zero knowledge architecture


I would like to encrypt some user data using a zero-knowledge architecture. I am referencing Bitwarden's implementation and don't understand some parts.

First, I would like to use Argon2 to derive the key instead of PBKDF2, since it seems that Argon2 is more secure because it resists parallel brute force.

Second, what is the purpose of using HKDF to stretch the master key (256-bit) to 512-bit? Why can't the master key be used to encrypt the generated symmetric key directly?

Third, can I use the master key to encrypt the user data directly, instead of generating a new symmetric key and using it to encrypt the user data?

Fourth, why is the master password hash created with just 1 iteration instead of 100,000?

Reference from bitwarden

2

There are 2 answers

0
mbs9

Based on my understanding, here are my answers:

  1. I don’t see why that would cause a problem.
  2. Not sure why they exactly do this either. Perhaps a reason could be to increase the entropy even further? Maybe they wanted to avoid encrypting with the same key as is hashed in the database to avoid leaking information?
  3. Probably, they were thinking that because the master password (used as the salt) is private, an attacker would have to brute force that, which would take enough time anyway. For the attacker to brute force the hash, they need to test every possible salt. For a long and complex password this may be enough security. However, on the server, the salt is stored next to the hash, therefore the attacker would have access to the salt if they have the hash. In that case, s/he wouldn't need to brute force the salt, hence higher iterations are needed. Also, it may be a smaller attack vector than the storage on the server because the 1-iteration hash is only used in transit for a small amount of time.

I am not fully sure about their reasons but I believe that these could be some possibilities.

0
Bianchi

Coming in late to this, but I had similar questions. I'll respond with what I've learned, but there's still more I don't know.

  1. Argon2 is preferred nowadays and BitWarden themselves now support that as an alternative for the key derivation.
  2. This is what I came to ask about and I still have no idea.
  3. You could. I believe the value in having the data encryption key separate from the master symmetric key is being able to either a) change your password without re-encrypting everything in the vault, or b) rotate your encryption keys without changing your master password.
  4. I believe this is because the password-cracking defense has already been done in the original master key derivation function. There's no need to make that additionally challenging because it will be easier to try to brute force guessing the password with 100k iterations than the 256-bit random key with the 1 iteration. However, since they need a unique hash to send to the database and they don't want that to be the raw master key itself, I think they just quickly hash using the same algorithm.
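As an added, self-contained illustration of the key hierarchy the question and both answers are discussing (this is example code written for this page, not code from the question, the answers, or Bitwarden itself): a master key is derived from the password with the e-mail as salt, HKDF-Expand stretches it into a separate encryption key and MAC key, a random data key is wrapped under those, and the login hash is one extra PBKDF2 round with the roles swapped. Assumptions: PBKDF2-HMAC-SHA256 stands in for Argon2 (Argon2 is not in the Python standard library), the HKDF labels `enc` and `mac` are chosen here for illustration, and an HMAC-SHA256 counter-mode keystream stands in for AES-256-CBC so the example runs with no third-party packages. The `change_password` function shows answer 2's point 3: the vault stays encrypted under the data key and only the small wrapped copy of that key is re-encrypted.

```python
"""Key hierarchy of a Bitwarden-style zero-knowledge design (illustrative, stdlib only)."""
import hashlib
import hmac
import os
import secrets

HASH = "sha256"


def derive_master_key(password, email, iterations=100_000):
    """Master key = KDF(password, salt=email). Assumption: PBKDF2-HMAC-SHA256 is
    used here because Argon2id is not in the standard library; in a real design
    Argon2id would be dropped in at this single point."""
    return hashlib.pbkdf2_hmac(HASH, password.encode(), email.lower().encode(),
                               iterations, dklen=32)


def hkdf_expand(prk, info, length):
    """HKDF-Expand from RFC 5869. The Extract step is skipped because the master
    key is already a uniformly random KDF output."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def stretch_master_key(master_key):
    """256-bit master key -> 512 bits: a 256-bit encryption key plus a 256-bit
    MAC key, so encrypt-then-MAC never reuses one key for both jobs (question 2).
    Assumption: the labels b"enc" and b"mac" are chosen for this example."""
    return hkdf_expand(master_key, b"enc", 32), hkdf_expand(master_key, b"mac", 32)


def master_password_hash(master_key, password):
    """Login hash sent to the server: one more PBKDF2 round with the roles
    swapped (master key as secret, password as salt). One iteration suffices
    because the expensive work already happened in derive_master_key (question 4)."""
    return hashlib.pbkdf2_hmac(HASH, master_key, password.encode(), 1, dklen=32)


def _keystream(key, iv, length):
    """HMAC-SHA256 in counter mode: a stdlib stand-in for AES-256-CBC, used only
    so this example runs without third-party packages."""
    out = b""
    for i in range((length + 31) // 32):
        out += hmac.new(key, iv + i.to_bytes(4, "big"), HASH).digest()
    return out[:length]


def encrypt_then_mac(enc_key, mac_key, plaintext):
    """Returns iv || ciphertext || HMAC(mac_key, iv || ciphertext)."""
    iv = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, iv, len(plaintext))))
    tag = hmac.new(mac_key, iv + ct, HASH).digest()
    return iv + ct + tag


def verify_then_decrypt(enc_key, mac_key, blob):
    """Checks the tag in constant time before touching the ciphertext."""
    iv, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, iv + ct, HASH).digest()):
        raise ValueError("MAC check failed: wrong key or tampered ciphertext")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, iv, len(ct))))


def protect_data_key(password, email, data_key):
    """Wrap the random 512-bit data key under the stretched master key."""
    enc_key, mac_key = stretch_master_key(derive_master_key(password, email))
    return encrypt_then_mac(enc_key, mac_key, data_key)


def recover_data_key(password, email, protected):
    enc_key, mac_key = stretch_master_key(derive_master_key(password, email))
    return verify_then_decrypt(enc_key, mac_key, protected)


def change_password(old_pw, new_pw, email, protected):
    """Question 3: the vault stays encrypted under the data key; only the small
    wrapped copy of the data key is re-encrypted under the new master key."""
    data_key = recover_data_key(old_pw, email, protected)
    return protect_data_key(new_pw, email, data_key)


def demo():
    """Constructed sample values; returns the pieces a client would hold."""
    email = "user@example.test"               # constructed sample account
    data_key = secrets.token_bytes(64)        # 256-bit enc + 256-bit mac part
    protected = protect_data_key("correct horse", email, data_key)
    vault = encrypt_then_mac(data_key[:32], data_key[32:], b"secret note")
    protected2 = change_password("correct horse", "battery staple", email, protected)
    # The vault blob is untouched by the password change and still opens.
    note = verify_then_decrypt(data_key[:32], data_key[32:], vault)
    login_hash = master_password_hash(derive_master_key("battery staple", email), "battery staple")
    return {"note": note, "rewrapped": protected2 != protected, "login_hash": login_hash}


if __name__ == "__main__":
    print(demo())
```

The HKDF-Expand routine is checked against RFC 5869 test case 1, and the round-trip tests show that a wrong password or a flipped ciphertext byte is rejected by the MAC before any decryption happens.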