
I am still not very clear on how AES-256-CBC can use SHA-512-bit keys, but I assume that it just truncates the 512-bit hash down to 256 bits. In software like GnuPG and OpenPGP, is there any real benefit to using a SHA-512 key over a SHA-256 key with the AES-256-CBC block cipher?

user4191887

1 Answer


SHA-512 has both a larger internal state and a higher number of rounds than SHA-256, which means that it provides a higher bit strength. Somewhat surprisingly, it may also outperform SHA-256, as it uses a 64-bit word size, which works best on 64-bit processors. You can see a good comparison table on Wikipedia.

If fewer bits are required from SHA-512, then they are generally just taken from the left of the output (it doesn't matter which bits are used, this is just convention). There are also specialized constructs such as SHA-512/256 that use different initial values. This should be used in case the leakage of a partial hash is a problem within the specific protocol.

That said, there are no attacks on SHA-256 that come close to breaking that particular algorithm, so it can still be used with some kind of confidence.


There is no such thing as a SHA-256 or SHA-512 key. SHA-2 may be used to derive keys though, for instance using HKDF. For key derivation it is best to use the hash as part of an HMAC function to create a PRF.

As deviantfan commented, CBC requires an IV. The additional output of the SHA-512 function could be used to deliver those additional 128 bits.


For GPG specifically, RFC 4880: OpenPGP Message Format specifies in section 3.7.1.1: Simple S2K:

If the hash size is greater than the session key size, the high-order (leftmost) octets of the hash are used as the key.

This is also the method used for Salted S2K and Iterated and Salted S2K as those expand the Simple S2K function.


Note that there is a specialized SHA-512 version called SHA-512/256 standardized by NIST, which lets you use a version of SHA-512 with reduced output. It uses different constants, which could fend off some attacks, as the start of a hash may tell an attacker something about the full hash. Obviously it therefore produces different output than (the leftmost bytes of) SHA-512. SHA-512/256 should be used instead of SHA-512 in new protocols if your target platforms support it.

Maarten Bodewes