
My algorithm is basically as follows:

input password
hash(password)
AES on file using the hash

In this case, does the hash algorithm matter as long as its distribution is somewhat uniform?

Would some weak algorithm like MD5 be fine, or should a better algorithm be used?

In the case where someone tries to brute-force, slower algorithms will perform better, so I'm not taking this into account, as it can be offset by using more rounds.

I'm doing that because AES needs a 128-bit key (or 192 or 256), and the user might not want to input a password of this size.

satibel
  • I think you should look at real key derivation functions instead of just using a hash. See [Why is the Key Derivation Function important?](https://security.stackexchange.com/questions/109378/why-is-the-key-derivation-function-important) and [What is the difference between Key Derivation Function and (salted) Hash?](https://security.stackexchange.com/questions/95410/what-is-the-difference-between-key-derivation-function-and-salted-hash) for why simply using a hash is not a good idea to derive a key. – Steffen Ullrich Apr 12 '17 at 11:13
  • see http://crypto.stackexchange.com/questions/46550/benchmark-differences-between-sha-512-and-bcrypt – dandavis Apr 12 '17 at 19:19

1 Answer

4

You shouldn't be using a hash function to derive a cryptographic key from a user-supplied passphrase. Instead, use a Key Derivation Function such as PBKDF2.

The following topics explain the topic in more depth:

TL;DR: Hash functions are very fast (therefore easier to brute-force), whereas key derivation functions are generally much slower and their speed can be adjusted.

christophetd
  • From what I understand, adding multiple passes and a salt to a hash that has a uniform distribution is kinda like rolling your own KDF, is that so? – satibel Apr 12 '17 at 12:50
  • @satibel: it's "like rolling your own KDF" in that it's a terrible idea, yes. – dandavis Apr 12 '17 at 19:10
  • @dandavis though it seems to be what VeraCrypt (the successor of TrueCrypt) does: "For standard containers and other partitions, VeraCrypt uses 655,331 iterations of RIPEMD160 and 500,000 iterations of SHA-2 and Whirlpool." So it doesn't seem to be such a terrible idea if implemented right. – satibel Apr 13 '17 at 06:25
  • @satibel "rolling your own encryption" is never a terrible idea when implemented right. The point is in general it won't be implemented right, and if you are asking the sort of questions the OP is, it definitely won't be implemented right. In other words if Joan Daemen or Vincent Rijmen "roll their own encryption" I'll be happy to use it, otherwise not so much. – DRF Apr 13 '17 at 07:28
  • @satibel: rolling your own surgery, done right, might save a lot, but it's more likely to kill you. – dandavis Apr 13 '17 at 21:48