Reputation: 4740
What is the correct (acceptable) way to derive a, let's say, 128-bit AES key from the secret derived in a DH negotiation?
How would you derive a set of keys in a "correct" manner?
Upvotes: 2
Views: 3775
Reputation: 14160
For instance, TLS uses a pseudo-random function, which is based on SHA1 and MD5 hashes over the shared secret (i.e. the DH key exchange value), a string label (to distinguish the different cases for which a key is generated: HMAC, cipher and so on), and a shared random parameter (the client and the server each generate their own half of the random parameter).
So, I'd recommend adding some random data generated by both the client and the server, and hashing it together with the DH key exchange value.
Upvotes: 3
Reputation: 42007
I would use a standard. One such standard is NIST Special Pub 800-56A. See in particular section 5.8.
Upvotes: 4
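An added example, not code from any of the posts above: a counter-mode hash KDF modelled on the concatenation KDF of NIST SP 800-56A, with a purpose label and both parties' random values bound into the hash input as the first answer suggests. The choice of SHA-256, the field layout in `other_info`, the label strings, and the sample values are assumptions made for this illustration; it is not a validated implementation of the standard.

```python
import hashlib
import struct

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size  # 32 bytes


def dh_secret_to_bytes(shared: int, p_bits: int) -> bytes:
    """Encode the DH result at the full length of the prime, so leading
    zero bytes are kept and both sides hash identical input."""
    return shared.to_bytes((p_bits + 7) // 8, "big")


def _field(data: bytes) -> bytes:
    """Length-prefix a field so adjacent fields cannot run together."""
    return struct.pack(">I", len(data)) + data


def other_info(label: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """Context bound into the key: purpose label plus both randoms (assumed layout)."""
    return _field(label) + _field(client_random) + _field(server_random)


def concat_kdf(z: bytes, out_len: int, info: bytes) -> bytes:
    """H(counter || Z || info) for counter = 1, 2, ..., truncated to out_len."""
    if not z or out_len <= 0:
        raise ValueError("need a non-empty secret and a positive output length")
    reps = -(-out_len // HASH_LEN)  # ceiling division
    out = b"".join(
        HASH(struct.pack(">I", counter) + z + info).digest()
        for counter in range(1, reps + 1)
    )
    return out[:out_len]


def derive_session_keys(z: bytes, client_random: bytes, server_random: bytes) -> dict:
    """One independent key per purpose; only the label differs between them."""
    aes_info = other_info(b"AES-128 cipher key", client_random, server_random)
    mac_info = other_info(b"HMAC-SHA256 key", client_random, server_random)
    return {"aes128": concat_kdf(z, 16, aes_info), "hmac": concat_kdf(z, 32, mac_info)}


# Constructed sample values; real randoms come from a CSPRNG on each side.
Z = dh_secret_to_bytes(0x1F2E3D4C5B6A79880123456789ABCDEF, 2048)
CLIENT_RANDOM = bytes(range(32))
SERVER_RANDOM = bytes(range(32, 64))

if __name__ == "__main__":
    for name, key in derive_session_keys(Z, CLIENT_RANDOM, SERVER_RANDOM).items():
        print(name, key.hex())
```

Both sides call `derive_session_keys` with the same three inputs and get the same key set; the raw DH value itself is never used as a key.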