(no title)
abuckenheimer | 7 years ago
return pbkdf2.derive(password, email, PBKDF2_ROUNDS, STRETCHED_PASS_LENGTH_BYTES)
.then((quickStretchedPW) => {
result.quickStretchedPW = quickStretchedPW;
// stretch to twice the length necessary
return hkdf(quickStretchedPW, kw('generated'), HKDF_SALT, HKDF_LENGTH * 2)
.then((generated) => {
// split output into two cryptographically strong keys
result.unwrapBkey = generated.slice(0, HKDF_LENGTH);
result.authPW = generated.slice(HKDF_LENGTH);
}
);
}
)
hashed_password = hash(password, 'salt1')
hashed_auth_tok = hash(hashed_password, 'salt2')
hashed_unwrap_key = hash(hashed_password, 'salt3')
tomrittervg|7 years ago
The (second) pseudocode you have is right (the second two 'hash()' should be 'hkdf()', and the first should be 'pbkdf()'.)
The first is an alternate way to do it. But for cryptographic reasons that tend to be buried in formal proofs; you generally don't want to derive twice the keylength you need and then split for two keys. (Besides the necessity for formal proofs (as I understand it) - it's just easier to make an indexing mistake and reuse key material. One also becomes more vulnerable to a collision attack, although that might not make sense in this context it related to the formal proofs.) I will note that sometimes - especially in embedded spaces - you'll see people taking this shortcut in the name of speed or codesize.
Instead you want to fully derive two keys using separate HKDF calls with separate 'labels'. This provides strong domain separation for the keys.
But I'm mostly trying to provide with a pointer to what to read about to convince yourself. I'd start at https://crypto.stackexchange.com/search?q=domain+separation
If you find out we're doing something that still seems weird though, please send me an email!
abuckenheimer|7 years ago