
I'm using the hash_pbkdf2() algorithm to derive the encryption key from the user's password, and I'm doing it like this:

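$salt = random_bytes(16);   // 16 random bytes
$interactions = 250000;     // PBKDF2 iteration count
$size = 256;                // output length; with raw output off this counts hex digits
$encryptionKey = hash_pbkdf2(
    "sha384",
    $password,
    $salt,
    $interactions,
    $size,
    false                   // binary = false: the key is returned as a hex string
);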

My problem is that I do not know what to do with $salt. It is randomly generated the first time, but it has to be the same on later logins so that the same encryption key is derived and the encrypted data can always be decrypted without problems.

What must I do with the salt? Store it (encrypted, maybe), or is that not secure?
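The situation described in the question, as an added example that is not part of the original post: a PBKDF2 salt is not a secret, so it is generated once and stored unencrypted next to the ciphertext, then read back at each login to derive the same key. The function names, the record layout, the 32-byte key length and the use of AES-256-GCM through the openssl extension are assumptions made for illustration.

```php
<?php
// Added example, not the asker's code. deriveKey, sealForUser and
// openForUser are hypothetical names; the record layout is an assumption.
declare(strict_types=1);

const KDF_ALGO = 'sha384';
const KDF_ITERATIONS = 250000; // value from the question
const KEY_BYTES = 32;          // assumption: raw 256-bit key for AES-256

function deriveKey(string $password, string $salt, int $iterations): string
{
    // binary = true: the length is counted in bytes and the key is raw, not hex
    return hash_pbkdf2(KDF_ALGO, $password, $salt, $iterations, KEY_BYTES, true);
}

// First use: create the salt once and keep it, in the clear, with the ciphertext.
function sealForUser(string $password, string $plaintext): array
{
    $salt  = random_bytes(16);
    $nonce = random_bytes(12); // fresh for every encryption under the same key
    $key   = deriveKey($password, $salt, KDF_ITERATIONS);
    $ct    = openssl_encrypt($plaintext, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $nonce, $tag);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    return [
        'salt'       => base64_encode($salt),
        'iterations' => KDF_ITERATIONS, // stored so the count can be raised later
        'nonce'      => base64_encode($nonce),
        'tag'        => base64_encode($tag),
        'ciphertext' => base64_encode($ct),
    ];
}

// Later logins: read the stored salt back and derive the same key again.
function openForUser(string $password, array $record): ?string
{
    $key = deriveKey($password, base64_decode($record['salt'], true), (int) $record['iterations']);
    $pt  = openssl_decrypt(
        base64_decode($record['ciphertext'], true), 'aes-256-gcm', $key, OPENSSL_RAW_DATA,
        base64_decode($record['nonce'], true), base64_decode($record['tag'], true)
    );
    return $pt === false ? null : $pt; // null: wrong password or tampered record
}

// Constructed sample values.
$record = sealForUser('correct horse battery staple', 'secret note');
var_dump(openForUser('correct horse battery staple', $record));
var_dump(openForUser('wrong password', $record));
```

Only the password and the derived key need to stay secret; the salt, iteration count, nonce and tag can all sit in the same database row as the ciphertext.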

0 Answers