Score:1

Wrap AES 256-bit key with Argon2 without losing entropy


Given a random 256-bit key used for data encryption with streaming AES-GCM,

I would like to wrap it for backup with AES-GCM.

Is it safe to use

HKDF(
    km = new random 256bit key
    salt = Argon2(weak password) 256bit
    algo = HMACSHA512
    outputkey = 256bit )

In theory the km parameter has to be stored safely offline in hex format, similar to how BIP39 does it with mnemonic words. And the produced 256 bits are used to wrap the first DEK with AES-GCM.

Is there a better way to hash a random 256-bit key with a user password to generate a new high-entropy 256-bit key for AES?

Protocol clarification:

Master key 256bit generated within Android TEE -> 
wraps with GCM { Master Google Tink Key }

Master Google Tink Key -> 
wraps with GCM{ DEK1, DEK2 ... } 

Each DEK is generated randomly and it is used to encrypt 2 files with AES GCM Streaming AEAD HKDF 4K, which I suppose internally generates new keys and IVs to encrypt each block

and then

HKDF(
    km = new random 256bit key + Argon2(weak password) 256bit
    salt = empty
    info = empty
    algo = HMACSHA512
    outputkey = 256bit)

outputkey -> wraps with GCM { Master Google Tink Key }
Maarten Bodewes:
The full HKDF uses any amount of input keying material. To me it would make more sense to concatenate the key and password hash retrieved from Argon2 instead of using it as a salt, which is not considered to contain key material. That way the function is used as you'd expect it to, and implementations may actually handle keying material and salts differently. Not sure what you are going to do with the next DEK keys, and there is nothing about IV handling and such for GCM. I don't think the protocol is fully described.
samuel-lucas6:
I don't understand the description, but I'd agree with Maarten, or you could use the Argon2 output as the key and the random key as the salt/info parameter. That way around seems more common.
zjmo:
@MaartenBodewes I've updated the question. I have no control over the IV and I cannot really create an encryption scheme since the Tink library does everything internally.
zjmo:
@samuel-lucas6 I was thinking that using the high-entropy key in the salt has less influence on the overall entropy of the generated hash. Do you know otherwise if there is another way to bind a random key to a password as BIP39 does but without word indexing?
samuel-lucas6:
The salt for HKDF is used as the HMAC key internally, so a secret salt is very good. It's discussed in the [RFC](https://www.rfc-editor.org/rfc/rfc5869#section-3.1). I'd say stick with BIP39.
zjmo:
@samuel-lucas6 for the application purpose using BIP39 would just be adding another level of complexity, because I would not be able to memorize the mnemonic phrase anyway and so it has to be stored on paper offline. It is important that the asymmetric key preserves its entropy and is recovered only when the random key and password are matched together. So is using the password hash as salt optimal? Or is it better to concatenate them and input the resulting bits to HKDF? Thanks
zjmo:
Or maybe just sha256(random key || Argon2(password)) is enough?
samuel-lucas6:
I'm afraid I don't understand your comment. The only reason I said BIP39 is because it sounded like you were already using it. I don't see how that affects whether you use the random key or the password hash as the salt, but I don't know your protocol. Don't do SHA-256 as it's susceptible to length extension attacks; stick to either HKDF or HMAC. I'd go with Maarten's suggestion or my idea of having the random key as the salt.
zjmo:
@samuel-lucas6 OK, I'll probably use HMAC with the 2 concatenated keys as key and an optional message in case I have to generate more than 1 key. Thanks
samuel-lucas6:
HKDF is more extensible, but that should work. You don't need the full HKDF anyway because you already have a high-entropy key.