more expensive to compute by iterating it, but the concatenation weakness would still hold, wouldn't it? It seems to me that this is perhaps useful for generating keys from passphrases, but not for lengthening a hash used to store a password in a database.

Yes, I think so. IIUC, with this construction, the difficulty only increases linearly with the length of the output, rather than exponentially, as one might expect.

I don't think there's a generically secure way to extend short hash functions to get an exponential difficulty increase. Otherwise, we could just construct arbitrary-length hash functions using small (e.g. 32-bit) building blocks without needing to cryptanalyze the result.

But then again, I haven't been paying attention to the literature lately.
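
The construction from the first comment, written out as an added example that is not part of the thread: it builds the c = 1 output block by block, compares it with Python's `hashlib.pbkdf2_hmac`, and shows that each 32-byte block depends only on the secret, the salt and its own index. The function names and the sample inputs are constructed for illustration.

```python
import hashlib
import hmac
import struct

HASH_LEN = 32  # SHA-256 output size in bytes


def block(secret: bytes, salt: bytes, index: int) -> bytes:
    """One output block: HMAC-SHA256(secret, salt || 32-bit big-endian index)."""
    return hmac.new(secret, salt + struct.pack(">I", index), hashlib.sha256).digest()


def expand_c1(secret: bytes, salt: bytes, length: int) -> bytes:
    """PBKDF2-HMAC-SHA256 with an iteration count of 1, block by block.

    With c = 1 the inner iteration loop disappears, so the output is just
    block 1 || block 2 || ... truncated to the requested length.
    """
    n_blocks = -(-length // HASH_LEN)  # ceiling division
    out = b"".join(block(secret, salt, i) for i in range(1, n_blocks + 1))
    return out[:length]


def matches_library(secret: bytes, salt: bytes, length: int) -> bool:
    """Compare the hand-rolled expansion with hashlib's PBKDF2 at c = 1."""
    expected = hashlib.pbkdf2_hmac("sha256", secret, salt, 1, dklen=length)
    return hmac.compare_digest(expand_c1(secret, salt, length), expected)


if __name__ == "__main__":
    secret, salt = b"passphrase", b"salt"  # constructed sample inputs

    long_out = expand_c1(secret, salt, 96)
    short_out = expand_c1(secret, salt, 32)

    print("matches hashlib.pbkdf2_hmac:", matches_library(secret, salt, 80))
    # A shorter output is a prefix of a longer one for the same inputs.
    print("32-byte output is a prefix :", long_out[:HASH_LEN] == short_out)
    # Every block can be recomputed on its own, without the others.
    print("block 3 stands alone       :", long_out[64:96] == block(secret, salt, 3))
```

Because outputs of different lengths share a prefix, keys derived for different purposes from one master secret need distinct salts rather than distinct lengths.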