Key Derivation: Choosing the Right Hash

TL;DR

Automatically select a strong hash function for key derivation based on your system’s capabilities and security needs. This guide shows how to check available algorithms, prioritise them, and implement selection logic in your code.

1. Understand Key Derivation & Hash Functions

Key derivation transforms a secret (like a password) into one or more cryptographic keys. Hash functions are essential components of key derivation because they provide a one-way function – easy to compute the hash from the input, but extremely difficult to reverse engineer the input from the hash.

Different hash functions have different strengths and weaknesses. Modern systems should use algorithms like SHA-256 or SHA-384, avoiding older ones like MD5 or SHA-1 which are known to be vulnerable.

2. Check Available Hash Algorithms

First, determine which hash functions your system supports. The method varies depending on the programming language and operating system.

Python Example

import hashlib
print(hashlib.algorithms_available())

This will print a list of available algorithms. Look for SHA256, SHA384, BLAKE2b, etc.

OpenSSL (Command Line)

openssl list -digest-algorithms | grep SHA

This command lists all SHA hash algorithms supported by OpenSSL.

3. Prioritise Hash Algorithms

Create a priority order for your hash functions, based on security and performance. A typical order might be:

1. BLAKE2b (fastest & most secure where available)
2. SHA-384
3. SHA-256
4. SHA-1 (avoid if possible, use only as a last resort)

Consider the following when prioritising:

• Security: Choose algorithms resistant to collision attacks and pre-image attacks.
• Performance: Faster algorithms are preferable, especially for large datasets or frequent key derivation.
• Availability: Ensure the algorithm is widely supported across different platforms.

4. Implement Algorithm Selection Logic

Write code to iterate through your priority list and select the first available hash function.

Python Example

import hashlib

def get_strongest_hash():
  algorithms = ['blake2b', 'sha384', 'sha256'] # Your priority list
  for algorithm in algorithms:
    try:
      hashlib.new(algorithm)
      return algorithm
    except ValueError:
      pass # Algorithm not available
  return None # No suitable algorithm found

hash_function = get_strongest_hash()
if hash_function:
  print(f'Using hash function: {hash_function}')
else:
  print('No supported hash functions found!')

This code attempts to create a hash object for each algorithm in the list. If successful, it returns the algorithm name; otherwise, it continues to the next one.

5. Use the Selected Hash Function

Once you’ve selected the hash function, use it within your key derivation process (e.g., using PBKDF2, scrypt, or Argon2). The exact implementation depends on the chosen key derivation function.

Python Example (using PBKDF2)

import hashlib
import os

def derive_key(password, salt):
  hash_function = get_strongest_hash()
  if not hash_function:
    raise Exception('No supported hash functions found!')
  dk = hashlib.pbkdf2_hmac(
      'sha256', 
      password.encode('utf-8'), 
      salt, 
      100000 # Number of iterations
  )
  return dk

This example uses PBKDF2 with the selected hash function to derive a key from a password and salt.

6. Testing & Monitoring

• Test thoroughly: Verify that your algorithm selection logic works correctly on different systems.
• Regularly update: Keep your libraries up-to-date to benefit from security improvements and new algorithms.
• Monitor for vulnerabilities: Stay informed about potential weaknesses in hash functions and adjust your priority list accordingly.