Session Key Questions

David Shaw dshaw at jabberwocky.com
Tue Oct 21 19:32:35 CEST 2008


On Tue, Oct 21, 2008 at 11:04:21AM -0500, Kevin Hilton wrote:
> >RFC-4880, section 3.7.1.1:
> 
> >   If the hash size is less than the key size, multiple instances of
> >   the hash context are created -- enough to produce the required key
> >   data.  These instances are preloaded with 0, 1, 2, ... octets of
> >   zeros (that is to say, the first instance has no preloading, the
> >   second gets preloaded with 1 octet of zero, the third is preloaded
> >   with two octets of zeros, and so forth).
> 
> >In other words, there are multiple hash contexts run, each responsible
> >for a different part of the key (0-159 & 159-255 in your SHA1 and
> >AES256 example).
> 
> Sorry about my last reply, when I sent my question, David had not
> responded as of yet.
> 
> Ok, so just to clarify, say I have a 160bit hash product (produced
> from a salted password) using the SHA1 hash.  In my theoretical
> example, AES256 requires a 256 bit key. To construct this key
> 
> Bits
> #1 0-159 = the salted hashed password (with 0 octets added)
> #2 159-255 = the leftmost 80 bits of the salted preloaded password
> with 1 octet zeros and then hashed.
> 
> To produce the full 256 bits, the results of operation 1 and operation
> 2 are combined -- meaning result #1 is shifted 80 bits and then #2 is
> added to #1?

No.  With SHA1 and AES256, you set up two SHA1 contexts.  The first
one (the one that will become 0-159) is left alone.  The second one
(the one that will become 160-255) gets a zero pushed in.  Now, take
the passphrase, add 8 bytes of random salt to the front of it.  Take
that blob and feed it to each hash context over and over until you
reach the defined byte count (65536 by default).

Section 3.7.1.3 of RFC-4880 gives the exact details.

> Randomly generated session keys -- once produced are these salted and
> hashed similar to passwords?  Or is the generated session key the
> required length for the chosen cipher?

No.  They're just random.  There is no point in salting and hashing
already-random data.  That is just for turning a passphrase into a
key.

> When passwords are salted -- how long is the salt?  Is this appended
> or prepended to the chosen password?

8 bytes, prepended.

David
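
Added example, not part of the original message and not GnuPG's own code: a sketch of the iterated and salted S2K from RFC-4880 section 3.7.1.3 as described above, deriving a 256-bit key from two SHA1 contexts. The function names, the sample passphrase and the fixed salt are constructed for illustration.

```python
import hashlib


def s2k_count(c: int) -> int:
    """Decode the one-octet coded count (RFC 4880, section 3.7.1.3)."""
    return (16 + (c & 15)) << ((c >> 4) + 6)


def iterated_salted_s2k(passphrase: bytes, salt: bytes, count: int,
                        key_len: int, hash_name: str = "sha1") -> bytes:
    """Derive key_len octets from a passphrase as the message describes."""
    if len(salt) != 8:
        raise ValueError("salt must be 8 octets")
    blob = salt + passphrase              # salt is prepended
    # The blob is always hashed in full at least once, even for a small count.
    count = max(count, len(blob))
    full, rest = divmod(count, len(blob))
    stream = blob * full + blob[:rest]    # repeat the blob up to count octets
    key = b""
    n_ctx = 0
    while len(key) < key_len:
        ctx = hashlib.new(hash_name)
        ctx.update(b"\x00" * n_ctx)       # context n is preloaded with n zeros
        ctx.update(stream)
        key += ctx.digest()
        n_ctx += 1
    return key[:key_len]                  # leftmost octets of the concatenation


if __name__ == "__main__":
    # Constructed sample values; a real salt comes from a CSPRNG (os.urandom(8)).
    salt = bytes.fromhex("0102030405060708")
    key = iterated_salted_s2k(b"correct horse", salt, s2k_count(96), 32)
    print(key.hex())
```

With SHA1 and a 32-octet key, the first context supplies octets 0-19 and the second (preloaded with one zero octet) supplies the remaining 12.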


