Is it safe to use PBKDF2 with SHA256 to generate 128-bit AES keys?

放肆的年华 submitted on 2019-12-10 19:55:43

Question


I want to use PBKDF2 with some cryptographic hash function to generate 128-bit AES keys. SHA1 is also 128-bit, so I thought of using that with PBKDF2, but it was broken, so I have opted to use SHA256 instead. Is this safe, or will the difference between the hash size and resulting key size cause some sort of disastrous silent truncation that will render the AES keys weak? Should I just have it generate 256-bit keys for AES instead?


Answer 1:


While SHA-1 is "broken", most reasonable systems only use the HMAC version, which is stronger and probably still fine. That said, newer protocols like TLS 1.2 are using at least SHA-256 for their Pseudo-Random Function (PRF).

You should be ok truncating the result down to the size you need (as most PRFs do). Some prior discussion is available on this question.

In terms of key length, see keylength.com. You want to make sure you're consistent in how you're using each primitive.
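
The truncation discussed in the answer above, as an added example that is not part of the original answer: it rebuilds the first PBKDF2 output block by hand and checks that a 16-byte request returns the leading 16 bytes of that 32-byte HMAC-SHA256 block. The password, salt and iteration count are constructed sample values, and `pbkdf2_block`, `derive_aes128_key` and `truncation_check` are names made up for this illustration.

```python
import hashlib
import hmac


def pbkdf2_block(password: bytes, salt: bytes, iterations: int, index: int) -> bytes:
    """One PBKDF2 output block T_index (RFC 8018, section 5.2), PRF = HMAC-SHA256."""
    # U_1 = PRF(P, S || INT(index)); U_j = PRF(P, U_{j-1}); T = U_1 xor ... xor U_c
    u = hmac.new(password, salt + index.to_bytes(4, "big"), hashlib.sha256).digest()
    t = int.from_bytes(u, "big")
    for _ in range(iterations - 1):
        u = hmac.new(password, u, hashlib.sha256).digest()
        t ^= int.from_bytes(u, "big")
    return t.to_bytes(hashlib.sha256().digest_size, "big")


def derive_aes128_key(password: bytes, salt: bytes, iterations: int) -> bytes:
    """Request exactly 16 bytes (an AES-128 key) from PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dklen=16)


def truncation_check(password: bytes, salt: bytes, iterations: int) -> dict:
    """Derive the key three ways so the truncation can be compared directly."""
    return {
        "key16": derive_aes128_key(password, salt, iterations),
        # dklen omitted: the library returns one full digest-sized block (32 bytes)
        "full32": hashlib.pbkdf2_hmac("sha256", password, salt, iterations),
        "block1": pbkdf2_block(password, salt, iterations, 1),
    }


if __name__ == "__main__":
    # Constructed sample inputs. In real use the salt comes from os.urandom(16),
    # is stored next to the ciphertext, and the iteration count is tuned much higher.
    sample_password = b"correct horse battery staple"
    sample_salt = bytes(range(16))
    result = truncation_check(sample_password, sample_salt, 10_000)

    print("AES-128 key       :", result["key16"].hex())
    print("full 32-byte block:", result["full32"].hex())
    print("key is a prefix of the block:", result["key16"] == result["full32"][:16])
    print("manual T_1 matches library  :", result["block1"] == result["full32"])
```
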



Source: https://stackoverflow.com/questions/1351453/is-it-safe-to-use-pbkdf2-with-sha256-to-generate-128-bit-aes-keys
