TL;DR
Automatically select a strong hash function for key derivation based on your system’s capabilities and security needs. This guide shows how to check available algorithms, prioritise them, and implement selection logic in your code.
1. Understand Key Derivation & Hash Functions
Key derivation transforms a secret (like a password) into one or more cryptographic keys. Hash functions are essential components of key derivation because they provide a one-way function – easy to compute the hash from the input, but extremely difficult to reverse engineer the input from the hash.
Different hash functions have different strengths and weaknesses. Modern systems should use algorithms like SHA-256 or SHA-384, avoiding older ones like MD5 or SHA-1 which are known to be vulnerable.
2. Check Available Hash Algorithms
First, determine which hash functions your system supports. The method varies depending on the programming language and operating system.
Python Example
import hashlib
print(hashlib.algorithms_available())This will print a list of available algorithms. Look for SHA256, SHA384, BLAKE2b, etc.
OpenSSL (Command Line)
openssl list -digest-algorithms | grep SHAThis command lists all SHA hash algorithms supported by OpenSSL.
3. Prioritise Hash Algorithms
Create a priority order for your hash functions, based on security and performance. A typical order might be:
- BLAKE2b (fastest & most secure where available)
- SHA-384
- SHA-256
- SHA-1 (avoid if possible, use only as a last resort)
Consider the following when prioritising:
- Security: Choose algorithms resistant to collision attacks and pre-image attacks.
- Performance: Faster algorithms are preferable, especially for large datasets or frequent key derivation.
- Availability: Ensure the algorithm is widely supported across different platforms.
4. Implement Algorithm Selection Logic
Write code to iterate through your priority list and select the first available hash function.
Python Example
import hashlib
def get_strongest_hash():
algorithms = ['blake2b', 'sha384', 'sha256'] # Your priority list
for algorithm in algorithms:
try:
hashlib.new(algorithm)
return algorithm
except ValueError:
pass # Algorithm not available
return None # No suitable algorithm found
hash_function = get_strongest_hash()
if hash_function:
print(f'Using hash function: {hash_function}')
else:
print('No supported hash functions found!')This code attempts to create a hash object for each algorithm in the list. If successful, it returns the algorithm name; otherwise, it continues to the next one.
5. Use the Selected Hash Function
Once you’ve selected the hash function, use it within your key derivation process (e.g., using PBKDF2, scrypt, or Argon2). The exact implementation depends on the chosen key derivation function.
Python Example (using PBKDF2)
import hashlib
import os
def derive_key(password, salt):
hash_function = get_strongest_hash()
if not hash_function:
raise Exception('No supported hash functions found!')
dk = hashlib.pbkdf2_hmac(
'sha256',
password.encode('utf-8'),
salt,
100000 # Number of iterations
)
return dkThis example uses PBKDF2 with the selected hash function to derive a key from a password and salt.
6. Testing & Monitoring
- Test thoroughly: Verify that your algorithm selection logic works correctly on different systems.
- Regularly update: Keep your libraries up-to-date to benefit from security improvements and new algorithms.
- Monitor for vulnerabilities: Stay informed about potential weaknesses in hash functions and adjust your priority list accordingly.