Using SHA-1 hash as AES key

Published 2019-05-27 12:09

Question:

Let's say I would like to have "password-derived-bytes" as AES key. For example, I have a password "topsecret", I do calculate SHA-1 hash for it (160bit) and I want to feed those bytes as key for AES-128.

Should I just truncate after 128 bits or do some kind of folding? What about AES-256? Should I repeat bytes, pad with 0's or do some "unfolding" operation?

I know that in the latter case security remains at 160-bit because the pool of 256-bit passwords is reduced to 2^160 possible combinations, but I'm just trying to overcome technical limitation (no AES-160).

What theory says? (No, using MD5 for 128-bit and SHA-256 for 256-bit long hashes is not an option)

Answer 1:

A typical password only has a few dozen bits of entropy, and running a password through a hash function does not add any entropy to it. Therefore, such keys are easily attacked using a dictionary or brute force.

The most commonly accepted solution is to make the hash function very slow. Algorithms designed for this are called "password-based key derivation functions". PBKDF2 and bcrypt are among the most popular ones.

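To make the answer concrete, here is an added example (not code from the original post or from either answerer) of deriving AES-128 or AES-256 key material with PBKDF2-HMAC from Python's standard library, which is why PBKDF2 rather than bcrypt is shown. The iteration count, the salt length and the function names are assumptions made for this example; a deployment tunes the iteration count to its own hardware budget. The example also shows what must be stored beside the ciphertext (salt, iteration count, hash) so the key can be re-derived, and compares the re-derived key in constant time.

```python
import hashlib
import hmac
import os

# Assumed parameters for this example; real deployments tune the iteration
# count to their own hardware and latency budget.
PBKDF2_HASH = "sha256"
PBKDF2_ITERATIONS = 600_000
SALT_LEN = 16


def derive_aes_key(password: str, salt: bytes, key_bits: int,
                   iterations: int = PBKDF2_ITERATIONS,
                   hash_name: str = PBKDF2_HASH) -> bytes:
    """Derive an AES key of key_bits (128, 192 or 256) from a password.

    PBKDF2 emits exactly the requested number of bytes, so there is no
    truncation or padding step to get wrong, and every password guess
    costs an attacker `iterations` HMAC evaluations instead of one hash.
    """
    if key_bits not in (128, 192, 256):
        raise ValueError("AES keys are 128, 192 or 256 bits")
    return hashlib.pbkdf2_hmac(hash_name, password.encode("utf-8"), salt,
                               iterations, dklen=key_bits // 8)


def new_key_record(password: str, key_bits: int) -> dict:
    """Pick a fresh random salt and return the derived key together with
    the parameters that must be persisted next to the ciphertext (salt,
    iteration count, hash name) so the same key can be re-derived later.
    Only those parameters are stored in practice; the key is kept in the
    record here solely so the example can check re-derivation."""
    salt = os.urandom(SALT_LEN)
    return {
        "salt": salt,
        "iterations": PBKDF2_ITERATIONS,
        "hash": PBKDF2_HASH,
        "key_bits": key_bits,
        "key": derive_aes_key(password, salt, key_bits),
    }


def rederive_key(password: str, record: dict) -> bytes:
    """Re-derive the key from a stored parameter record (decrypt time)."""
    return derive_aes_key(password, record["salt"], record["key_bits"],
                          record["iterations"], record["hash"])


def rederives_correctly(password: str, record: dict) -> bool:
    """Constant-time comparison of a re-derived key against the original."""
    return hmac.compare_digest(rederive_key(password, record), record["key"])


if __name__ == "__main__":
    rec = new_key_record("topsecret", 256)
    print("AES-256 key:", rec["key"].hex())
    print("correct password re-derives:", rederives_correctly("topsecret", rec))
    print("wrong password re-derives:  ", rederives_correctly("topsecrat", rec))
```

The salt is generated per key and is not secret; it only stops one precomputed table from serving every user. The slowdown comes from the iteration count, which is what the answer means by making the hash function very slow.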


Answer 2:

Theory says that it does not matter. You can pad with 0's, you can pad by repeating, etc. The amount of entropy in your result is the same - it's equally hard to brute force.

As for truncating it to 128 bits, it doesn't matter how you truncate it - all the bytes of the hash output are generally considered equally random and uncorrelated. There is no "more entropic" side or something.

So, technically, do as you will - you remain as strong as your password.
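As an added illustration of this answer (example code, not from the original post or the answerer), the block below maps a SHA-1 digest onto AES-128 and AES-256 key lengths in the three ways the question asks about (truncate, zero-pad, repeat) and then runs the same wordlist against each variant. The wordlist and the function names are constructed for the example. Because every variant is a fixed function of the same 160-bit digest, the attack finds the password after exactly the same number of guesses regardless of how the key was stretched or cut.

```python
import hashlib

SHA1_BYTES = 20  # 160 bits


def sha1_key_material(password: str, key_bits: int, mode: str = "truncate") -> bytes:
    """Map SHA-1(password) onto an AES key length.

    mode selects how the 160-bit digest is stretched or cut:
      "truncate": keep the first key_bits bits (only for key_bits <= 160)
      "zeropad":  digest followed by zero bytes
      "repeat":   digest repeated and cut to length
    Every mode is a deterministic function of the same digest, so none of
    them changes how many passwords an attacker has to try.
    """
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    n = key_bits // 8
    if mode == "truncate":
        if n > SHA1_BYTES:
            raise ValueError("cannot truncate to more than 160 bits")
        return digest[:n]
    if mode == "zeropad":
        return (digest + bytes(max(0, n - SHA1_BYTES)))[:n]
    if mode == "repeat":
        reps = -(-n // SHA1_BYTES)  # ceiling division
        return (digest * reps)[:n]
    raise ValueError(f"unknown mode {mode!r}")


def dictionary_attack(target_key: bytes, key_bits: int, mode: str, wordlist):
    """Try each word in wordlist; return (password, guesses) on a hit,
    or (None, len(wordlist)) if nothing matched."""
    for guesses, candidate in enumerate(wordlist, start=1):
        if sha1_key_material(candidate, key_bits, mode) == target_key:
            return candidate, guesses
    return None, len(wordlist)


# Constructed sample wordlist for the demonstration.
WORDLIST = ["123456", "password", "qwerty", "letmein", "topsecret", "hunter2"]


def demo(password: str = "topsecret") -> dict:
    """Derive the key three ways and attack each; every variant falls
    after the same number of guesses."""
    results = {}
    for key_bits, mode in ((128, "truncate"), (256, "zeropad"), (256, "repeat")):
        key = sha1_key_material(password, key_bits, mode)
        results[(key_bits, mode)] = dictionary_attack(key, key_bits, mode, WORDLIST)
    return results


if __name__ == "__main__":
    for (bits, mode), (found, guesses) in demo().items():
        print(f"AES-{bits} via {mode:8s}: recovered {found!r} after {guesses} guesses")
```

The guess count is identical across the three variants, which is the answer's point: the stretching step is free for the attacker, and the key is exactly as strong as the password behind it.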