In other words, in the context of authenticated encryption using Encrypt-Then-MAC, is this stupid?:
    derived_key = PBKDF(key, salt, dkLen=32)
    hmac_key, enc_key = derived_key[:16], derived_key[16:]
It is advised that separate keys be used for MAC and encryption. Is this sufficient? If not, how dangerous is it?
dkLen > hLen for PBKDF2 when doing password stretching. Its method of deriving more than hLen bytes is less efficient than it should be. Since whatever hash used likely has at least 256-bit output (32 bytes), this is not an issue. Argon2, a way better password-based KDF for Intel/AMD hardware, doesn't have such an issue. – Future Security Jul 23 '19 at 22:02
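Added example, not part of the original question or comment: a standard-library Python sketch of the split from the question and of the dkLen/hLen block behaviour the comment refers to. The password, salt, iteration count and the `mac`/`enc` labels are constructed for illustration, and the HKDF-Expand step (RFC 5869) is an alternative introduced here, not something the post uses.

```python
import hashlib
import hmac

# Constructed sample inputs (not from the original post).
PASSWORD = b"correct horse battery staple"
SALT = bytes(range(16))
ITERATIONS = 10_000  # assumption: kept low so the example runs quickly


def stretch(dk_len, hash_name="sha256"):
    """PBKDF2-HMAC over the constructed password and salt."""
    return hashlib.pbkdf2_hmac(hash_name, PASSWORD, SALT, ITERATIONS, dklen=dk_len)


def blocks_needed(dk_len, hash_name="sha256"):
    """PBKDF2 builds its output from hLen-byte blocks, and every block
    costs the full iteration count, so this is the work multiplier."""
    h_len = hashlib.new(hash_name).digest_size
    return -(-dk_len // h_len)  # ceiling division


def split_keys(derived_key):
    """The split from the question: two 16-byte halves of one 32-byte output."""
    return derived_key[:16], derived_key[16:]


def expand_keys(master):
    """Alternative: stretch once (dkLen <= hLen), then take one HKDF-Expand
    block per purpose: T(1) = HMAC(PRK, info || 0x01). Labels are hypothetical."""
    mac_key = hmac.new(master, b"mac" + b"\x01", hashlib.sha256).digest()
    enc_key = hmac.new(master, b"enc" + b"\x01", hashlib.sha256).digest()
    return mac_key, enc_key


if __name__ == "__main__":
    # SHA-256: dkLen=32 fits in one block; SHA-1 (hLen=20) would need two.
    print("blocks, sha256, dkLen=32:", blocks_needed(32))
    print("blocks, sha1,   dkLen=32:", blocks_needed(32, "sha1"))

    # The first hLen bytes do not depend on dkLen, so asking for more output
    # only adds work for the party that needs the extra blocks.
    print("prefix stable:", stretch(64)[:32] == stretch(32))

    hmac_key, enc_key = split_keys(stretch(32))
    print("split:", len(hmac_key), len(enc_key), hmac_key != enc_key)

    mac32, enc32 = expand_keys(stretch(32))
    print("expand:", len(mac32), len(enc32), mac32 != enc32)
```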