monotone-devel

[Monotone-devel] Re: bug: monotone serve w/ long passphrase


From: Lapo Luchini
Subject: [Monotone-devel] Re: bug: monotone serve w/ long passphrase
Date: Sun, 25 Sep 2005 09:01:17 +0200
User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.7.6) Gecko/20050317 Thunderbird/1.0.2 Mnenhy/0.7.2.0 Hamster/2.0.0.1

Stefan Karpinski wrote:
> Monotone reports the following bug. Here's the short version:
> 
> monotone: fatal: std::exception: Botan: ARC4 cannot accept a key of length 33

Passwords should really ALWAYS be passed through a hash before being
used as key material, in order to both:
1. allow arbitrary length
2. use the entropy dispersed in all the length (and thus, permitting
password to ACTUALLY use the full 32 byte entropy potential, and not
only a fraction of that)
3. adding some more "dispersion" in the space of the keys used (i.e.
Hamming(prova,provb)=1, Hamming(SHA256(prova),SHA256(provb))=128)

According to Schneier the best "hash" to use would actually be SHAd256,
that is SHA256(SHA256(data)) (the "double" closure is needed to remove,
with low cost, an ugly "problem" of iterative hashes, the "length
extension attack").

Even better would be to use the hash "salted & stretched" (again, using
Schneier's terminology), that is:
salt = 32 byte from /dev/random
h0 = SHAd256(password, salt)
h1 = SHAd256(h0, salt)
(repeat N times, with N such that the whole computation needs 1 second on
a not-too-powerful PC)
h(N) = SHAd256(h(N-1), salt)
key = h(N)

Or, nowadays hash salting & stretching seems really to be being
superseded by multiple "AES Key Wrap".

--
L a p o   L u c h i n i
l a p o @ l a p o . i t
w w w . l a p o . i t /
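The salted and stretched SHAd256 construction Lapo describes above, written out as an added Python example (this is not code from monotone, Botan or the post itself). The round count, the calibration probe size and the sample passphrases are constructed for illustration; the 33-byte passphrase mirrors the length that triggered the reported ARC4 error.

```python
import hashlib
import os
import time


def shad256(*parts: bytes) -> bytes:
    """SHAd256(data) = SHA256(SHA256(data)); the outer hash hides the
    inner chaining state, which is what defeats length extension."""
    inner = hashlib.sha256(b"".join(parts)).digest()
    return hashlib.sha256(inner).digest()


def stretch_key(password: bytes, salt: bytes, rounds: int) -> bytes:
    """Salted and stretched key as in the post: h0 = SHAd256(pw, salt),
    h(i) = SHAd256(h(i-1), salt), key = h(N). Always 32 bytes of output,
    whatever the passphrase length."""
    h = shad256(password, salt)
    for _ in range(rounds):
        h = shad256(h, salt)
    return h


def calibrate_rounds(target_seconds: float = 1.0, probe: int = 20000) -> int:
    """Pick N so one derivation costs about target_seconds on this machine
    (the post's '1 second on a not-too-powerful PC'). Probe size is an
    assumption; it is scaled linearly to the target."""
    salt = os.urandom(32)
    start = time.perf_counter()
    stretch_key(b"calibration", salt, probe)
    elapsed = max(time.perf_counter() - start, 1e-6)
    return max(1, int(probe * target_seconds / elapsed))


def hamming_bits(a: bytes, b: bytes) -> int:
    """Number of differing bits between two equal-length byte strings."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


if __name__ == "__main__":
    salt = os.urandom(32)            # 32 bytes from the OS CSPRNG, as the post suggests
    long_pw = b"x" * 33              # constructed: the length ARC4 rejected directly
    key = stretch_key(long_pw, salt, rounds=10000)
    print(len(key), key.hex())       # 32 bytes of key material regardless of input length
    # Neighbouring passphrases yield unrelated keys (the "dispersion" point):
    k1 = stretch_key(b"prova", salt, 1000)
    k2 = stretch_key(b"provb", salt, 1000)
    print(hamming_bits(b"prova", b"provb"), hamming_bits(k1, k2))
```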