Safe to use a BCrypt hash directly as a key to HMAC-SHA256?

Starscream512

8/11/24, 4:47 AM

Is it safe (or optimal) to use a BCrypt hash directly as the key to an HMAC-SHA256? I ask because all the BCrypt hashes I will use contain the same salt, version, and cost, so the first 29 characters of the hashes will all look the same, e.g. "$2a$06$/H63GWnve78WGVBSDouFTO". I'm not comfortable with this much known structure in a key. Should I run the BCrypt hash through a SHA256 first before using it as the key to an HMAC-SHA256, or is it ok to use it as-is?

1 + 2

hmac

fgrieu

8/11/24, 12:46 PM

It would be bad practice that "all the BCrypt hashes (…) contain the same salt, version, and cost", for that makes salt ineffective at preventing password search on several different passwords. Using the BCrypt hash as key to HMAC-SHA256 won't cure that. As pointed in this [answer](https://crypto.stackexchange.com/a/107592/555), HMAC-SHA256 works fine for a key of any length, and will hash it before use if too long (over 64 bytes).

samuel-lucas6

8/13/24, 9:39 AM

bcrypt is [not](https://www.usenix.org/legacy/events/usenix99/provos/provos.pdf) a password-based KDF, just a password hashing algorithm. For key derivation, you should use [Argon2](https://www.rfc-editor.org/rfc/rfc9106.html). If using bcrypt for password hashing, it's best to use [hmac-bcrypt](https://github.com/epixoip/hmac-bcrypt) as this avoids some design/implementation limitations.

Score:0

Crypto

Maarten Bodewes

8/11/24, 7:01 AM

In principle HMAC can use a key fo any size. However, I'd argue that only the final 31 characters of the returned string are of importance, as that consists of the calculated bcrypt hash / the HMAC secret. Obviously you'll need to store the salt somewhere public if you want to just keep the password secret. As such it doesn't count towards the security of the resulting secret.

Now there is something of a problem: those 31 characters only represent 23 bytes of generated secret information. In principle HMAC should take a key of 32 bytes. So the output of bcrypt seems to be fall somewhat short of the recommended size for HMAC. Generally I'd say that 184 bits offer plenty of security, but switching to PBKDF2 or Argon2 could an idea.

For HMAC I say it doesn't matter much if the characters are used "directly" by interpreting them as bytes (using one specific character encoding) or if they are base 64 decoded first.

I don't see much point of hashing the output of bcrypt before putting it into HMAC. HMAC can take any size of key, and will automatically hash the input using the internal hash if it would hamper the efficiency of the algorithm.

+ 0

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: Safe to use a BCrypt hash directly as a key to HMAC-SHA256?

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.