1

Say I have a message m.

m1 = sha256(m)

m2 = sha224(m)

Is there any relationship between m1 and m2? If I'm trying to hide the value of m, can a third party guess at m if they have these two values? I'm assuming the answer is no, but just want to make sure there are no caveats.

The reason I want to use two different hashing functions on the same message is to generate two keys that are different but still related to the same data.

Snowman

2 Answers

2

From Wikipedia:

SHA-224 is identical to SHA-256, except that: the initial hash values h0 through h7 are different, and the output is constructed by omitting h7.

So there's no exploitable relationship between m1 and m2; it's not easier to guess m from m1, m2 or both of them.

However, what you really want is a key derivation function. Do not roll your own crypto and do not reinvent the wheel.

A. Hersean
  • How does a KDF help here? From what I understand, it generates a key from a passphrase, salt, and iteration count. How would KDF help me generate two keys from the same passphrase? – Snowman Nov 17 '16 at 15:47
  • m1 = KDF(m, whatever, 1); m2 = KDF(m, whatever, 2) – A. Hersean Nov 17 '16 at 15:49
  • Can salts be the same for both? I ask because this will be done client side, so I can't save random salts to any db. So: m1 = KDF(m, "email", 1); m2 = KDF(m, "email", 2). Given m1, can m2 be derived? And given m2, can m1 be derived? – Snowman Nov 17 '16 at 15:55
  • For a better suggestion, use bcrypt as the KDF, with a different salt for each output. – A. Hersean Nov 17 '16 at 15:55
  • But using PBKDF2 for example, would using the same salts but different iteration counts be secure? (see previous comment) – Snowman Nov 17 '16 at 15:57
  • @maq No! You must use different salts or you're boned. – Reid Rankin Nov 17 '16 at 15:59
  • @maq Just read and understand the documentation for bcrypt. If you need to do it on the client side, it looks like you're not using the correct solution for your issue. I suggest you ask another question with your exact issue: what are you trying to do? What is your scheme supposed to solve? – A. Hersean Nov 17 '16 at 16:00
  • @maq you can do KDF(m, "key1") and KDF(m, "key2") to get two different keys. You can just hardcode the salts. – Reid Rankin Nov 17 '16 at 16:01
  • 1
    @maq If you've already key-stretched the input m, do not use PBKDF2, bcrypt, scrypt, or any other KDF with key stretching built in. And if you haven't, you should; there's no benefit to key-stretching twice to get two different keys. Stretch once, then use that key to feed another KDF (like HMAC) to get your two distinct keys. – Reid Rankin Nov 17 '16 at 16:04
  • Ok I've asked a question here that explains what I'm trying to do: http://security.stackexchange.com/questions/142898/generating-encryption-key-based-on-password – Snowman Nov 17 '16 at 16:20
1

Don't do that. At a minimum, use HMAC-SHA-256 with a different key for each purpose.

Really, though, you should use a proper KDF for this; I like HKDF, personally.

Reid Rankin
  • How does a KDF help here? From what I understand, it generates a key from a passphrase, salt, and iteration count. How would KDF help me generate two keys from the same passphrase? – Snowman Nov 17 '16 at 15:46
  • You're thinking of PBKDF2 or another password-based KDF. Those take an iteration count and are purposely slow. HKDF is an example of a general KDF; it does not perform key stretching, and takes "input key material" instead of a passphrase. Feed it the key material you have, whatever length, and a different "info" value (salt) for each different key you want out. Then you can get exactly the number of bytes you need out of it, however many that is. – Reid Rankin Nov 17 '16 at 15:53