
In general, keys for password-based key derivation are derived from a password hash such as the old PBKDF2 function or Argon2, possibly followed by another derivation function to derive data and authentication keys: $$K_{master} = \text{PBKDF}(pass, salt, factors, length, \ldots)$$.

A possible disadvantage is that it is impossible to update the factors, salt size or password without generating a different $K_{master}$.


Would the following simple way around this be secure?

  1. calculate the initial master key value: $$K_{master} = \text{PBKDF}(pass, salt, factors, length, \ldots)$$
  2. calculate a second master key value $$K_{master}' = \text{PBKDF}(pass', salt', factors', length, \ldots')$$ where each value other than the resulting key size $length$ may differ from the original scheme.
  3. calculate a key adjustment value using XOR $$A = K_{master} \oplus K_{master}'$$
  4. store this adjustment value $A$ with the other upgraded parameters / ciphertext.

Now in further operations, such as decryption of ciphertext that relies on the original $K_{master}$, you can simply calculate the second master key value $K_{master}'$ and perform $K_{master} = K_{master}' \oplus A$.


Are there any drawbacks to using this scheme? Does it have a name?

It seems a very simple scheme, but I haven't seen it used in any practical applications. It is of course identical in operation to simple key sharing / splitting - but in this case we're not sharing anything.

Asked by Maarten Bodewes; edited by Patriot.
  • And yes, the term "key adjustment value" was "sucked out of my thumb" as the saying goes in Dutch (made up on the spot). There is at least *one* huge drawback of course, I expect it in any answer. – Maarten Bodewes Nov 23 '18 at 11:43
  • Note that if your DB gets leaked, your $A$ will also likely get leaked and an attacker gets to choose which PBKDF instance they want to break. – SEJPM Nov 23 '18 at 11:46
  • Yeah, that one :P You wrote that drawback and I asked for it at the same time. Impressive :) – Maarten Bodewes Nov 23 '18 at 11:46
  • prefer to attack the old one since it will have smaller security parameters. But highly probably the old PBKDF and its parameters are deleted since they are not needed anymore. So, we may have to stick to the second one. But in the end, is it better than storing the two PBKDFs? – kelalaka Nov 23 '18 at 12:44
  • What do you mean with "storing the two PBKDF"? – Maarten Bodewes Nov 23 '18 at 13:15
  • Not the functions, the parameters. After the update, the old values `salt,factors,...` are not needed. So without the knowledge of them, one cannot apply a password search for $Key_{Master}$ and check the decryptions of ciphertexts which are encrypted with the old and new master key. – kelalaka Nov 23 '18 at 14:01
  • Exactly. If you don't know the initial salt then you cannot perform the first PBKDF and therefore your data would be safe. The salt would act as a pepper in that case. Of course this has limited applicability: the salt is generally assumed to be public. However, that won't help an attacker that finds my drive after I've destroyed the initial salt. The other parameters are generally easily guessed... (I won't go too deep into the difficulty of destroying the salt) – Maarten Bodewes Nov 23 '18 at 15:19
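The four-step adjustment scheme from the question, written out as an added Python example (not code from the question or from any answer) using PBKDF2-HMAC-SHA256 from the standard library; the function names, sample passwords, salts and iteration counts are constructed for the demonstration.

```python
import hashlib

# Added example, not code from the question: the "key adjustment" scheme
# instantiated with PBKDF2-HMAC-SHA256 from the Python standard library.
# All names, passwords, salts and iteration counts below are constructed.

KEY_LEN = 32  # "length" stays fixed across the upgrade (step 2)


def derive_master(password: bytes, salt: bytes, iterations: int) -> bytes:
    """K_master = PBKDF(pass, salt, factors, length)."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dklen=KEY_LEN)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("key adjustment needs equal key lengths")
    return bytes(x ^ y for x, y in zip(a, b))


def upgrade(old: tuple, new: tuple) -> bytes:
    """Steps 1-4: derive both master keys and return A = K_master XOR K_master'.

    old / new are (password, salt, iterations) triples; only A and the new
    parameters need to be stored beside the ciphertext afterwards."""
    k_master = derive_master(*old)
    k_master_new = derive_master(*new)
    return xor_bytes(k_master, k_master_new)


def recover_master(new: tuple, adjustment: bytes) -> bytes:
    """Later operations: K_master = K_master' XOR A, no old parameters needed."""
    return xor_bytes(derive_master(*new), adjustment)


def demo() -> bool:
    # Constructed sample parameters: stronger factors and a fresh salt after upgrade.
    old = (b"correct horse", b"\x00" * 16, 1_000)
    new = (b"battery staple", b"\x01" * 16, 100_000)
    k_master = derive_master(*old)
    adjustment = upgrade(old, new)
    # The old salt/factors can now be discarded; decryption uses new params + A.
    return recover_master(new, adjustment) == k_master


if __name__ == "__main__":
    print("recovered original K_master:", demo())
```

Because $A$ is stored next to the ciphertext, whoever can compute either derivation obtains $K_{master}$, which is the drawback raised in the comments: the result is only as strong as the weaker PBKDF instance whose parameters remain recoverable.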

0 Answers