0

This is a setup to produce a secret key for symmetrical encryption with TweetNaCl:

  1. K1 consists of 32 random bytes

  2. K2 consists of 32 random bytes

  3. KC is the concatenation of K1 and K2

  4. K consists of the first 32 bytes of the SHA-512 sum of KC

By "random" I mean "obtained from /dev/urandom".

Questions:

  1. Is it safe to use K as a secret key? ("safe" meaning "as safe as using 32 random bytes"; it is assumed that K1, K2 and K are kept secret)

  2. If an attacker gets his hands on K1 or K2 (but not on both), does he obtain any real advantage?

Rationale: keep K1 and K2 in separate media (e.g., K1 on paper and K2 on disk)

Maarten Bodewes
  • 96,351
  • 14
  • 169
  • 323

1 Answer

2
  1. Is it safe to use K as a secret key? ("safe" meaning "as safe as using 32 random bytes"; it is assumed that K1, K2 and K are kept secret)

Although SHA-512 is not a KDF, and although it is required that the hash has properties that are not mandatory to be used as a KDF, most people assume it is secure, yes.

  2. If an attacker gets his hands on K1 or K2 (but not on both), does he obtain any real advantage?

No, the attacker shouldn't gain advantage that way.

Kind of related is the security of KDF1 and KDF2. Hash should be considered a poor man's KDF. For a better KDF, use HKDF or just HKDF-expand.

Maarten Bodewes
  • 96,351
  • 14
  • 169
  • 323
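Added example, not code from the question or the answer: the four-step derivation from the question (K = first 32 bytes of SHA-512(K1 || K2)) beside the HKDF derivation the answer recommends, written with the Python standard library only. The HKDF functions follow RFC 5869 and are checked against its first test vector; the `info` label and the fixed sample values for K1/K2 are constructed for illustration, and the key size constant is TweetNaCl's 32-byte secretbox key length. Encryption itself is not shown because it needs a NaCl binding that is not part of the standard library.

```python
"""Derive a 32-byte TweetNaCl secretbox key from two 32-byte random parts.

Two derivations are shown:
  * derive_key_sha512: the scheme from the question (SHA-512, truncated)
  * derive_key_hkdf:   the HKDF-based scheme the answer recommends
"""
import hashlib
import hmac
import os

KEY_BYTES = 32  # TweetNaCl crypto_secretbox_KEYBYTES


def random_part() -> bytes:
    """Steps 1 and 2: 32 bytes from the OS CSPRNG (/dev/urandom on Linux)."""
    return os.urandom(KEY_BYTES)


def derive_key_sha512(k1: bytes, k2: bytes) -> bytes:
    """Steps 3 and 4: KC = K1 || K2, K = SHA-512(KC)[:32]."""
    if len(k1) != KEY_BYTES or len(k2) != KEY_BYTES:
        raise ValueError("K1 and K2 must each be 32 bytes")
    return hashlib.sha512(k1 + k2).digest()[:KEY_BYTES]


def hkdf_extract(salt: bytes, ikm: bytes, hash_name: str = "sha512") -> bytes:
    """RFC 5869 extract: PRK = HMAC(salt, IKM); empty salt -> HashLen zero bytes."""
    if not salt:
        salt = b"\x00" * hashlib.new(hash_name).digest_size
    return hmac.new(salt, ikm, hash_name).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int, hash_name: str = "sha512") -> bytes:
    """RFC 5869 expand: T(i) = HMAC(PRK, T(i-1) || info || i), OKM = T(1) || T(2) ..."""
    hash_len = hashlib.new(hash_name).digest_size
    if length > 255 * hash_len:
        raise ValueError("requested length exceeds 255 * HashLen")
    okm = b""
    t = b""
    counter = 1
    while len(okm) < length:
        t = hmac.new(prk, t + info + bytes([counter]), hash_name).digest()
        okm += t
        counter += 1
    return okm[:length]


def derive_key_hkdf(k1: bytes, k2: bytes, info: bytes = b"tweetnacl secretbox key") -> bytes:
    """K1 || K2 is already uniformly random, so extract is optional here
    (the answer's "just HKDF-expand"); the full extract-then-expand form is
    used so the same code also works for non-uniform input material.
    The info label is a constructed assumption, not something from the page."""
    if len(k1) != KEY_BYTES or len(k2) != KEY_BYTES:
        raise ValueError("K1 and K2 must each be 32 bytes")
    prk = hkdf_extract(b"", k1 + k2)
    return hkdf_expand(prk, info, KEY_BYTES)


def rfc5869_case1_ok() -> bool:
    """Self-check of the HKDF code against RFC 5869 test case 1 (SHA-256)."""
    ikm = b"\x0b" * 22
    salt = bytes(range(0x00, 0x0D))
    info = bytes(range(0xF0, 0xFA))
    prk = hkdf_extract(salt, ikm, "sha256")
    okm = hkdf_expand(prk, info, 42, "sha256")
    expected_prk = bytes.fromhex(
        "077709362c2e32df0ddc3f0dc47bba6390b6c73bb50f9c3122ec844ad7c2b3e5")
    expected_okm = bytes.fromhex(
        "3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf"
        "34007208d5b887185865")
    return prk == expected_prk and okm == expected_okm


if __name__ == "__main__":
    assert rfc5869_case1_ok()
    k1, k2 = random_part(), random_part()   # K1 on paper, K2 on disk, per the question
    print("SHA-512 scheme:", derive_key_sha512(k1, k2).hex())
    print("HKDF scheme:   ", derive_key_hkdf(k1, k2).hex())
```

Both functions are deterministic in (K1, K2), so the key can be recomputed later from the two stored halves; with either derivation, someone holding only one half faces the full 256 bits of entropy in the other.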