0

I have unique identifiers that I would like to keep secure and provide information about them through tokens. These tokens should be verifiable after using the same algorithm on the other end system with the presented ID and comparing these values.

I am thinking of using PBKDF2 as a one-way function to get such tokens from IDs. But to be verifiable I should use the same SALT everywhere.

Are there any security issues related to using the same SALT in PBKDF2 for all IDs?

user1563721

1 Answer

3

Are there any security issues related to using the same SALT in PBKDF2 for all IDs?

Yes, you can build a rainbow table or brute force the IDs.

An attacker could build up a table with tokens. Once the table exists the attacker can try all possible IDs until one of them matches. That way the function is reversible and your requirement to keep the ID secure has faltered.

Of course if the ID has enough entropy then the brute force attack will be impossible. But in that case you would not need the PBKDF2 function in the first place.


I don't see why you could not store a salt with a specific token by the way. Generally tokens are short lived.


Disclaimer: this is just a direct answer to the question, not a protocol analysis.

Maarten Bodewes
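The following is an added example, not part of the original question or answer. It shows the point made in the answer: with one shared salt, a single pass over a small ID space resolves every token, while a random salt stored with each token still verifies but no longer matches that table. The salt value, iteration count and three-digit ID space are constructed assumptions for the demo.

```python
import hashlib
import hmac
import os

ITERATIONS = 1_000            # low so the demo runs quickly (assumption, not a recommendation)
FIXED_SALT = b"shared-salt"   # constructed stand-in for the salt used "everywhere"
ID_SPACE = [f"{n:03d}" for n in range(1_000)]  # constructed low-entropy ID space


def token(identifier: str, salt: bytes) -> bytes:
    """Derive a token from an ID with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", identifier.encode(), salt, ITERATIONS)


def build_table(salt: bytes, ids=ID_SPACE) -> dict:
    """One pass over the ID space; valid for every token made with this salt."""
    return {token(i, salt): i for i in ids}


def issue_salted(identifier: str) -> tuple:
    """Issue a token with its own random salt, stored alongside the token."""
    salt = os.urandom(16)
    return salt, token(identifier, salt)


def verify_salted(identifier: str, salt: bytes, tok: bytes) -> bool:
    """Verifier recomputes from the presented ID and the stored salt."""
    return hmac.compare_digest(token(identifier, salt), tok)


if __name__ == "__main__":
    table = build_table(FIXED_SALT)
    # Fixed salt: every issued token maps straight back to its ID.
    for secret_id in ("042", "917"):
        print("fixed salt :", secret_id, "->", table.get(token(secret_id, FIXED_SALT)))
    # Per-token salt: the same table no longer matches, yet verification works.
    salt, tok = issue_salted("042")
    print("per-token  : in table =", tok in table,
          "| verifies =", verify_salted("042", salt, tok))
```

A per-token salt only removes the shared table; if the ID space is this small, each token can still be searched individually, which is why the entropy of the ID remains the deciding factor.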