Assume I have only three algorithms available at my disposal: PBKDF2, SHA512, and HMAC-SHA256. (This means I do not have algorithms like HMAC-Expand available.)

Assume I also have a cryptographically secure random 256-bit key. I would like to expand this key to 512 bits, so that I can split the resulting key in half and have 2 child keys.

The recommended option is to use PBKDF2, but this advice is typically given when stretching a low-entropy, user-inputted password. Given that my key is already high-entropy, is there any issue with just using SHA512(key) to expand my key?

The reason I'd rather use SHA512 is that it does not require a salt like PBKDF2 does.

This answer states that it's acceptable to do something like:

child_key_1 = HMAC-256(master_key, "c1")
child_key_2 = HMAC-256(master_key, "c2")

Have I interpreted that answer correctly, and is there a clear winner amongst all my options?

Snowman

1 Answer

What you are looking for is a "Key Derivation Function" (KDF). Notice you called out PBKDF - Password Based KDF. One very common KDF (it's even in NIST standards) is to use the shared secret - your "master_key" - to HMAC a counter. Your proposal is therefore in line with the standard methods of KDF.

Thomas M. DuBuisson
  • Actually, what he is looking for is a pseudorandom generator (PRG) since he assumes that the given key is already cryptographically secure. – Christian Matt Mar 11 '17 at 20:37
  • Is it your assumption that KDFs are only for low entropy input? – Thomas M. DuBuisson Mar 11 '17 at 22:05
  • Not only; using a KDF in this setting is fine. But KDFs usually have stronger properties and what the OP describes exactly matches the definition of a PRF, so I wanted to point this out. See https://en.wikipedia.org/wiki/Pseudorandom_generator. – Christian Matt Mar 11 '17 at 22:13
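
The two constructions discussed in this thread, as an added example that is not part of the original question, answer or comments: the labelled HMAC-SHA256 derivation from the question, and a counter-mode KDF in the style of NIST SP 800-108 that produces 512 bits and splits them into two child keys. The function names, the `child-keys` label and the 32-bit encodings of the counter and output length are assumptions chosen for this illustration.

```python
import hashlib
import hmac
import secrets

MIN_KEY_LEN = 32  # both constructions assume a uniformly random 256-bit master key


def child_key(master_key: bytes, label: bytes) -> bytes:
    """The question's construction: child = HMAC-SHA256(master_key, label)."""
    if len(master_key) < MIN_KEY_LEN:
        raise ValueError("master key must be at least 256 bits")
    return hmac.new(master_key, label, hashlib.sha256).digest()


def kdf_counter(master_key: bytes, label: bytes, context: bytes, out_len: int) -> bytes:
    """Counter-mode KDF with HMAC-SHA256 as the PRF.

    Block i = HMAC(key, [i]_32 || label || 0x00 || context || [L]_32),
    where L is the requested output length in bits.
    """
    if len(master_key) < MIN_KEY_LEN:
        raise ValueError("master key must be at least 256 bits")
    blocks = -(-out_len // hashlib.sha256().digest_size)  # ceiling division
    l_bits = (out_len * 8).to_bytes(4, "big")
    out = b""
    for i in range(1, blocks + 1):
        msg = i.to_bytes(4, "big") + label + b"\x00" + context + l_bits
        out += hmac.new(master_key, msg, hashlib.sha256).digest()
    return out[:out_len]


def split_children(master_key: bytes) -> tuple[bytes, bytes]:
    """Expand to 512 bits and split in half, as the question asks."""
    okm = kdf_counter(master_key, b"child-keys", b"", 64)  # label is hypothetical
    return okm[:32], okm[32:]


if __name__ == "__main__":
    master = secrets.token_bytes(32)  # constructed sample key, not a real secret
    print("labelled :", child_key(master, b"c1").hex(), child_key(master, b"c2").hex())
    k1, k2 = split_children(master)
    print("counter  :", k1.hex(), k2.hex())
```

Neither variant needs a salt, and because each child is the output of a keyed PRF on a distinct input, learning one child key does not reveal the other or the master key.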