2

Assuming I have a secret key of sufficient length and entropy (I get to decide the length and have a good random source).

I would like to generate 256 length keys by hashing the root key with the name of each key, ex: 

key1 = sha256(rootKey +"key1") 
key2 = sha256(rootKey +"key2") 
...
keyN = sha256(rootKey +"keyN")

Is the sha256 hash a good choice ?

If yes, what length should the root secret be ? I'm thinking 256 bit is pretty good, but it wouldn't cost much to make it bigger...

Max L.
  • 161
  • 3

1 Answers1

5

Assuming the input key is sufficiently entropic by itself, and both the input key and the identifier have a fixed length, you can safely use SHA-256 to derive extra keys. A fixed length is required to avoid length extension attacks which affect all non-truncated Merkle–Damgård hashes, including SHA-256. A safer way to do this, however, is to use HMAC for key derivation, which makes this scheme more flexible so length extension attacks are not a worry. When using HMAC, the input key is used as the HMAC key, and the identifier is the message to be hashed. You can also use a standard KDF such as HKDF.

Glorfindel
  • 2,263
  • 6
  • 19
  • 30
forest
  • 65,613
  • 20
  • 208
  • 262
  • thanks, how can the length extension attack be applicable in this context, since there is no message siguature validation involved ? – Max L. Jul 30 '19 at 01:44
  • 2
    @MaxL. Given one identifier, an attacker can calculate what the derived key would be for another identifier (with that identifier having certain limitations, in particular being a concatenation of the first identifier, MD padding material, and an arbitrary suffix). That would violate the security assumptions of a good KDF. If the identifier and input key are both fixed-length, then this attack is not applicable. – forest Jul 30 '19 at 01:46