In general, keys for password-based key derivation are derived from a password hash such as the old PBKDF2 function or Argon2, possibly followed by another derivation function to derive data and authentication keys: $$K_{master} = \text{PBKDF}(pass, salt, factors, length, \ldots)$$.
A possible disadvantage is that it is impossible to update the factors, salt size or password without generating a different $K_{master}$.
Would the following simple way around this be secure?
- calculate the initial master key value: $$K_{master} = \text{PBKDF}(pass, salt, factors, length, \ldots)$$
- calculate a second master key value $$K_{master}' = \text{PBKDF}(pass', salt', factors', length, \ldots')$$ where each value other than the resulting key size $length$ may differ from the original scheme.
- calculate a key adjustment value using XOR $$A = K_{master} \oplus K_{master}'$$
- store this adjustment value $A$ with the other upgraded parameters / ciphertext.
Now in further operations, such as decryption of ciphertext that relies on the original $K_{master}$, you can simply calculate the second master key value $K_{master}'$ and perform $K_{master} = K_{master}' \oplus A$.
Are there any drawbacks to using this scheme? Does it have a name?
It seems a very simple scheme, but I haven't seen it used in any practical applications. It is of course identical in operation to simple key sharing / splitting - but in this case we're not sharing anything.
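The scheme described in the question, worked through in Python as an added example (not code from the question's author): the original $K_{master}$ comes from PBKDF2-HMAC-SHA256, the upgraded $K_{master}'$ from scrypt with a different password, salt and cost factors, and the only parameter the two derivations must share is the output length. All passwords, salts and cost parameters below are constructed sample values; `hashlib.pbkdf2_hmac` and `hashlib.scrypt` are the standard-library calls.

```python
import hashlib

KEY_LEN = 32  # the one parameter both derivations must share (bytes)


def derive_old(password: bytes, salt: bytes, iterations: int) -> bytes:
    # Original scheme: PBKDF2-HMAC-SHA256 with the old salt and iteration count.
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dklen=KEY_LEN)


def derive_new(password: bytes, salt: bytes, n: int, r: int, p: int) -> bytes:
    # Upgraded scheme: scrypt with a new salt and new cost factors.
    # Only dklen has to equal the old key size so the XOR below lines up.
    return hashlib.scrypt(password, salt=salt, n=n, r=r, p=p, dklen=KEY_LEN)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    # Refuse silently truncated XORs: a length mismatch here means the
    # upgraded derivation was configured with the wrong output size.
    if len(a) != len(b):
        raise ValueError("key sizes must match for the XOR adjustment")
    return bytes(x ^ y for x, y in zip(a, b))


def make_adjustment(k_master: bytes, k_master_new: bytes) -> bytes:
    # A = K_master XOR K_master'. This is what gets stored next to the
    # upgraded parameters; on its own it is K_master masked by a
    # pseudorandom pad, so it reveals nothing without the new password.
    return xor_bytes(k_master, k_master_new)


def recover_master(k_master_new: bytes, adjustment: bytes) -> bytes:
    # K_master = K_master' XOR A, used for every later operation that still
    # relies on the original key (e.g. decrypting existing ciphertext).
    return xor_bytes(k_master_new, adjustment)


def demo() -> dict:
    # --- constructed sample values, not real secrets ---
    old_pw = b"correct horse battery staple"
    old_salt, old_iters = b"\x01" * 16, 100_000
    k_master = derive_old(old_pw, old_salt, old_iters)

    new_pw = b"a longer, brand new passphrase"
    new_params = {"salt": b"\x02" * 32, "n": 2 ** 14, "r": 8, "p": 1}
    k_master_new = derive_new(new_pw, **new_params)

    # The upgraded header: new parameters plus the adjustment value. The old
    # salt and iteration count no longer need to be stored anywhere.
    header = {**new_params, "adjustment": make_adjustment(k_master, k_master_new)}

    # Later: rederive K_master' from the new password and the stored header,
    # then unmask the original key.
    recovered = recover_master(
        derive_new(new_pw, header["salt"], header["n"], header["r"], header["p"]),
        header["adjustment"],
    )
    # A wrong new password yields a different K_master', hence garbage.
    wrong = recover_master(
        derive_new(b"wrong guess", header["salt"], header["n"], header["r"], header["p"]),
        header["adjustment"],
    )
    return {
        "k_master": k_master,
        "recovered": recovered,
        "wrong": wrong,
        "adjustment_len": len(header["adjustment"]),
    }


if __name__ == "__main__":
    result = demo()
    print("recovered original key:", result["recovered"] == result["k_master"])
    print("wrong password recovers it:", result["wrong"] == result["k_master"])
```

Two properties of the scheme are visible in the code. First, the stored $A$ is $K_{master}$ under a one-time pad whose pad is $K_{master}'$, so an attacker holding the header alone has to break the upgraded derivation; the scheme's strength is therefore that of whichever of the two derivations is weaker at the time each was in force. Second, the data key itself never changes: the old password with the old parameters (or a previously captured $K_{master}$) still computes exactly the same key, so this upgrades the derivation cost and the secret that unlocks the key, not the key that protects the data. Retiring a possibly compromised $K_{master}$ still requires re-encrypting the data (or the data keys) under a fresh key.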