6

Is there a safe way to uniquely identify a symmetric key? I know with asymmetric keys you typically use a hash of the public key, but I assume that using a hash of a symmetric key would reveal too much information. Would you simply have to assign a GUID to each key and ensure that those GUID/key pairs never get lost or mixed up?

I'm just wondering, because if you have hundreds of keys stored someplace, how do you know which one to use?

senecaso
  • 228
  • 1
  • 4

1 Answers1

1

Any unique identifier would do the trick, including using a hash of the key (assuming you are using a good hash function). Personally I would not use a hash of the key though as it makes an offline attack theoretically possible. If the ID has nothing to do with the key, however, and an attacker steals the ID, there is no advantage gained by the adversary. A simple counter would do the trick. If you indeed need the ID to be globally unique though, simply having everyone generate a random 128 bit number would also work.

mikeazo
  • 38,563
  • 8
  • 112
  • 180
  • Ya, I said "GUID" because it was short and sweet :) I agree any UID would do. My concern is that the UID is then not tied to key, like a fingerprint, so its easier to get things muddled up somewhere down the line. Your statement about offline attack is exactly what I was worried about though. I was hoping there was some magic way to prevent the hash from being useful in an offline attack by salting it or something, to make it more expensive to calculate than simply trying to brute force the key. – senecaso Oct 17 '11 at 02:11