salt vs. iv for PKCS5_PBKDF2_HMAC


Understanding that PKCS5_PBKDF2_HMAC() requires a salt and gives back a derivedKey

And that GCM<AES>::Encryption.SetKeyWithIV() requires an iv (along with the derivedKey)

Is it safe to use the same value for salt (in PKCS5_PBKDF2_HMAC()) and iv (in GCM<AES>::Encryption.SetKeyWithIV()) - or should they be different?


There is 1 answer

jww On BEST ANSWER

Is it safe to use the same value for salt (in PKCS5_PBKDF2_HMAC()) and iv (in GCM<AES>::Encryption.SetKeyWithIV()) - or should they be different?

Yes and no. Yes - you can use the output of PKCS5_PBKDF2_HMAC to generate a salt, iv or key. No - you should not reuse parameters like that.

Often, you do something like below. It uses unique labels, so derived parameters cannot be the same.

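#include <string>
#include <cryptopp/aes.h>
#include <cryptopp/gcm.h>
#include <cryptopp/pwdbased.h>
#include <cryptopp/secblock.h>
#include <cryptopp/sha.h>
using namespace std;
using namespace CryptoPP;

string password = "super secret password";
string label = "Key derivation with IV";  // unique label for this derivation
size_t length = password.length() + label.length();
unsigned int count = 5000;

// One buffer holds both outputs: bytes 0..31 are the key, bytes 32..47 the IV
SecByteBlock key(32 /*Key*/ + 16 /*IV*/);

PKCS5_PBKDF2_HMAC<SHA1> pbkdf2;
pbkdf2.DeriveKey(key, key.size(), 0 /*purpose byte*/, (const unsigned char*)(password + label).data(), length,
    NULL /*salt*/, 0 /*salt length*/, count);

GCM<AES>::Encryption encryptor;
encryptor.SetKeyWithIV(key, 32, key+32, 16);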

The label above helps make the derivation unique.

If you derive for a salt, your label might be "Salt derivation for X". In this case, you will get different values from the KDF.

In the above, it's OK to apply the KDF twice. First, apply it with no salt to create a salt (using a unique label). Second, use the salt to derive a key and iv (using the previously generated salt and a unique label).
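
The two-pass derivation described in the answer, as an added example that is not part of the original answer. It uses Python's hashlib.pbkdf2_hmac instead of Crypto++, and the helper names and sample password are assumptions. It also shows that the scheme is deterministic: the same password always yields the same key and IV, so a GCM key/IV pair derived this way must encrypt only one message, whereas a random salt stored beside the ciphertext yields a fresh pair each time.

```python
import hashlib
import os

ITERATIONS = 5000  # iteration count used in the answer's snippet


def kdf(password: str, label: str, salt: bytes, length: int) -> bytes:
    """PBKDF2-HMAC-SHA1 over password+label, mirroring the answer's snippet."""
    secret = (password + label).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha1", secret, salt, ITERATIONS, length)


def derive_salt(password: str) -> bytes:
    # Pass 1: no salt, with a label reserved for salt derivation.
    return kdf(password, "Salt derivation for X", b"", 16)


def derive_key_iv(password: str, salt: bytes) -> tuple:
    # Pass 2: salted, with a different label; split into 32-byte key and 16-byte IV.
    block = kdf(password, "Key derivation with IV", salt, 32 + 16)
    return block[:32], block[32:]


def two_pass(password: str) -> tuple:
    """Fully password-derived (salt -> key, IV); deterministic by construction."""
    return derive_key_iv(password, derive_salt(password))


def random_salt_pass(password: str) -> tuple:
    """Variant with a random salt, which must be stored next to the ciphertext."""
    salt = os.urandom(16)
    key, iv = derive_key_iv(password, salt)
    return salt, key, iv


if __name__ == "__main__":
    pw = "super secret password"  # constructed sample input
    salt = derive_salt(pw)
    key, iv = two_pass(pw)
    print("salt:", salt.hex())
    print("key :", key.hex())
    print("iv  :", iv.hex())
    # Different labels give unrelated values, so salt and IV never coincide.
    print("salt != iv:", salt != iv)
    # Same password in, same (key, IV) out: safe for one GCM message only.
    print("repeatable:", two_pass(pw) == (key, iv))
    # A random salt changes the pair on every call.
    print("fresh pair:", random_salt_pass(pw)[1:] != random_salt_pass(pw)[1:])
```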