Best practice for password-protecting a secret key

Question

What approaches are generally accepted for generating a password-protected symmetric key?

My intuition is to generate and store a random string of appropriate length as the password-protected key, then HMAC it with a PBKDF2ed password to get the actual symmetric key. With this approach, is the PBKDF2 step necessary or superfluous? Is there a better approach (e.g., XORing the generated key bits with the PBKDF2ed password key bits)?

Edit: I realized after making this post that it makes more sense to do HMAC(key, password) than HMAC(PBKDF2(password), key).

Update: The answer is PBKDF2(SHA256, password, key, iterations).

score 6 · Accepted Answer · edited Mar 17 '17 at 13:14

PBKDF2 is designed exactly for the purpose you're thinking of: to make the time tradeoff for attacking a low entropy source comparable to that of attacking the resulting output as if it were a purely high entropy source.

In a contrived example, I might make my password using one of four numbers. The resulting key could be one of 32 numbers. To make them equally secure against brute forcing, it need to take as long to test one of the four keys as it would to test seven of the 32 keys (32 / 4 - 1 because the resulting 1/32 must also be tested). To protect against rainbow tables, adding a salt would also be helpful.

PBKDF2 accomplishes those above tasks of slowing the process and uses a salt. Unless you're running your output from it through something that has a comparatively slow operation process, then taking the output from PBKDF2 would be appropriate.

Other key strengthening designs such as bcrypt can also be an option. In any method you use, make sure that your output is at least as many bits as your key needs to be. You can hash to a smaller size, but never use hashing to get a longer key.

Thanks for the answer! However, in this case, I want to ensure there are two independent pieces of information required to allow decryption of the encrypted contents. That said, `HMAC(key, password)` should be an acceptable approach, no? — Stephen Touset, Sep 12 '12 at 03:22
Or, thinking further, would you simply use `PBKDF2('SHA256', password, key, iterations)`, where `key` is a secret key used as the salt? — Stephen Touset, Sep 12 '12 at 07:46

score 3 · Answer 2 · answered Sep 12 '12 at 16:26

There are two methods, either using PBKDF2 (RFC 2898) with your master password and a salt to generate the symmetric key (where the salt is the random string you reference), or you use the HMAC-based Extract-and-Expand Key Derivation Function from RFC 5869 to generate the symmetric key from your master password, a salt, and some key-specific information.

Note: HKDF is only appropriate if your master password has high entropy & length as it does not iterate like PBKDF2.

bcrypt & scrypt are other possibilites.

Yep, PBKDF2 with secret key as salt is what I realized when replying to the previous post. — Stephen Touset, Sep 12 '12 at 18:37

Best practice for password-protecting a secret key

2 Answers2