Key generation and derivation

Cryptographic keys are the input parameters to many cryptographic operations, such as encryption, decryption and signing. This HOWTO shows how to create keys from passwords, and how to derive multiple keys from one master key.

Cryptographic keys can be obtained by two methods:

  • by generating a key from random data (e.g. SecureRandom)
  • by deriving the key from other data (input key material)

Key Generation

Cryptographic keys can be generated from a random number generator (RNG). Rather than using the raw RNG output directly, the random data should always be passed through a key derivation function (KDF) to produce the key:

graph LR;
  RNG(fa:fa-cog RNG) --> KDF[fa:fa-cog Key Derivation Function]
  KDF --> K(fa:fa-key Key)
  K -.-> AES[fa:fa-cog AES]

Key Derivation

The words password and cryptographic key are often used interchangeably, although they are technically quite different.

A password is a sequence of characters, often of arbitrary length. A cryptographic key is a binary object with an algorithm-specific structure.

graph LR;
  P(Password) --> PBKDF[fa:fa-cog Password based Key Derivation Function]
  S(Salt) --> PBKDF
  PBKDF --> K(fa:fa-key Key)
  K -.-> AES[fa:fa-cog AES]

graph LR;
  MK(fa:fa-key Masterkey) --> KDF[fa:fa-cog Key Derivation Function]
  S(Salt) --> KDF
  ID(Context + SubKey ID) --> KDF
  KDF --> SK(fa:fa-key Subkey)
  SK -.-> AES[fa:fa-cog AES]

Details

  • Derive more keys from a key: For many use cases it is desirable to derive multiple keys from one master key. This not only increases security, it also greatly simplifies key management.

  • From password to key: The process of deriving a cryptographic key from a password is called password based key derivation. Because passwords are often too short or too predictable, this derivation usually also implements some kind of key strengthening or key stretching.
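Both derivation paths from the diagrams above, as an added example that is not part of the original page: the password path uses PBKDF2-HMAC-SHA256 (a password based KDF with key stretching) and the subkey path uses HKDF (RFC 5869) with a salt and a "context + subkey ID" info string, both built from the Python standard library. The iteration count, the minimum salt length and the layout of the info string are assumptions of this example.

```python
import hashlib
import hmac
import os

# Added example: PBKDF2 for password -> key, HKDF for master key -> subkey.
# Iteration count, salt minimum and info-string layout are assumptions here.

def key_from_password(password: str, salt: bytes, length: int = 32,
                      iterations: int = 600_000) -> bytes:
    """Password -> key. The iteration count is the stretching factor; raise
    it as far as your latency budget allows (assumed default: 600k)."""
    if len(salt) < 16:
        raise ValueError("salt should be at least 16 random bytes")
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                               salt, iterations, dklen=length)


def hkdf(ikm: bytes, salt: bytes, info: bytes, length: int,
         hash_name: str = "sha256") -> bytes:
    """HKDF extract-then-expand (RFC 5869)."""
    digest_size = hashlib.new(hash_name).digest_size
    if length > 255 * digest_size:
        raise ValueError("requested length too large for HKDF")
    # Extract: PRK = HMAC(salt, IKM); an empty salt defaults to zero bytes.
    prk = hmac.new(salt or b"\x00" * digest_size, ikm, hash_name).digest()
    # Expand: T(i) = HMAC(PRK, T(i-1) || info || i), blocks concatenated.
    okm, block = b"", b""
    for counter in range(1, (length + digest_size - 1) // digest_size + 1):
        block = hmac.new(prk, block + info + bytes([counter]), hash_name).digest()
        okm += block
    return okm[:length]


def derive_subkey(master_key: bytes, salt: bytes, context: bytes,
                  subkey_id: int, length: int = 32) -> bytes:
    """Master key + salt + (context, subkey ID) -> subkey. Binding the purpose
    and an index into the info string yields an independent key per use, so
    the master key itself is never handed to any one operation."""
    info = context + b"\x00" + subkey_id.to_bytes(8, "big")  # assumed layout
    return hkdf(master_key, salt, info, length)


if __name__ == "__main__":
    salt = os.urandom(16)                      # store alongside the ciphertext
    master = key_from_password("correct horse battery staple", salt)
    enc_key = derive_subkey(master, salt, b"file-encryption", 1)
    mac_key = derive_subkey(master, salt, b"file-mac", 1)
    print(enc_key.hex(), mac_key.hex(), sep="\n")
```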

Further Reading