
Does using a portion of a master seed, such as the last 12 bytes of a 128-byte random master seed, as a salt provide any additional security to the HKDF when deriving child seeds? Alternatively, is it better not to use a salt in this case?

1 Answer

No, a salt composed from bits of the master seed or IKM doesn't provide much additional security. It is better to choose e.g. an application-specific label within the $\mathit{Info}$ parameters (named $\mathit{CTXinfo}$ in the paper quoted below).

The idea of the salt is that it allows different values to be generated even for the same IKM (input keying material). The following quoted text fragments are from "Cryptographic Extraction and Key Derivation: The HKDF Scheme" by Hugo Krawczyk.

> Informally, a randomness extractor is a family of functions indexed by a public, i.e., non-secret, parameter (which we refer to as “salt”) with the property that on any input distribution with sufficiently large entropy, if one chooses a salt value at random (and independently of the source distribution) the output of the extractor is statistically close to uniform (see below for a formal definition).

and

> We note that for the most part of this paper the (implicit) notion of security of a KDF corresponds to this last definition, namely, we think of KDFs mainly as a generic function that can deal with different sources as long as the source has enough computational min-entropy. We stress that this notion of security can only be achieved for randomized KDFs where the salt value $r$ is chosen at random from a large enough set.

So basically the master secret on its own may not generate well distributed OKM (output keying material) which is why a salt should be used - at least for the security rationale. If you just reuse bytes from the master key you may end up with another badly distributed OKM, so that doesn't work.

It depends if the salt is required in practice. If the IKM contains enough entropy and is well distributed by itself it is not likely to be needed. It is not always possible to use a random salt in all circumstances anyway, and many KDFs don't use a salt, especially if the input domain of the IKM is large enough.

Maarten Bodewes
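The comparison discussed in the answer above, as an added example that is not part of the original answer: HKDF written out from RFC 5869 with the Python standard library, deriving child seeds with Info labels, with a salt cut from the master seed, and with an independent random salt. SHA-256, the label strings and the function names are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

HASH = hashlib.sha256          # assumption: SHA-256 as the underlying hash
HASH_LEN = HASH().digest_size


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    # RFC 5869 step 1; an absent salt is replaced by HashLen zero bytes.
    return hmac.new(salt or b"\x00" * HASH_LEN, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    # RFC 5869 step 2: T(i) = HMAC(PRK, T(i-1) | info | i)
    if length > 255 * HASH_LEN:
        raise ValueError("requested output too long")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_child(master: bytes, label: bytes, salt: bytes = b"",
                 length: int = 32) -> bytes:
    return hkdf_expand(hkdf_extract(salt, master), label, length)


def demo() -> dict:
    master = os.urandom(128)           # constructed 128-byte master seed
    enc, mac = b"example-app/encryption", b"example-app/mac"  # hypothetical labels
    self_salt = master[-12:]           # salt cut from the IKM, as in the question
    return {
        # Distinct Info labels alone give independent child seeds.
        "labels_separate": derive_child(master, enc) != derive_child(master, mac),
        # A salt computed from the IKM is fixed by the IKM: same seed, same output.
        "self_salt_is_fixed": derive_child(master, enc, self_salt)
                              == derive_child(master, enc, master[-12:]),
        # Only an independently chosen salt varies the output for one IKM.
        "random_salt_varies": derive_child(master, enc, os.urandom(12))
                              != derive_child(master, enc, os.urandom(12)),
    }


if __name__ == "__main__":
    print(demo())
```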