1

Hypothetical. Lets say you have an application where you generate a master key from a user password using PBKDF2 (static salt) and then use the master key to derive two passwords keys for an encrypt-then-mac scheme using HKDF (unique salt per encryption).

The password would be shared by two individuals, who would then potentially share many messages. Each message would share the same master key, but would have unique encryption and MAC keys. Does this make sense, or is the unique salts in HKDF unnecessary?

Chris_F
  • 207
  • 1
  • 8

2 Answers2

4

Yes, the salt in the HKDF can provide for key separation between the encrypt-then-mac applications. If that's needed depends on the system, maybe using an IV/nonce is enough, it depends on how many messages you want to encrypt and the used encryption and MAC scheme basically.

Some other remarks:

  • we derive keys - not passwords - for ciphers and MAC algorithms;
  • using an authenticated cipher such as GCM mode instead of encrypt-then-mac would be wise, in that case you only need to derive one key;
  • you'd use a static salt with PBKDF2 to derive the same master key, it's probably best to only use a static salt if you need to reuse the key (which of course assumes that you also use the same password);
  • you may want to additionally use a separate KDF invocation to derive a "key check value" stored with the ciphertext to check that you've derived the correct master key (instead of having to rely on authentication tag failures).
Maarten Bodewes
  • 96,351
  • 14
  • 169
  • 323
0

Depending on the application, this may allow parallel attacks on multiple encrypted items.

To illustrate the problem, suppose I (the attacker) have a thousand encrypted files, each encrypted with a different user password, all of which used the same salt for PBKDF2 (but different ones for the HKDF stage). I can run a parallel attack like this:

Generate a list of password guesses. For each one:
    Compute key1 = PBKDF2(password guess, static salt)
    For each encrypted file:
        Compute key2 = HKDF(key1, file's salt)
        Test key2 (e.g. by checking the MAC)

The PBKDF2 step is slow, but I only have to do it once per password; once I've done that for a possible password, I can rapidly check it against all thousand files (since HKDF is fast). This gives me nearly a factor of a thousand speedup in my attack vs. what I'd have to do if each file used a different salt for PBKDF2.

(Actually, checking the MAC might be slow if the files are big. But still...)

Gordon Davisson
  • 648
  • 1
  • 4
  • 11