1

I'm implementing an application that from a password has to derive two keys, one for authentication with the server, one for encryption. I'm using Java, with JCA and Bouncy Castle.

So far, to generate a key from the password I was using PBKDF2, like this:

SecretKeyFactory secretKeyFactory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA512", BC);
PBEKeySpec keySpec = new PBEKeySpec(password.toCharArray(), salt, iterations, keyLength);
SecretKey passwordKey = secretKeyFactory.generateSecret(keySpec);

but in the two examples I found of HKDF:

they start with HmacSHA256, not PBKDF2. Why is that? What are the pros and cons of these two algorithms in this case?

  • Note that, in order to prevent brute force attacks, it's better to use a password hash function such as Argon2, bcrypt or scrypt. – Conrado Aug 31 '17 at 17:20
  • HKDF is by definition based on HMAC (that's the H in HKDF, I believe). PBKDF is suitable for deriving keys from passphrases, which usually have lower entropy and may be brute-forced. If your input is the typical password from users, go for PBKDF (which will add resilience against brute force attacks as @ConradoPLG mentioned). Use HKDF if you already have a good source of entropy that could not be attacked by brute force (like Diffie-Hellman shared secrets). See Maarten's nice response, which combines the two: PBKDF2 to add brute-force resilience while using HKDF to derive two strong keys. – jjmontes Aug 31 '17 at 17:37
  • Also, recommended reading: https://crypto.stackexchange.com/questions/40971/what-is-the-difference-between-kdfs-for-key-derivation-vs-password-stretching and https://crypto.stackexchange.com/questions/20960/pbkdf-vs-hkdf-for-pretty-long-key – jjmontes Aug 31 '17 at 17:54

1 Answer

3

I don't think you get those "examples": they implement HKDF. The full name of HKDF is HMAC-based Extract-and-Expand Key Derivation Function. They do not use PBKDF2 because they don't implement a specific use case, they implement the algorithm.

So it is perfectly fine to use:

master = PBKDF2(SHA-256, iterations, salt, password, 32)
authKey = HKDF(SHA-256, master, "authKey", 32)
encKey = HKDF(SHA-256, master, "encKey", 32)

This is pseudo code where the configuration options such as the hash function and the output size are also present in the parameters.

Note that although SHA-256 is specified as a configuration option, both PBKDF2 and HKDF will use HMAC-SHA-256 underneath (but HMAC has only one configuration option: the hash function to use, so this is equivalent).

Maarten Bodewes
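The scheme in the answer's pseudo code, written out with the JCA and Bouncy Castle as an added example (it is not code from the question or the answer). It assumes `PBKDF2WithHmacSHA256` from the default JCA provider, Bouncy Castle's lightweight `HKDFBytesGenerator`, the labels passed as HKDF `info` with no HKDF salt, and a constructed passphrase and iteration count; the class and method names are hypothetical.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import org.bouncycastle.crypto.digests.SHA256Digest;
import org.bouncycastle.crypto.generators.HKDFBytesGenerator;
import org.bouncycastle.crypto.params.HKDFParameters;

public class PasswordKeys {   // hypothetical class name
    // Stretch the password once with PBKDF2-HMAC-SHA-256 into a 32-byte master key.
    static byte[] master(char[] password, byte[] salt, int iterations) throws GeneralSecurityException {
        PBEKeySpec spec = new PBEKeySpec(password, salt, iterations, 256); // key length is in bits
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword();   // wipe the spec's internal copy of the password
        }
    }

    // HKDF-SHA-256 over the master key; the info label is what separates the two keys.
    static byte[] subKey(byte[] master, String label, int length) {
        HKDFBytesGenerator hkdf = new HKDFBytesGenerator(new SHA256Digest());
        // Assumption: no HKDF salt (null), label used as the info parameter.
        hkdf.init(new HKDFParameters(master, null, label.getBytes(StandardCharsets.UTF_8)));
        byte[] out = new byte[length];
        hkdf.generateBytes(out, 0, length);
        return out;
    }

    public static void main(String[] args) throws GeneralSecurityException {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);            // per-user salt, stored with the account
        char[] password = "constructed example passphrase".toCharArray();
        int iterations = 600_000;                      // assumed work factor, tune for your hardware

        byte[] m = master(password, salt, iterations); // the only expensive step, done once
        byte[] authKey = subKey(m, "authKey", 32);     // key for authentication with the server
        byte[] encKey = subKey(m, "encKey", 32);       // key for encryption
        Arrays.fill(m, (byte) 0);                      // master key is no longer needed

        // Same password and salt reproduce the same key; different labels give different keys.
        byte[] again = subKey(master(password, salt, iterations), "authKey", 32);
        System.out.println("authKey reproducible: " + Arrays.equals(authKey, again));
        System.out.println("authKey differs from encKey: " + !Arrays.equals(authKey, encKey));
    }
}
```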