W3C home > Mailing lists > Public > public-xmlsec@w3.org > October 2011

RE: In XML encryption 1.1, the PBKDF2-params/KeyLength is superfluous

From: Magnus Nystrom <mnystrom@microsoft.com>
Date: Mon, 17 Oct 2011 17:03:24 +0000
To: Pratik Datta <pratik.datta@oracle.com>, "XMLSec WG Public List (public-xmlsec@w3.org)" <public-xmlsec@w3.org>
Message-ID: <D744D68428430B4F9C81DE8A4D5950681219C20E@TK5EX14MBXW602.wingroup.windeploy.ntdev.microsoft.com>
True. Perhaps we should instead add the KeyDatalen to ConcatKDF (at least as an optional?)?

I am a little wary at doing any changes to the schema at this late point though given that what we have apparently works - but I can see the inconsistency. I'd rather not change the PBKDF2 schema though since we currently have alignment with the schema for PKCS #5 - the same elements & attributes.

-- Magnus


> -----Original Message-----
> From: Pratik Datta [mailto:pratik.datta@oracle.com]
> Sent: Monday, October 17, 2011 9:25 AM
> To: Magnus Nystrom; XMLSec WG Public List (public-xmlsec@w3.org)
> Subject: RE: In XML encryption 1.1, the PBKDF2-params/KeyLength is
> superfluous
> 
> Even for ConcatKDF, "keydatalen" is a required input to the algorithm.
> But we don't have that as a parameter for ConcatKDF. It needs to be inferred.
> 
> Pratik
> 
> -----Original Message-----
> From: Magnus Nystrom [mailto:mnystrom@microsoft.com]
> Sent: Monday, October 17, 2011 8:57 AM
> To: XMLSec WG Public List (public-xmlsec@w3.org)
> Subject: RE: In XML encryption 1.1, the PBKDF2-params/KeyLength is
> superfluous
> 
> Pratik wrote:
> 
> > Can we remove the  KeyLength parameter in  PBKDF2 ?
> > In the other two key derivation functions - ConcatKDF and
> > LegacyKeyDerivation, the length of the key to be derived is not specified ,
> rather it needs to be inferred from the context.  We should have PBKDF2  also
> behave similarly.
> 
> I don't see how one could do this as the KeyLength is an integral part of the
> PBKDF2 algorithm. For example, it is used to determine how many blocks of
> hash output that is required. I'd recommend not trying to change this at this
> point.
> 
> -- Magnus
> 
> 
Received on Monday, 17 October 2011 17:04:04 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Monday, 17 October 2011 17:04:04 GMT