0

This is a setup to produce a secret key for symmetrical encryption with TweetNaCl:

1) K1 consists of 32 random bytes

2) K2 consists of 32 random bytes

(By "random" I mean "obtained from /dev/urandom")

3) KC is the concatenation of K1 and K2

4) K consists of the first 32 bytes of the SHA-512 sum of KC

Questions:

a) Is it safe to use K as a secret key? ("safe" meaning "as safe as using 32 random bytes"; it is assumed that K1, K2 and K are kept secret)

b) If an attacker gets his hands on K1 or K2 (but not on both), does he obtain any real advantage?

Rationale: keep K1 and K2 in separate media (e.g., K1 on a pen and K2 on disk)

Jorge Almeida
  • 3
  • 3

1 Answers1

2

a) Is it safe to use K as a secret key? ("safe" meaning "as safe as using 32 random bytes"; it is assumed that K1, K2 and K are kept secret)

Although SHA-512 is not a KDF, and although it is required that the hash has properties that are not mandatory to be used as KDF, most people assume it is secure, yes.

b) If an attacker gets his hands on K1 or K2 (but not on both), does he obtain any real advantage?

No, the attacker shouldn't gain advantage that way.

Kind of related is the security of KDF1 and KDF2. Hash should be considered a poor mans KDF. For a better KDF, use HKDF or just HKDF-expand.

Community
  • 1
Maarten Bodewes
  • 92,551
  • 13
  • 161
  • 313
  • My reasoning is that there is no point in using HKDF,...,Argon2 when the source (K1 and K2) is random, as opposed to a lower-entropy source (passphrase). Rather than trying a brute-force attack against K1|K2, an attacker might as well try to find the key K itself. That is, assuming that the algorithm used to buid K doesn't introduce some subtle vulnerability. – Jorge Almeida Dec 18 '16 at 22:10
  • There's no point in using SHA-512 either. Just XOR the two keys together as @MaartenBodewes suggests in an earlier comment. – Stephen Touset Dec 18 '16 at 22:17
  • I'm ashamed to say that I went for the answer and missed the comment entirely. That looks indeed a better strategy (and makes a leaner binary, too). – Jorge Almeida Dec 18 '16 at 22:55