
I would like to generate a key which would be good enough to be used for encryption with AES in a mobile environment. My idea is to use as a seed "random attributes" from a mobile device. Is hashing this seed first using an HMAC construction (with some salt which is also random but public) and then using an HMAC-based key derivation function secure and efficient?

Maarten Bodewes
Hashed
    What's wrong with just generating a random AES key? – otus Jul 25 '14 at 12:40
  • To add to what otus says, most operating systems have built in random number generators. Most mobile device platforms (iOS and Android) have good random number generators built in. Why not just generate a 128-bit (or 192 or 256) random value and use that directly? – mikeazo Jul 25 '14 at 12:42
  • Yes, but is it good enough to be used for encryption? Does it not need some pre-processing with the HMAC approach? – Hashed Jul 25 '14 at 12:49
  • If you use the proper OS provided random number generators, then yes, they are good enough for encryption. – mikeazo Jul 25 '14 at 13:07
  • Note that you have another question on here with the exact same title. – mikeazo Jul 25 '14 at 13:09
  • "…the best way…" is primarily opinion-based because there are several ways to handle this, and there is no general rule that makes the use of an HMAC a good KDF in all cases! – e-sushi Jul 25 '14 at 15:43
  • @Hashed, if the OS provides a secure random number source there's no need to preprocess that. You can just use it as a key directly. For example, /dev/urandom is such an interface, and most programming languages will make use of it (Java SecureRandom, Python SystemRandom). – otus Jul 25 '14 at 16:33
  • @Hashed HMAC is not a magical construct that converts low-entropy inputs into high-entropy outputs. If the system RNG (e.g., /dev/urandom) is providing you with high-entropy randomness, there's nothing further to do. If you only have access to a low-entropy RNG (e.g., C rand), there may be nothing you can do; at absolute best, you can use a key stretching algorithm like PBKDF2 or scrypt to linearly increase the effective cost of an attacker brute-forcing the key to simulate higher entropy. – Stephen Touset Jul 29 '14 at 00:54

1 Answer


If you have plenty of entropy in your "seed" then just use a KBKDF such as HKDF. If you have somewhat less, use a PBKDF such as PBKDF2. Both HKDF and PBKDF2 can take a salt as an input parameter and already use an HMAC internally.

There is no need to perform a HMAC beforehand. If you do, you would have to specify what data is used as key for the HMAC primitive.

If you just need a random key, use a well seeded CSPRNG (possibly just the one that the runtime supplies, the OS usually has most access to entropy sources).

Maarten Bodewes
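The three options in the answer side by side, as an added example that is not part of the original answer: HKDF (RFC 5869 extract-then-expand, implemented here directly on top of `hmac` so the internal HMAC use is visible) for a seed with plenty of entropy, PBKDF2 from `hashlib` for a seed with less entropy, and `os.urandom` when you only need a random key. The public random salt from the question goes into the KDF's own salt parameter; no separate HMAC pass is needed beforehand. The context string `b"aes-gcm data key"`, the iteration count and the 32-byte key length are illustrative assumptions, not values from the page.

```python
import hashlib
import hmac
import os

HASH = "sha256"
HASH_LEN = hashlib.new(HASH).digest_size  # 32 bytes for SHA-256


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 extract step: PRK = HMAC-Hash(salt, IKM).

    The salt is the HMAC *key*, the seed is the HMAC *message*; this is the
    "what data is used as key" question the answer raises, settled by the RFC.
    An absent salt is defined as HashLen zero bytes.
    """
    if not salt:
        salt = bytes(HASH_LEN)
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 expand step: T(i) = HMAC-Hash(PRK, T(i-1) || info || i)."""
    if length > 255 * HASH_LEN:
        raise ValueError("HKDF output length limited to 255 * HashLen")
    okm = b""
    t = b""
    counter = 1
    while len(okm) < length:
        t = hmac.new(prk, t + info + bytes([counter]), HASH).digest()
        okm += t
        counter += 1
    return okm[:length]


def hkdf(salt: bytes, ikm: bytes, info: bytes, length: int) -> bytes:
    return hkdf_expand(hkdf_extract(salt, ikm), info, length)


def key_from_high_entropy_seed(seed: bytes, public_salt: bytes,
                               context: bytes = b"aes-gcm data key",  # assumed label
                               key_len: int = 32) -> bytes:
    """Seed already has >= key_len*8 bits of entropy: HKDF is all that is needed.

    The public random salt from the question is HKDF's salt input; `context`
    separates keys derived from the same seed for different purposes.
    """
    return hkdf(public_salt, seed, context, key_len)


def key_from_low_entropy_seed(seed: bytes, public_salt: bytes,
                              iterations: int = 600_000,  # assumed work factor
                              key_len: int = 32) -> bytes:
    """Seed is guessable (device attributes, a PIN): use a PBKDF.

    PBKDF2 only multiplies the attacker's cost by `iterations`; it does not
    add entropy, so a seed with 20 bits of guessing entropy stays weak.
    """
    return hashlib.pbkdf2_hmac(HASH, seed, public_salt, iterations, key_len)


def random_aes_key(key_len: int = 32) -> bytes:
    """No seed at all: take the key straight from the OS CSPRNG."""
    return os.urandom(key_len)


if __name__ == "__main__":
    # Constructed inputs, only to show the three paths produce usable keys.
    salt = os.urandom(16)                 # random but may be stored in the clear
    print(key_from_high_entropy_seed(os.urandom(32), salt).hex())
    print(key_from_low_entropy_seed(b"device-attrs:imei+model+ts", salt).hex())
    print(random_aes_key().hex())
```

The HKDF functions reproduce the RFC 5869 test vectors, which is the quickest way to check a hand-rolled KDF before trusting it; in production use the HKDF in your platform's crypto library rather than this one, and keep the salt alongside the ciphertext, since it only needs to be random, not secret.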