6

Say I'm designing a library to sign/verify messages with SHA-256 HMAC. If the end user uses a weak shared key and sends a lot of short messages, I assume there would be risk of an attacker discovering the key.

My intuition says I should append a unique (per message) salt to the key to make reverse-engineering the key harder.

How much would key salting help, and would I gain anything by also salting the messages?

Steve Clay

1 Answer

3

Normally people salt the key. It does increase security, both because it makes reverse-engineering the key harder, and because the same message does not always have the same MAC, so an attacker can't simply re-send a message that was sent earlier with the same MAC. I don't see what salting the message as well would get you.

  • [+1] I agree, salting the message does nothing (HMAC/SHA-256 is not computationally intensive, even for long messages), and salting the key is the way to go. If you want to salt the key, though, you need to use a computationally intensive process like [PBKDF2](http://en.wikipedia.org/wiki/PBKDF2) or else you're not really adding any security. – kbolino Sep 01 '11 at 17:26
  • So I'd create the key with this [PBKDF2 function](http://www.itnewb.com/v/Encrypting-Passwords-with-PHP-for-Storage-Using-the-RSA-PBKDF2-Standard) and then just add the iteration count to the transmitted message? How do I determine the desired key length? – Steve Clay Sep 01 '11 at 21:40
  • [+1] As I understand it, the iteration count is usually treated as a constant of the implementation. That is, you pick a value like 10,000 and then share it beforehand (i.e., by hard-coding it in the software). If you want it to be variable, then you should set and enforce a fairly high lower bound. – kbolino Sep 02 '11 at 06:30
  • [+1] You should choose a salt no smaller than 64 bits, according to the standard. As for the key, since the salt is shared, it has no effect on the total entropy, so you have no more bits of entropy in the derived key than you had in the PSK, and you may have less. Thus using a longer length than your PSK has marginal benefit, while using a shorter length may reduce the entropy. The specific value you choose will depend on your circumstances; WPA2, for example, uses 256-bit derived keys. – kbolino Sep 02 '11 at 06:43