Question
I have an encryption scheme that uses a 256-bit master key, from which 2 separate keys (one for AES-256-CTR encryption and one for an HMAC-SHA256) are derived using HKDF. However, I'm not sure exactly how to utilize HKDF without screwing it up, so straight to my concerns:
Is it safe to just use SHA-512 as the hashing algorithm to get a 512-bit output and split it in 2?
I know that using salt is not mandatory, but does using it actually improve security?
I know this might be a dumb idea, but still ... can the salt be the IV used for encryption?
Explanation / Answer
Yes. You can either use HKDF-expand twice with different info values, or once with a longer output length.
Depends. If your 256-bit master key is generated using a secure RNG, a salt is unnecessary. OTOH, if it's derived from something with less entropy, like a password, having unique salts would ensure uniqueness of derived keys even if the master keys happened to match for two users or sessions.
Probably not a good idea, but whether it's secure depends on how the IV is chosen.
HKDF assumes that the salt is not attacker-chosen. If an attacker can influence the IV, then that's a definite no. OTOH, if the IV is known to be completely independent of the key, it should be secure, since CTR doesn't place any requirements on the IV beyond uniqueness.
Still, if you can just create another random number to use as a salt, it's simpler to do that. And if you can't be sure the salt isn't attacker-controlled, it's better to leave it out altogether.
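The two derivation options from the answer (one expand call with a longer output that is split, or two expand calls with distinct info labels), worked through as an added example that is not part of the original answer. It implements RFC 5869 HKDF over the standard library, checks itself against RFC 5869 test case 1, and uses a constructed all-zero master key and the info labels as assumptions.

```python
import hashlib
import hmac


def hkdf_extract(salt: bytes, ikm: bytes, hash_name: str = "sha256") -> bytes:
    """RFC 5869 extract step: PRK = HMAC(salt, IKM).
    An absent salt is replaced by HashLen zero bytes, as the RFC specifies."""
    hash_len = hashlib.new(hash_name).digest_size
    return hmac.new(salt or b"\x00" * hash_len, ikm, hash_name).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int, hash_name: str = "sha256") -> bytes:
    """RFC 5869 expand step: T(i) = HMAC(PRK, T(i-1) || info || i), concatenated."""
    hash_len = hashlib.new(hash_name).digest_size
    if length > 255 * hash_len:
        raise ValueError("requested length exceeds 255 * HashLen")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hash_name).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_split(master_key: bytes, salt: bytes = b"") -> tuple:
    """Option 1: a single expand with a 64-byte output (one SHA-512 block),
    split into a 32-byte encryption key and a 32-byte MAC key."""
    prk = hkdf_extract(salt, master_key, "sha512")
    okm = hkdf_expand(prk, b"aes-256-ctr + hmac-sha256 keys", 64, "sha512")  # assumed label
    return okm[:32], okm[32:]


def derive_two_infos(master_key: bytes, salt: bytes = b"") -> tuple:
    """Option 2: two expand calls from the same PRK with different info labels,
    so each key is bound to its purpose."""
    prk = hkdf_extract(salt, master_key, "sha256")
    enc_key = hkdf_expand(prk, b"aes-256-ctr encryption key", 32)   # assumed label
    mac_key = hkdf_expand(prk, b"hmac-sha256 authentication key", 32)  # assumed label
    return enc_key, mac_key


def rfc5869_self_check() -> bool:
    """Compare against RFC 5869 test case 1 (SHA-256) to confirm the implementation."""
    ikm, salt, info = b"\x0b" * 22, bytes(range(13)), bytes(range(0xF0, 0xFA))
    prk = hkdf_extract(salt, ikm)
    okm = hkdf_expand(prk, info, 42)
    return (prk.hex() == "077709362c2e32df0ddc3f0dc47bba6390b6c73bb50f9c3122ec844ad7c2b3e5"
            and okm.hex() == "3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf"
                             "34007208d5b887185865")


if __name__ == "__main__":
    master = b"\x00" * 32  # constructed sample master key; use a CSPRNG in practice
    print("RFC 5869 self-check:", rfc5869_self_check())
    enc, mac = derive_two_infos(master)
    print("enc", enc.hex(), "\nmac", mac.hex())
```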