Let's say I would like to have "password-derived-bytes" as AES key.
For example, I have a password "topsecret", I do calculate SHA-1 hash for it (160bit) and I want to feed those bytes as key for AES-128.
Should I just truncate after 128 bits or do some kind of folding?
What about AES-256? Should I repeat bytes, pad with 0's or do some "unfolding" operation?
I know that in the later case security remains at 160-bit because the pool of 256-bit passwords is reduced to 2^160 possible combinations, but I'm just trying to overcome technical limitation (no AES-160).
What theory says?
(No, using MD5 for 128-bit and SHA-256 for 256-bit long hashes is not an option)
A typical password only has a few dozen bits of entropy, and running a password through a hash function does not add any entropy to it. Therefore, such keys are easily attacked using a dictionary or brute force.
The most commonly accepted solution is to make the hash function very slow. Algorithms designed for this are called "password-based key derivation functions". PBKDF2 and bcrypt are among the most popular ones.
Theory says that it does not matter. You can pad with 0's, you can pad by repeating, etc. The amount of entropy in your result is the same - it's equally hard to brute force.
As for truncating it to 128 bits, it doesn't matter how you truncate it - all the bytes of the hash output are generally considered equally random and uncorrelated. There is no "more entropic" side or something.
So, technically, do as you will - you remain as strong as your password.