Is it safe to use PBKDF2 with SHA256 to generate 128-bit AES keys?

I want to use PBKDF2 with some cryptographic hash function to generate 128-bit AES keys. SHA1 is also 128-bit, so I thought about using this with PBKDF2, but it was broken, so I decided to use SHA256. Is it safe, or does the difference between the hash size and the resulting key size cause some catastrophic silent truncation that will make the AES keys weak? Should I just generate 256-bit keys for AES?

+3
1 answer

While SHA-1 is broken, most intelligent systems use only HMAC, which is stronger and probably still great. However, newer protocols, such as TLS 1.2, use at least SHA-256 for their pseudo-random function (PRF).

You should trim the result to the size you need (as most PRFs do). Some previous discussions are available on this subject.

In terms of key length, see keylength.com. You want to make sure that you agree on how you use each primitive.

+3
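The trimming the answer describes, as an added example that is not part of the original post: PBKDF2 with HMAC-SHA256 written out per RFC 8018 and checked against `hashlib.pbkdf2_hmac`, showing that a 128-bit key is simply the first 16 bytes of the first 32-byte output block. The password, salt and iteration count are constructed sample values; the iteration count is kept low so the demo runs quickly.

```python
import hashlib
import hmac
import math

H_LEN = hashlib.sha256().digest_size  # 32 bytes per PBKDF2 output block


def pbkdf2_block(password: bytes, salt: bytes, iterations: int, index: int) -> bytes:
    """One output block T_index = U_1 xor U_2 xor ... xor U_c (RFC 8018, 5.2)."""
    u = hmac.new(password, salt + index.to_bytes(4, "big"), hashlib.sha256).digest()
    t = int.from_bytes(u, "big")
    for _ in range(iterations - 1):
        u = hmac.new(password, u, hashlib.sha256).digest()
        t ^= int.from_bytes(u, "big")
    return t.to_bytes(H_LEN, "big")


def blocks_needed(dk_len: int) -> int:
    """Number of full iteration chains PBKDF2 must run for dk_len bytes."""
    return math.ceil(dk_len / H_LEN)


def pbkdf2_sha256(password: bytes, salt: bytes, iterations: int, dk_len: int) -> bytes:
    """Concatenate the needed blocks, then keep only the first dk_len bytes."""
    stream = b"".join(
        pbkdf2_block(password, salt, iterations, i)
        for i in range(1, blocks_needed(dk_len) + 1)
    )
    return stream[:dk_len]


# Constructed sample inputs (not from the original post).
PASSWORD = b"correct horse battery staple"
SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
ITERATIONS = 2000  # demo value only; use a much higher count in practice

if __name__ == "__main__":
    key128 = pbkdf2_sha256(PASSWORD, SALT, ITERATIONS, 16)
    key256 = pbkdf2_sha256(PASSWORD, SALT, ITERATIONS, 32)
    # The AES-128 key is the leading half of the 32-byte block, nothing more.
    print("AES-128 key:", key128.hex())
    print("is prefix of 32-byte output:", key256[:16] == key128)
    # 16 and 32 bytes cost one block; 48 bytes costs two full chains.
    for n in (16, 32, 48):
        print(n, "bytes ->", blocks_needed(n), "block(s)")
```

Requesting more than 32 bytes from PBKDF2-HMAC-SHA256 doubles the defender's work per derivation, while an attacker checking guesses against only the first block pays for one chain.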

Source: https://habr.com/ru/post/1716389/

