
SHA-256 generates a 32-byte hash. Is it safe practice to use the first 16 bytes as an IV (nonce) and the second 16 bytes as a key?
What other things should I consider when using PBKDF2 in a scenario like this?

Mohamed Waleed

1 Answer


Yes, you can use part of the output of the PBKDF2 function as the encryption key, and part of the output as the IV. This is exactly how openssl enc does it.

PBKDF2 accepts a parameter for the number of bits in the output. If you are using 128-bit AES, then you can set PBKDF2 to generate a 256-bit output and use 128 bits for the key and 128 bits for the IV. If you are using 256-bit AES, then you can set PBKDF2 to generate a 384-bit output and use 256 bits for the key, and 128 bits for the IV.

mti2935
  • That was a mistake... I meant 32-byte, not bit. – Mohamed Waleed Jul 27 '21 at 21:03
  • I know that I can specify the number of output bytes. It is a bad practice when the output size is larger than the hash alg output size. What about if the output size is smaller than the hash alg output size? Isn't it best to use the whole output result? – Mohamed Waleed Jul 27 '21 at 21:10
  • No, it's not bad practice if the PBKDF2 output is larger than the hash algorithm size. In that case, the PBKDF2 function just combines successive hash outputs to create a PBKDF2 output of the desired size. – mti2935 Jul 27 '21 at 21:28
  • @mti2935, but this will cost me more performance while not costing the attacker anything, or am I not understanding correctly? – Mohamed Waleed Jul 27 '21 at 21:33
  • Can you describe the attack scenario? – mti2935 Jul 27 '21 at 21:46
  • [check this answer](https://security.stackexchange.com/a/58450/260902), [check last paragraph in this answer](https://security.stackexchange.com/a/53917/260902) – Mohamed Waleed Jul 27 '21 at 22:01
  • Yes, if you use PBKDF2 to generate a 384-bit key from a *known* password using 10,000 rounds of SHA256, your CPU may actually be doing 20,000 rounds of SHA256. But this is still nothing compared to the number of rounds of hashing that an attacker would need to do to crack an *unknown* password. – mti2935 Jul 27 '21 at 23:41
  • Yes, the main problem of doing so is that the performance is doubled, so it is considered bad. What I mean by not costing the attacker anything is that it won't be different for him if I used more than the native hash algorithm output size. – Mohamed Waleed Jul 28 '21 at 00:00
  • Yes, if this is a concern for you, then you might want to consider using a newer key derivation function. – mti2935 Jul 28 '21 at 00:39
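The following is an added example (not code from the question, the answer, or openssl) that shows both points made above: deriving a key and an IV from one PBKDF2 output and splitting it, and why asking for more bytes than the hash length doubles the work. It contains a small reference implementation of PBKDF2-HMAC-SHA256 (RFC 8018 §5.2) that counts PRF invocations and is checked against `hashlib.pbkdf2_hmac`; the password, salt, and iteration count are constructed sample values.

```python
import hashlib
import hmac
import math
import os

H_LEN = hashlib.sha256().digest_size  # 32 bytes for SHA-256


def pbkdf2_hmac_sha256(password: bytes, salt: bytes, iterations: int, dk_len: int):
    """Reference PBKDF2-HMAC-SHA256 per RFC 8018 §5.2.

    Returns (derived_key, prf_calls). The output is built from
    ceil(dk_len / H_LEN) independent blocks T_1, T_2, ..., each costing
    `iterations` HMAC calls, so a 48-byte request costs twice as much as a
    32-byte one while a 16-byte request costs the same as a 32-byte one.
    """
    n_blocks = math.ceil(dk_len / H_LEN)
    prf_calls = 0
    out = b""
    for i in range(1, n_blocks + 1):
        # U_1 = PRF(P, S || INT(i)); the block index is a 4-byte big-endian counter
        u = hmac.new(password, salt + i.to_bytes(4, "big"), hashlib.sha256).digest()
        prf_calls += 1
        t = int.from_bytes(u, "big")
        for _ in range(iterations - 1):
            # U_j = PRF(P, U_{j-1}); T_i = U_1 xor U_2 xor ... xor U_c
            u = hmac.new(password, u, hashlib.sha256).digest()
            prf_calls += 1
            t ^= int.from_bytes(u, "big")
        out += t.to_bytes(H_LEN, "big")
    return out[:dk_len], prf_calls


def matches_stdlib(password: bytes, salt: bytes, iterations: int, dk_len: int) -> bool:
    """Sanity check: the reference implementation agrees with hashlib."""
    ours, _ = pbkdf2_hmac_sha256(password, salt, iterations, dk_len)
    theirs = hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dk_len)
    return hmac.compare_digest(ours, theirs)


def derive_key_and_iv(password: bytes, salt: bytes, iterations: int,
                      key_len: int, iv_len: int):
    """Derive key || IV in one PBKDF2 call and split it, as the answer describes.

    The salt must be fresh and random for every encryption (it is stored next
    to the ciphertext, not secret): with a fixed salt the same password would
    yield the same key *and* the same IV every time.
    """
    dk = hashlib.pbkdf2_hmac("sha256", password, salt, iterations, key_len + iv_len)
    return dk[:key_len], dk[key_len:]


if __name__ == "__main__":
    password = b"correct horse battery staple"   # constructed sample password
    salt = os.urandom(16)                        # fresh per encryption
    iterations = 10_000                          # constructed sample cost

    # AES-256 key + 16-byte IV = 48 bytes -> two SHA-256 blocks -> 2x the work
    _, calls_48 = pbkdf2_hmac_sha256(password, salt, iterations, 48)
    # AES-128 key + 16-byte IV = 32 bytes -> one block, no extra work
    _, calls_32 = pbkdf2_hmac_sha256(password, salt, iterations, 32)
    print(f"48-byte output: {calls_48} HMAC calls; 32-byte output: {calls_32} HMAC calls")

    key, iv = derive_key_and_iv(password, salt, iterations, 32, 16)
    print("key:", key.hex())
    print("iv: ", iv.hex())
    print("reference matches hashlib:", matches_stdlib(password, salt, iterations, 48))
```

The PRF counter makes the cost argument from the comments concrete: the legitimate user pays for every extra block, and an attacker guessing passwords pays the same per guess, so a longer output changes neither side's relative position. Splitting a single derived buffer (rather than deriving the key and IV with two separate PBKDF2 calls) keeps the cost to one derivation and matches the `openssl enc` layout the answer refers to.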