I need to use a hash function to generate a 128-bit key for a symmetric cipher.
Question
I need to use a hash function to generate a 128-bit key for a symmetric cipher. The specific cipher is from the eStream portfolio, called Rabbit.
I am using the SRP protocol for authentication (a type of EKE protocol). As a result of this, both parties will calculate the same large integer value and need to hash it into a key they can both use.
I would like to use SHA256 to generate the key, but its output is twice the length required.
Can I just truncate the hash to the lower 128 bits or something?
What is usually done in this case?
Explanation / Answer
Short answer: just truncate, it's fine.
Long answer: you want a Key Derivation Function. A KDF turns an arbitrary-sized input (the shared secret obtained from SRP) into a configurable sequence of bytes, which you can split into as many sub-sequences as you need for symmetric cryptography. For instance, SSL/TLS defines a KDF (it calls it "PRF"; see section 5) so that it can extend the "master secret" (the shared secret obtained from whatever key exchange mechanism has been used) into six elements (an encryption key, a MAC key, and an IV, for each tunnel direction).
If you have a "reasonable" hash function such as SHA-256, and your secret data needs an amount of at most the hash output length, then a simple truncation will be an appropriate KDF. (Theoretically, being a good KDF after truncation is not implied by the hash function being appropriately resistant to collisions and preimages, but in practice you will not get any trouble with SHA-256 or SHA-512.)
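Both approaches from the answer side by side, as an added example that is not part of the original post: the plain SHA-256 truncation, and an HKDF (RFC 5869, HMAC-SHA-256) that stretches the same SRP secret into a Rabbit key plus IV. The big-endian encoding of the SRP integer and the context label are assumptions of this example; the SRP value itself comes from whatever SRP library the two parties use.

```python
import hashlib
import hmac

# Rabbit (eSTREAM) takes a 128-bit key and a 64-bit IV.
RABBIT_KEY_LEN = 16
RABBIT_IV_LEN = 8


def srp_secret_to_bytes(shared_secret: int) -> bytes:
    """Encode the SRP shared integer as minimal-length big-endian bytes (assumed
    convention). Both parties must encode identically or their keys will differ."""
    length = max(1, (shared_secret.bit_length() + 7) // 8)
    return shared_secret.to_bytes(length, "big")


def derive_key_truncate(secret: bytes) -> bytes:
    """The 'short answer': SHA-256 the secret and keep the first 128 bits."""
    return hashlib.sha256(secret).digest()[:RABBIT_KEY_LEN]


def hkdf(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    """The 'long answer': HKDF extract-then-expand with HMAC-SHA-256, turning one
    secret into any number of labelled output bytes (key, IV, MAC key, ...)."""
    # RFC 5869: an empty salt is replaced by HashLen zero bytes.
    prk = hmac.new(salt or b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_rabbit_params(shared_secret: int, context: bytes = b"rabbit key+iv") -> tuple:
    """Derive (key, iv) for Rabbit from the SRP shared integer via HKDF.
    The context label is a constructed value; both sides must use the same one."""
    ikm = srp_secret_to_bytes(shared_secret)
    okm = hkdf(ikm, b"", context, RABBIT_KEY_LEN + RABBIT_IV_LEN)
    return okm[:RABBIT_KEY_LEN], okm[RABBIT_KEY_LEN:]
```

Truncation is enough when you need at most one hash output of key material; once you also need an IV or MAC key from the same secret, the HKDF route keeps the pieces independent without ad hoc slicing.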