3

According to Wikipedia, ECIES requires a key derivation function. I already have an implementation of PBKDF2-HMAC-SHA256 in my library, so I could use this.

Is PBKDF2-HMAC-SHA256 (salted of course) sufficient as a KDF? Or should I use another KDF?

K. Biermann
  • You could use unsalted PBKDF2-HMAC-SHA256 with a single iteration. Personally I'd rather use HKDF or even a plain hash. – CodesInChaos May 24 '15 at 10:47
  • @CodesInChaos I would prefer KDF1 or KDF2 for the simple reason that you can claim you used an actual KDF. It's not much more than a hash anyway - creating & including a 4 byte counter is not *that* much work. Makes it easier to derive more keys later too. – Maarten Bodewes May 24 '15 at 12:07

1 Answer

2

Why would you do that? It's the Password-Based Key Derivation Function 2, and ECIES doesn't work with a password but with a DH shared secret, thus not suffering from the same issues that plague passwords (such as low entropy-density).

Not to say it wouldn't suffice, but if you need something a straight hash or HMAC doesn't provide, KDF1 and KDF2 are your friends.
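
The counter-based KDF1 and KDF2 and the HKDF alternative mentioned in the comments, as an added example that is not part of the original posts. SHA-256, the function names, the 16-byte encryption key and 32-byte MAC key lengths, and `SAMPLE_Z` (a constructed stand-in for the ECDH shared secret) are assumptions.

```python
import hashlib
import hmac

HASH_LEN = hashlib.sha256().digest_size  # 32 bytes

def _counter_kdf(z: bytes, length: int, shared_info: bytes, start: int) -> bytes:
    """SHA-256(Z || 4-byte big-endian counter || shared_info), concatenated, truncated."""
    if length <= 0:
        raise ValueError("length must be positive")
    blocks = -(-length // HASH_LEN)  # ceiling division
    if start + blocks - 1 > 0xFFFFFFFF:
        raise ValueError("output too long for a 32-bit counter")
    out = b"".join(
        hashlib.sha256(z + ctr.to_bytes(4, "big") + shared_info).digest()
        for ctr in range(start, start + blocks)
    )
    return out[:length]

def kdf1(z: bytes, length: int, shared_info: bytes = b"") -> bytes:
    return _counter_kdf(z, length, shared_info, start=0)  # counter starts at 0

def kdf2(z: bytes, length: int, shared_info: bytes = b"") -> bytes:
    return _counter_kdf(z, length, shared_info, start=1)  # counter starts at 1

def hkdf_sha256(ikm: bytes, length: int, salt: bytes = b"", info: bytes = b"") -> bytes:
    """HKDF (RFC 5869): extract with HMAC(salt, ikm), then expand with a 1-byte counter."""
    if not 0 < length <= 255 * HASH_LEN:
        raise ValueError("length out of range for HKDF")
    prk = hmac.new(salt or bytes(HASH_LEN), ikm, hashlib.sha256).digest()
    okm, block = b"", b""
    for i in range(1, -(-length // HASH_LEN) + 1):
        block = hmac.new(prk, block + info + bytes([i]), hashlib.sha256).digest()
        okm += block
    return okm[:length]

def ecies_keys(z: bytes, kdf=kdf2, enc_len: int = 16, mac_len: int = 32):
    """Derive one run of key material and split it into (enc_key, mac_key)."""
    material = kdf(z, enc_len + mac_len)
    return material[:enc_len], material[enc_len:]

# Constructed stand-in for the ECDH shared secret; not taken from a real exchange.
SAMPLE_Z = bytes(range(1, 33))

if __name__ == "__main__":
    for name, kdf in (("KDF1", kdf1), ("KDF2", kdf2), ("HKDF", hkdf_sha256)):
        enc_key, mac_key = ecies_keys(SAMPLE_Z, kdf)
        print(name, enc_key.hex(), mac_key.hex())
```

Both sides of an exchange must agree on the KDF variant, the hash and any `shared_info`, since each choice changes the derived keys.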