I am developing a platform that uses several secret keys for several purposes: key1 for hashing passwords (using PBKDF2-HMAC-SHA256), key2 to generate non-repeating unpredictable UUIDs (using AES-128 and a counter), etc.
Instead of storing different keys, I thought of generating them from a single key, i.e.:
key1 = HMAC(primary_key, "key1");
key2 = HMAC(primary_key, "key2");
...
Is there any critical flaw in doing that? Is this programming pattern common? Generating the keys separately obviously gives the small advantage that there are no mathematical dependencies between the keys. However, from what I understand, even if an attacker finds key1, he will not be able to find primary_key or key2, right?
Thanks
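
The derivation pattern asked about above, as an added example that is not part of the original post: `derive_simple` is the HMAC-with-label construction exactly as written in the question, and `hkdf_expand` goes one step further to the standardized form of the same idea (HKDF-Expand, RFC 5869), which adds a block counter so subkeys of any length can be produced. The function names, the 32-byte minimum for the primary key and the sample key are assumptions made for this example.

```python
import hashlib
import hmac

HASH_LEN = hashlib.sha256().digest_size  # 32 bytes for SHA-256


def derive_simple(primary_key: bytes, label: bytes) -> bytes:
    """Pattern from the post: subkey = HMAC-SHA256(primary_key, label)."""
    return hmac.new(primary_key, label, hashlib.sha256).digest()


def hkdf_expand(primary_key: bytes, label: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869) with SHA-256.

    Same idea as derive_simple, plus a block counter and chaining so a
    subkey may be longer than one hash output. Assumes primary_key is
    already uniformly random (e.g. from os.urandom), not a password.
    """
    if not 0 < length <= 255 * HASH_LEN:
        raise ValueError("length out of range for HKDF-Expand")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        msg = block + label + bytes([counter])
        block = hmac.new(primary_key, msg, hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_platform_keys(primary_key: bytes) -> dict:
    """Derive the two subkeys named in the post, one label per purpose."""
    if len(primary_key) < HASH_LEN:
        raise ValueError("primary key should be at least 32 random bytes")
    return {
        "key1": hkdf_expand(primary_key, b"key1", 32),  # secret for password hashing
        "key2": hkdf_expand(primary_key, b"key2", 16),  # AES-128 key for the UUID counter
    }


if __name__ == "__main__":
    # Constructed sample key for demonstration only; use os.urandom(32) in practice.
    sample_primary = bytes(range(32))
    for name, key in derive_platform_keys(sample_primary).items():
        print(name, key.hex())
```

For a single 32-byte output, `hkdf_expand` differs from the construction in the question only by the trailing counter byte appended to the label.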