-1

I have this code snippet to generate key with PBKDF2.

SecretKeyFactory skf = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA512");
        PBEKeySpec spec = new PBEKeySpec(password.toCharArray(), salt.getBytes(), iterations, length);
        SecretKey key = skf.generateSecret(spec);
        byte[] res = key.getEncoded();

I am wondering how generating works when a key lengthis longer than specified SHA digest algorithm type?

For example - what happens when I set a key length of 1024 bits and use PBKDF2WithHmacSHA512 algorithm? Where are 512 bits generated?

jnemecz
  • 3,171
  • 8
  • 41
  • 77
  • 1
    Are you asking about the inner workings of the PBKDF2 algorithm and how the stretching works? – Artjom B. Jun 06 '17 at 18:09
  • https://tools.ietf.org/html/rfc2898#section-5.2 but any (single) symmetric algorithm that uses more than 256 bits of key material is insane – dave_thompson_085 Jun 06 '17 at 19:29
  • @dave_thompson_085 It may be that a longer output is desired to provide both a key and IV in one shot – zaph Jun 06 '17 at 20:36
  • Stack Overflow is a site for programming and development questions. This question appears to be off-topic because it is not about programming or development. See [What topics can I ask about here](http://stackoverflow.com/help/on-topic) in the Help Center. Perhaps [Cryptography Stack Exchange](http://crypto.stackexchange.com/) or [Information Security Stack Exchange](http://security.stackexchange.com/) would be a better place to ask. – jww Jun 08 '17 at 02:22

2 Answers2

3

In general it is not advised to ask for more than the hash length as each block is run through all the iterations again:

According to Wikipedia (which has a somewhat more readable format than PKCS#5):

DK = T1 || T2 || ... || Tdklen/hlen
Ti = F(Password, Salt, c, i)

here c is the iteration count by the way.

The problem with this is that generally large amounts of key material are only used when the result is split into multiple components. And if an attacker can verify a good password guess using only - say - the first 128 bits then the attacker has to do less work than the legitimate user of the algorithm.

One way of resolving this is to split the output of PBKDF2 using a KBKDF such as HKDF using different labels (information that is also hashed). That way you can generate almost infinite amount of key material without running through all the iterations for each 512 bits.

Note that 512 bits is enough for two very secure AES-256 bit keys. So that's one very good reason to use SHA-512 for PBKDF2. Note that on 64 bit machines SHA-512 may be faster than SHA-256 while delivering more output material and security.

Maarten Bodewes
  • 90,524
  • 13
  • 150
  • 263
2

Per PBKDF2

dkLen is the desired length of the derived key
DK is the generated derived key

Each hLen-bit block Ti of derived key DK, is computed as follows:

DK = T1 || T2 || ... || Tdklen/hlen

The derived byte array can be an arbitrary length not based on the hash algorithm.

zaph
  • 111,848
  • 21
  • 189
  • 228