使用PBKDF2与SHA256可以安全地生成128位AES密钥吗？ [英] Is it safe to use PBKDF2 with SHA256 to generate 128-bit AES keys?

问题描述

我想用一些加密散列函数使用PBKDF2来生成128位AES密钥。 SHA1也是128位，所以我想过用PBKDF2，但是它是坏的，所以我选择了使用SHA256。这是安全的，还是哈希大小和产生的密钥大小之间的区别会导致某种无休止的静默截断，这将使AES密钥变弱？是否应该为AES生成256位密钥？

I want to use PBKDF2 with some cryptographic hash function to generate 128-bit AES keys. SHA1 is also 128-bit, so I thought of using that with PBKDF2, but it was broken, so I have opted to use SHA256 instead. Is this safe, or will the difference between the hash size and resulting key size cause some sort of disastrous silent truncation that will render the AES keys weak? Should I just have it generate 256-bit keys for AES instead?

推荐答案

虽然SHA-1被破坏，但最合理系统只能使用更强的 HMAC 版本，而可能还是很好。也就是说，较新的协议（如 TLS 1.2 ）正在使用，rel =nofollow noreferrer =nofollow noreferrer。

While SHA-1 is "broken", most reasonable systems only use the HMAC version, which is stronger and probably still fine. That said, newer protocols like TLS 1.2, are using at least SHA-256 for their Pseudo-Random Function (PRF).

你应该可以将结果截断到你需要的大小（像大多数PRFs一样）。以前有一些讨论可以在这个问题。

You should be ok truncating the result down to the size you need (as most PRFs do). Some prior discussion is available on this question.

在密钥长度方面，请参阅 keylength.com 。你想要确保你在使用每个原语时是一致的。

In terms of key length, see keylength.com. You want to make sure you're consistent in the how you're using each primitive.

这篇关于使用PBKDF2与SHA256可以安全地生成128位AES密钥吗？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！