SHA512 vs HKDF key expansion

Question

I'm working on a secure file storage server. This server allows users to upload and download files based on a "seed". This "seed" is a 128-bit value.

From this 128-bit seed, we run SHA512 to derive a 256-bit key, 128-bit IV and 128-bit file identifier used to find the file on the server. The key and IV are then used to encrypt the file with AES in GCM mode. Only the file identifier is sent to the server at any point, encryption is done completely client side.

The only point at which I'm concerned here is the SHA512 of the 128-bit seed. Would there be any benefit to going to an HKDF based key expansion? It seems to be designed for this purpose, but considering we're able to achieve everything we need with a single invocation of SHA512 I'm unsure of the benefit. As far as I can tell, HKDF is still relying upon hash functions to randomly distribute entropy.

I understand there may be some theoretical benefit here, I'm just looking for details on how this benefit may work, what a theoretical attack might look like and if there's anything practical which could be used to exploit this today.

Answer 1

I'm not aware of any attacks on SHA-512 this way. I would create a small function to validate that the input size to SHA-512 is indeed identical to the seed size though, just in case. Even without that the function should be secure. Kind of related is my question about KDF1 and KDF2.

Note that implementation of HKDF-expand from a hash should be pretty easy, especially if a HMAC construction is already available. KDF1 or KDF2 would be even easier, it would probably be trickier to find test vectors for those KDF's though. So you might ask yourself why not to use HKDF-expand.

---

Generating a 256 bit key using a KDF over a 128 bit means that the security margin would remain at 128 bit. Basically it's fine as long as you don't claim a security margin of 256 bit. Just claiming AES-256 bit encryption would probably mean the same thing to most people.