Key derivation with only a password

Thomas K.
2013-12-12
2013-12-17
  • Thomas K.
    2013-12-12

    I am currently trying to get a general understanding of the key derivation process. While I think I understood most of it, I currently have one question left. The website says:

    If only a password is used (i.e. no key file), the password plus a 128-bit random salt are hashed using SHA-256 to form the final key.

    I understand this as: (Raw) Composite Key = SHA-256(SHA-256(password)||128-bit salt). I.e. the salt is treated as an additional User Key and the key derivation process continues normally.
    Where is this salt added (within the code)? I expected to see a reference in KcpPassword.cs or CompositeKey.cs, but couldn't find any.

    Any advice is appreciated :)

    Cheers,
    Thomas

     
  • Dominik Reichl
    2013-12-13

    A salt is used during the KDF, not the initial composite key building. See the method CompositeKey.GenerateKey32 (pbKeySeed32).

    Best regards,
    Dominik

     
  • Thomas K.
    2013-12-17

    Thanks for your clarification.
    But isn't this seed used in other combinations than password only as well, i.e. password+keyfile, password+key provider, or a key provider on its own?

    Best regards,
    Thomas

     
  • Dominik Reichl
    2013-12-17

    Correct. The components of a composite master key are first combined and then the composite master key is sent through the KDF, which uses the seed.

    Best regards,
    Dominik
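
The order described in the last reply, as an added example that is not part of the thread and is not KeePass source code: the components are hashed into the raw composite key with no seed involved, and the seed enters only in the KDF step. The AES-based transform, the round count and the names `RawCompositeKey` and `TransformKey` are assumptions made for illustration; the thread does not say which KDF is used.

```csharp
// Added illustration, not KeePass source code. Method names are hypothetical.
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

static class CompositeKeySketch
{
    static byte[] Sha256(byte[] data)
    {
        using (var sha = SHA256.Create()) return sha.ComputeHash(data);
    }

    // Step 1: combine the components (password hash, key file data, ...).
    // No seed or salt is involved here, so the result depends only on the components.
    static byte[] RawCompositeKey(params byte[][] components)
    {
        return Sha256(components.SelectMany(c => c).ToArray());
    }

    // Step 2: the KDF. Assumption: an AES-based transform in which the 32-byte
    // seed is the AES-256 key and the raw key is encrypted repeatedly in ECB mode.
    static byte[] TransformKey(byte[] rawKey32, byte[] seed32, int rounds)
    {
        byte[] cur = (byte[])rawKey32.Clone(), next = new byte[32];
        using (var aes = Aes.Create())
        {
            aes.Mode = CipherMode.ECB;
            aes.Padding = PaddingMode.None;
            aes.Key = seed32;
            using (var enc = aes.CreateEncryptor())
                for (int i = 0; i < rounds; i++)
                {
                    enc.TransformBlock(cur, 0, 32, next, 0);
                    (cur, next) = (next, cur); // output becomes next round's input
                }
        }
        return Sha256(cur);
    }

    static void Main()
    {
        // Constructed sample values: a password-only key and two random seeds.
        byte[] raw = RawCompositeKey(Sha256(Encoding.UTF8.GetBytes("sample-password")));
        byte[] seedA = RandomNumberGenerator.GetBytes(32), seedB = RandomNumberGenerator.GetBytes(32);
        Console.WriteLine("raw composite key: " + Convert.ToHexString(raw));
        Console.WriteLine("after KDF, seed A: " + Convert.ToHexString(TransformKey(raw, seedA, 6000)));
        Console.WriteLine("after KDF, seed B: " + Convert.ToHexString(TransformKey(raw, seedB, 6000)));
    }
}
```

The raw composite key is the same on every run, while the two transformed keys differ because each uses its own seed. Adding a key file or key provider changes only the arguments to `RawCompositeKey`; the seed handling in step 2 stays the same.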