
I am a bit confused about key derivation functions. I am trying to use the argon2 KDF from the passlib python module to do the following:

  1. The user provides a password which I provide to the hash function combined with a salt (which is autogenerated by the function)
  2. I use the resulting hash as a master key to encrypt some other key(s) along with some data about some system, for example a set of files. The salt is also stored alongside this data (but not encrypted).

My confusion comes from the fact that the library only provides the hash results in the form of strings which may be used to identify if the user of some website typed in the correct password, for example the string

'$argon2i$v=19$m=512,t=2,p=2$aI2R0hpDyLm3ltLa+1/rvQ$LqPKjd6n8yniKtAithoR7A'

as shown in this example.

Can I use a KDF like argon2 for this purpose? Of course I would have to extract the key and the salt along with the settings from this string to make this work.

HerpDerpington
  • 245
  • 2
  • 7

1 Answer

2

Can I use a KDF like argon2 for this purpose? Of course I would have to extract the key and the salt along with the settings from this string to make this work.

Yes, but preferably you would not use the part of the function that creates a string.

Basically a password hash and PBKDF (password based key derivation function) are identical functions. The string that is put out is not part of a description of a PBKDF though, it is the output that is generated if it is used as a password hash (and then only for a specific format).

It is a bit annoying if the string is the only possible output, because the last part of the string is the password hash in base 64 (it's the "digest" in this description). Now strings are pretty hard to delete from memory in most runtime environments, so you cannot easily clean up after decoding the derived key.

Preferably then you'd find or isolate the PBKDF function itself and use the resulting byte array before it is encoded. Or you could of course use another library that provides this functionality.

Maarten Bodewes
  • 96,351
  • 14
  • 169
  • 323
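Both things discussed above, pulling the settings, salt and digest back out of the PHC-format string the question quotes, and the answer's advice to call the key derivation function directly and work with its raw byte output, can be shown in a few lines. The code below is an added example, not code from either poster or from passlib. It assumes the argon2-cffi package's `argon2.low_level.hash_secret_raw` is available for the argon2 path; the `hashlib.scrypt` function from the standard library is used only to demonstrate the same raw-bytes pattern without a third-party dependency (scrypt is a different KDF, not argon2). The sample string and password are constructed for the example.

```python
import base64
import hashlib
import hmac

# Sample input: the PHC-format string quoted in the question (constructed test data).
EXAMPLE_PHC = "$argon2i$v=19$m=512,t=2,p=2$aI2R0hpDyLm3ltLa+1/rvQ$LqPKjd6n8yniKtAithoR7A"


def _b64decode_nopad(s: str) -> bytes:
    """PHC strings use standard base64 without '=' padding; restore it before decoding."""
    return base64.b64decode(s + "=" * (-len(s) % 4))


def parse_phc(encoded: str) -> dict:
    """Split a PHC argon2 string into algorithm, version, settings, salt and digest.

    Layout: $<algorithm>$v=<version>$m=<kib>,t=<passes>,p=<lanes>$<salt>$<digest>
    The digest is the value the answer calls the password hash; the salt is the
    value the question wants to store unencrypted next to the protected data.
    """
    fields = encoded.split("$")
    if len(fields) != 6 or fields[0] != "":
        raise ValueError("not a PHC-format argon2 string")
    _, algorithm, version, params, salt_b64, digest_b64 = fields
    if not algorithm.startswith("argon2") or not version.startswith("v="):
        raise ValueError("unsupported algorithm or version field")
    settings = {k: int(v) for k, v in (item.split("=") for item in params.split(","))}
    return {
        "algorithm": algorithm,
        "version": int(version[2:]),
        "settings": settings,
        "salt": _b64decode_nopad(salt_b64),
        "digest": _b64decode_nopad(digest_b64),
    }


def derive_master_key_argon2(password: bytes, salt: bytes, algorithm: str,
                             settings: dict, version: int = 19,
                             key_len: int = 32) -> bytearray:
    """Raw argon2 derivation via argon2-cffi's low-level API (assumed installed).

    Returns a bytearray rather than str so the caller can overwrite it in place.
    """
    from argon2.low_level import Type, hash_secret_raw  # assumption: argon2-cffi present
    variant = {"argon2i": Type.I, "argon2d": Type.D, "argon2id": Type.ID}[algorithm]
    raw = hash_secret_raw(password, salt,
                          time_cost=settings["t"], memory_cost=settings["m"],
                          parallelism=settings["p"], hash_len=key_len,
                          type=variant, version=version)
    return bytearray(raw)


def derive_master_key_scrypt(password: bytes, salt: bytes, key_len: int = 32) -> bytearray:
    """Same raw-bytes pattern with the standard library's scrypt (stand-in, not argon2)."""
    raw = hashlib.scrypt(password, salt=salt, n=2 ** 14, r=8, p=1, dklen=key_len)
    return bytearray(raw)


def subkey(master: bytearray, label: bytes, length: int = 32) -> bytes:
    """Derive a purpose-specific key (e.g. one for wrapping the data keys) from the master key."""
    return hmac.new(bytes(master), label, hashlib.sha256).digest()[:length]


def wipe(buf: bytearray) -> None:
    """Overwrite a mutable key buffer; this is what a str result would not allow."""
    for i in range(len(buf)):
        buf[i] = 0


if __name__ == "__main__":
    parsed = parse_phc(EXAMPLE_PHC)
    print(parsed["algorithm"], parsed["version"], parsed["settings"],
          len(parsed["salt"]), "byte salt", len(parsed["digest"]), "byte digest")

    master = derive_master_key_scrypt(b"example-password", parsed["salt"])
    wrap_key = subkey(master, b"key-wrapping")
    mac_key = subkey(master, b"integrity")
    wipe(master)
    print("wrap key", wrap_key.hex()[:16] + "...", "mac key", mac_key.hex()[:16] + "...")
```

The point of returning a `bytearray` is the cleanup problem the answer raises: a `str` or `bytes` object cannot be overwritten, whereas `wipe()` zeroes the buffer once the purpose-specific keys have been derived from it. The settings carried in the question's example string (m=512 KiB, t=2, p=2) are simply what that string contains; pick parameters for a real deployment by measuring cost on the target machine.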