
I'm currently implementing, with Crypto++, an AES transmission system whose key is based on a previous MasterSecret of 256 bits (which has been expanded using PBKDF2).

This MasterSecret is then split into a key and an iv, to encrypt a message using AES-GCM.

I must work with AES-256, so my key must be 256-bit long. The iv for GCM is always 128-bit long.

So, briefly, I must extract from a 256-bit MasterSecret a 256-bit key and a 128-bit IV.

How to do it?

I thought of taking the MasterSecret as the key, and then hashing the key to then get the iv of the desired length.

Is there a more efficient/elegant way to obtain 384 bits from a 256-bit MasterSecret?

otus
3isenHeim

1 Answer


You don't actually need 384 bits of key material. The IV for GCM does not need to be secret, and may be chosen deterministically, e.g. as an incremental counter. Thus, you only need 256 bits for the AES key, which you already have.

That said, if you did actually need more key material, you could use any standard KDF to expand your 256 bits. Since you presumably already have a 256-bit hash function available (for PBKDF2), I'd personally suggest using HKDF-Expand. Since your master secret is already a pseudorandom bit string, you may safely skip the Extract part of HKDF; see §3.3 of the RFC.

(You could also request more bytes directly from PBKDF2, but this is rather needlessly inefficient. If you need more than one hash block of output from PBKDF2, it's better to combine it with a key-based KDF such as HKDF. Technically, you could also use a second PBKDF2 pass with an iteration count of 1 instead of HKDF, but this feels a bit "untidy", as PBKDF2 was not really designed to be used like this.)

Ilmari Karonen
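The HKDF-Expand step the answer recommends, as an added example that is not part of the original post or of Crypto++: it expands the 256-bit master secret (treated as the PRK, skipping Extract per RFC 5869 §3.3) into a 256-bit AES key and a 128-bit IV base, and builds per-message IVs from a counter so the same (key, IV) pair is never reused. The function names, the info label and the 12-byte-prefix + 4-byte-counter IV layout are this example's own assumptions.

```python
import hmac
import hashlib


def hkdf_expand(prk: bytes, info: bytes, length: int, hash_name: str = "sha256") -> bytes:
    """RFC 5869 section 2.3: T(i) = HMAC-Hash(PRK, T(i-1) || info || i), OKM = T(1) || T(2) || ..."""
    hash_len = hashlib.new(hash_name).digest_size
    if length > 255 * hash_len:
        raise ValueError("HKDF-Expand can emit at most 255 * HashLen bytes")
    okm, t, i = b"", b"", 1
    while len(okm) < length:
        t = hmac.new(prk, t + info + bytes([i]), hash_name).digest()
        okm += t
        i += 1
    return okm[:length]


def derive_key_and_iv(master_secret: bytes) -> tuple[bytes, bytes]:
    """Split 48 bytes of OKM into a 32-byte AES-256 key and a 16-byte IV base.

    The master secret is already pseudorandom (PBKDF2 output), so it is used
    directly as the PRK and the Extract step is skipped (RFC 5869 section 3.3).
    """
    if len(master_secret) != 32:
        raise ValueError("expected a 256-bit master secret")
    okm = hkdf_expand(master_secret, b"example aes-256-gcm key+iv", 48)  # label is an assumption
    return okm[:32], okm[32:]


def message_iv(iv_base: bytes, counter: int) -> bytes:
    """Per-message 128-bit GCM IV: 12 derived bytes followed by a 32-bit message counter.

    GCM is only secure if no IV is ever reused under the same key, so the counter
    must be strictly increasing per key; the IV itself does not need to be secret.
    """
    if not 0 <= counter < 2**32:
        raise ValueError("counter exhausted: rotate the key before reusing IVs")
    return iv_base[:12] + counter.to_bytes(4, "big")


if __name__ == "__main__":
    # Self-check against RFC 5869 test case 1 (PRK, info and expected OKM from the RFC).
    prk = bytes.fromhex("077709362c2e32df0ddc3f0dc47bba6390b6c73bb50f9c3122ec844ad7c2b3e5")
    okm = hkdf_expand(prk, bytes.fromhex("f0f1f2f3f4f5f6f7f8f9"), 42)
    assert okm.hex() == "3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf34007208d5b887185865"
    key, iv_base = derive_key_and_iv(b"\x11" * 32)  # constructed master secret, not a real one
    print(key.hex(), message_iv(iv_base, 1).hex())
```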