I'd like to combine a random key file with a password to generate a secure seed
Question
I'd like to combine a random key file with a password to generate a secure seed for a CSPRNG. The key file is assumed to have very high entropy, but the password will be whatever the user provides. What's the best way to combine the two in order to seed the PRNG? The goal of course is that the output of the PRNG will be difficult to predict unless you have both the key file and the password.
My first thought is to simply use PBKDF-2 to stretch the password so it's the same size as the key file, then XOR them together. I won't be transmitting this seed or anything, so I don't think it matters that this in itself is poor encryption. But are there any other considerations I should make?
I will most likely be using AES in counter mode for the PRNG, but an answer covering a more generic case would be appreciated. Also, I'm assuming that the key file is the same size as the seed that the PRNG will take.
Explanation / Answer
If your password has low entropy (or "could have low entropy") and the "key file" is assumed to be known to an attacker, you really need some key stretching like PBKDF-2, bcrypt or scrypt with a suitable work factor to detain possible attackers.
As these functions also have a salt input, and you actually have another entropy source (the key file), I would use the key file as the salt input and the password as the key input to these schemes, and produce an output of suitable size for your CSPRNG seed.
I suppose the same scheme is also secure when only the password is known (and not the keyfile used as salt), though this is not a direct design goal of these password hashing schemes.
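The construction the answer describes, written out as an added example (not code from the question or the answer): the key file goes in as the salt, the password as the stretched input, and the derived output seeds a counter-mode generator. The scrypt parameters, the sample key file and password, and the generator itself are assumptions of this example. The question intends AES in counter mode; since the Python standard library has no AES, this example uses HMAC-SHA256 over a 128-bit counter as the keyed block function, which keeps the same "key plus counter in, keystream out" shape.

```python
import hashlib
import hmac

# Constructed sample inputs, not taken from the original post: a 32-byte
# "key file" (here fixed hex so the example is reproducible; in practice it
# would come from os.urandom or a file) and a low-entropy user password.
KEY_FILE = bytes.fromhex(
    "0f1e2d3c4b5a69788796a5b4c3d2e1f0"
    "00112233445566778899aabbccddeeff"
)
PASSWORD = b"correct horse"


def derive_seed(password: bytes, key_file: bytes,
                seed_len: int = 32, work_factor: int = 2 ** 14) -> bytes:
    """Combine the two inputs as the answer suggests.

    The high-entropy key file is the salt, the password is the input that
    gets stretched, and dklen is chosen to match the generator's seed size.
    hashlib.scrypt is the key-stretching function; n/r/p here are example
    values (assumption), not a recommendation for a specific deployment.
    """
    return hashlib.scrypt(password, salt=key_file, n=work_factor,
                          r=8, p=1, dklen=seed_len)


class CounterModePRNG:
    """Deterministic generator in counter mode.

    Stand-in for the AES-CTR generator the question mentions: the seed is
    the key and each output block is PRF(key, counter). HMAC-SHA256 is used
    as the PRF only because the standard library has no AES (assumption).
    """

    def __init__(self, seed: bytes):
        if len(seed) < 32:
            raise ValueError("seed must be at least 32 bytes")
        self._key = seed
        self._counter = 0  # 128-bit counter, incremented per block

    def _next_block(self) -> bytes:
        block = hmac.new(self._key, self._counter.to_bytes(16, "big"),
                         hashlib.sha256).digest()
        self._counter += 1
        return block

    def random_bytes(self, n: int) -> bytes:
        out = bytearray()
        while len(out) < n:
            out += self._next_block()
        return bytes(out[:n])


def keystream(password: bytes, key_file: bytes, n: int) -> bytes:
    """Seed a generator from (password, key file) and return n output bytes."""
    return CounterModePRNG(derive_seed(password, key_file)).random_bytes(n)


if __name__ == "__main__":
    print(keystream(PASSWORD, KEY_FILE, 32).hex())
```

Two properties worth checking when wiring this up: the same password and key file must reproduce the same stream (otherwise the seed is not a deterministic function of the two inputs), and changing either input alone must change the stream, which is the "need both" goal stated in the question. Note that scrypt's salt input is not required to be secret, so the answer's closing caveat applies: secrecy of the key file is extra protection the scheme was not designed around, not something its security proof covers.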