KDF master key length #1209
Replies: 3 comments
-
A follow-up question: is it safe to build a key hierarchy with this KDF feature? In other words, to generate several second-level key-derivation keys from a master key and from these then the final keys for the encryption as described in "5. Key Hierarchy" in NIST SP 800-108r1? Is there a maximum depth for such a hierarchy?
-
@jedisct1 Any information on this?
-
512 bits is the maximum key length supported by the BLAKE2b function. The purpose of this example was to show that the master key and derived keys can have different sizes. But unless they are not uniformly sampled, 512-bit keys are useless, and 256 bits is more than enough. The maximum depth should be the same as the cycle length. With 256-bit keys, it's over 2^127, which really means that there are no practical limits. With 128-bit keys, it's over 2^63.
-
In the documentation for libsodium < 1.0.12 there exists an example to derive a subkey with the
crypto_generichash_blake2b_salt_personal
function. This example uses a 64-byte master key. The wrapper for KDF in libsodium >= 1.0.12 uses only 32 bytes for the master key:
libsodium/src/libsodium/include/sodium/crypto_kdf_blake2b.h
Line 29 in 70c2796
Is this intended and safe? Why does the old example use 64 bytes and the wrapper only 32 bytes for the master key?
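As an added illustration of the two-level hierarchy asked about above (not code from the thread or from libsodium itself), the following Python reproduces what I understand to be the crypto_kdf_blake2b construction with the standard library's hashlib.blake2b: the 32-byte master key becomes the BLAKE2b key, the message is empty, the 64-bit subkey id (little-endian, zero-padded to 16 bytes) is the salt, and the 8-byte context (zero-padded to 16 bytes) is the personalization. The master key and the function names below are constructed for the example; if an exact match with libsodium matters, compare against its own test vectors.

```python
import hashlib
import struct

CONTEXT_LEN = 8      # crypto_kdf_CONTEXTBYTES: contexts are exactly 8 bytes
MASTER_KEY_LEN = 32  # crypto_kdf_KEYBYTES: 256-bit key-derivation key


def derive_subkey(master_key: bytes, subkey_len: int, subkey_id: int, context: bytes) -> bytes:
    """Derive one subkey from a 32-byte key-derivation key.

    Assumed to mirror libsodium's crypto_kdf_derive_from_key: BLAKE2b keyed
    with the master key, empty message, subkey id as salt, context as
    personalization, output truncated to subkey_len (16..64 bytes).
    """
    if len(master_key) != MASTER_KEY_LEN:
        raise ValueError("master key must be exactly 32 bytes")
    if not 16 <= subkey_len <= 64:
        raise ValueError("subkey length must be between 16 and 64 bytes")
    if len(context) != CONTEXT_LEN:
        raise ValueError("context must be exactly 8 bytes")
    salt = struct.pack("<Q", subkey_id) + bytes(8)   # 16-byte salt
    person = context + bytes(8)                      # 16-byte personalization
    return hashlib.blake2b(b"", digest_size=subkey_len, key=master_key,
                           salt=salt, person=person).digest()


def key_hierarchy(master_key: bytes, path: list) -> bytes:
    """Walk a list of (context, subkey_id) levels.

    Every derived key is 32 bytes so it can serve as the key-derivation key
    for the next level, i.e. the SP 800-108 "key hierarchy" pattern: master
    key -> second-level KDK -> final key for encryption.
    """
    key = master_key
    for context, subkey_id in path:
        key = derive_subkey(key, MASTER_KEY_LEN, subkey_id, context)
    return key


# Constructed master key for the demonstration; a real one comes from
# crypto_kdf_keygen() / a CSPRNG and is never hard-coded.
DEMO_MASTER_KEY = bytes(range(32))

# Two leaves under the same second-level key-derivation key ("USERKDK ", id 7).
LEAF_A = key_hierarchy(DEMO_MASTER_KEY, [(b"USERKDK ", 7), (b"ENCRYPT ", 1)])
LEAF_B = key_hierarchy(DEMO_MASTER_KEY, [(b"USERKDK ", 7), (b"ENCRYPT ", 2)])
```

Changing any context or subkey id at any level yields an unrelated key, and the master key itself never leaves the top of the hierarchy.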