
Ask HN: Cryptography questions (key shortening and key verification) - CraftThatBlock
I'm currently building a password generator (ignore the details) and I have some questions about what is the best way to do things. I have 2 questions.

I've posted the individual questions in comments since it would go over the 2000 character limit.

Basically it boils down to 2 simple questions:

1) What is the best and simplest way to get a 256 bit key from a 512 bit key.

2) What is the best way to verify the 512 bit key is correct?

Thank you very much for your time and thoughts.
======
CraftThatBlock
1) Getting a shortened key

To start off, users enter a master password, from which a key is then derived
(with a salt from a server) using scrypt, with a key length of 512 bits (the
dkLen could be changed, although I would like to keep it to 512 bits/64 bytes
for legacy reasons).

On the client-side, I would also like to use AES, which requires 256 bits (or
128/192) keys. My problem is getting a shorter key that is based on the
original key.

My current proposal is using PBKDF2 (with HMAC-SHA-256) with a salt from the
server (or using the same salt as the master key) to derive a secondary key,
which will be recreated every time the user logs in. My problem with this
solution is that there is no need for an intensive derivation, since the
original key will already be "secure", therefore having a low iteration count
(or even just 1) would be an option, which could also just be
HMAC-SHA-256(master key, salt).

My second solution is simply calculating the SHA-256 of the master key, since
using a salt seems overkill for digesting an already 512-bit key. This is
simpler since there's no need to store a secondary salt (if not using the
master salt). I would prefer this solution but I'm unsure if this is fit for
this usage, since the generated hash would be used for AES purposes.

The third solution was to simply slice the master key and take the first half,
which would be 256 bits. I was also unsure if this would be recommended.

------
CraftThatBlock
2) Key signature

Since the server side doesn't store the key of the user, I would like a way to
still be able to tell the user if their password is wrong. I need a way to
generate something that can be stored on the server, that the user can send
when generating the initial key, and then can resend when logging in, to which
the server can reply true/false depending on whether the master key/password is
correct.

My initial thought was to simply hash the master key and store that. I was
going to use SHA-256 but since I might use that to get the AES key, I had to
revisit it. Would simply generating a low-entropy/length hash from, say, MD5,
and storing that, be a good option? I'm not worried about collisions, since
the chance the user gets a collision for their own password is extremely low.

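The two comments above are really one problem: deriving more than one independent value from a single 512-bit scrypt output without letting either value reveal the other. The standard tool for that is HKDF (RFC 5869) with a distinct `info` label per purpose, which subsumes the poster's HMAC-SHA-256(master key, salt) idea and makes the "can I reuse SHA-256 for both?" worry go away. The following is an added example written for this thread, not code from the original poster: it derives the scrypt master key as the post describes (dkLen = 64), then uses HKDF-SHA-256 to split it into an AES-256 key and a separate login verifier, and shows what the server stores and how it checks a login. The application name in the labels, the scrypt cost parameters, the sample password and the salt are all assumptions made up for the example.

```python
"""HKDF-based subkey derivation from a 512-bit scrypt master key.
Added example for the thread; label strings and scrypt costs are assumptions."""
import hashlib
import hmac
import os

HASH = "sha256"
HASH_LEN = 32  # SHA-256 output size in bytes


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract: PRK = HMAC-Hash(salt, IKM). An empty salt is replaced by
    HashLen zero bytes, as RFC 5869 specifies."""
    if not salt:
        salt = b"\x00" * HASH_LEN
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand: T(i) = HMAC-Hash(PRK, T(i-1) | info | i), concatenated and
    truncated to `length` bytes. `info` is the domain-separation label that
    makes each derived key independent of every other one."""
    if length > 255 * HASH_LEN:
        raise ValueError("HKDF-Expand cannot produce more than 255*HashLen bytes")
    okm = b""
    block = b""  # T(0) is the empty string
    counter = 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_master_key(password: str, salt: bytes) -> bytes:
    """The post's master key: scrypt over the password with a server-supplied
    salt and dklen=64 (512 bits). The cost parameters n, r, p are assumed."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=2 ** 14, r=8, p=1, dklen=64)


def derive_subkeys(master_key: bytes):
    """Split the 512-bit master key into two independent 256-bit subkeys.
    Extracting with an empty salt is fine because scrypt output is already
    uniformly random; the distinct info labels do the real work."""
    prk = hkdf_extract(b"", master_key)
    aes_key = hkdf_expand(prk, b"example-app/aes-256-key/v1", 32)       # label assumed
    verifier = hkdf_expand(prk, b"example-app/login-verifier/v1", 32)   # label assumed
    return aes_key, verifier


def server_register(verifier: bytes) -> bytes:
    """What the server stores: a hash of the verifier rather than the verifier
    itself, so a database dump cannot be replayed as a login token."""
    return hashlib.sha256(verifier).digest()


def server_login(stored: bytes, presented_verifier: bytes) -> bool:
    """Constant-time comparison of the hashed presented verifier with the
    stored value; the server never sees the master key or the AES key."""
    return hmac.compare_digest(stored, hashlib.sha256(presented_verifier).digest())


def demo():
    """Registration followed by a correct and an incorrect login attempt."""
    salt = os.urandom(16)  # constructed here; in the post it comes from the server
    aes_key, verifier = derive_subkeys(derive_master_key("correct horse", salt))
    stored = server_register(verifier)
    ok = server_login(stored, derive_subkeys(derive_master_key("correct horse", salt))[1])
    bad = server_login(stored, derive_subkeys(derive_master_key("wrong horse", salt))[1])
    return ok, bad


if __name__ == "__main__":
    print(demo())
```

Two points worth noting. First, because HMAC-SHA-256 uses a 64-byte key block directly, the 512-bit master key feeds HKDF without being hashed down first, so nothing is lost relative to plain slicing, and unlike slicing the AES key and the verifier are not simply two halves of one secret. Second, the verifier is only as strong as the scrypt cost in front of it: an attacker holding the server's database and the salt can still guess passwords offline by recomputing the whole chain, which is the normal situation for any server-side password check and is exactly why the expensive step stays in scrypt rather than in the (cheap) HKDF and SHA-256 steps.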
