When doing password-based encryption, is it OK to create one instance of PBKDF2 from the password, and then use it to create both the AES key and the MAC key? (Or should a new instance of PBKDF2 be created using a different salt or iteration count, for each?)

This answer seems to say this isn't a good idea. While this one seems to say it is. Am I misunderstanding one of them? (Or both.)

(And by the way, the first is marked as a duplicate of a question which deals with an initially strong key, while it itself deals with a simple passphrase.)

ispiro

1 Answer

From a security point of view, deriving lots of key material using PBKDF2 is ok.

From a practical point of view, deriving lots of key material using PBKDF2 is inefficient (in the sense that to generate $n$ blocks and increase the adversary's work by $t$, you do work $nt$, instead of $n+t$).

A more practical solution uses PBKDF2 to generate a short string and a suitable generator (probably HMAC-based) to produce lots of key material. Typically:

$$k_0 \leftarrow \mathrm{PBKDF2}(pw, \dots)$$

$$\text{key material} \leftarrow \mathrm{HMAC}(k_0, 1) \,\|\, \mathrm{HMAC}(k_0, 2) \,\|\, \mathrm{HMAC}(k_0, 3) \,\|\, \dots$$

K.G.
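The construction from the answer above, written out as an added example (not code from the original answer): one PBKDF2 call produces $k_0$, and HMAC in counter mode expands it into an AES key and a MAC key. The iteration count, SHA-256, the 4-byte big-endian counter encoding and all function names are assumptions; `derive_keys_direct` is the "ask PBKDF2 for everything" alternative from the question, included for comparison.

```python
import hashlib
import hmac

ITERATIONS = 200_000  # assumed work factor; the answer does not give one


def master_key(password: bytes, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """k0 <- PBKDF2(pw, ...): one slow call, exactly one SHA-256 block of output."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dklen=32)


def expand(k0: bytes, length: int) -> bytes:
    """HMAC(k0, 1) || HMAC(k0, 2) || ... truncated to `length` bytes.

    The 4-byte big-endian counter encoding is an assumption.
    """
    out = b""
    counter = 1
    while len(out) < length:
        out += hmac.new(k0, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def derive_keys(password: bytes, salt: bytes, iterations: int = ITERATIONS):
    """Return (aes_key, mac_key), 32 bytes each, at the cost of one PBKDF2 block."""
    material = expand(master_key(password, salt, iterations), 64)
    return material[:32], material[32:]


def derive_keys_direct(password: bytes, salt: bytes, iterations: int = ITERATIONS):
    """The alternative from the question: ask PBKDF2 itself for 64 bytes.

    PBKDF2 computes each 32-byte block with its own full iteration loop, so
    this costs the defender twice the iterations of master_key().
    """
    material = hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dklen=64)
    return material[:32], material[32:]


if __name__ == "__main__":
    salt = bytes(16)  # constructed sample; use os.urandom(16) per password in practice
    aes_key, mac_key = derive_keys(b"correct horse battery staple", salt)
    print(aes_key.hex(), mac_key.hex())
```

The first 32 bytes returned by `derive_keys_direct` equal `master_key` for the same inputs, which makes the $nt$ versus $n+t$ point concrete: the second PBKDF2 block doubles the defender's work, while an attacker testing password guesses against one key only has to compute one block.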