bitwiseshiftleft / sjcl

Stanford Javascript Crypto Library
http://bitwiseshiftleft.github.com/sjcl/

generating N keys from a single passphrase #164

Open psranga opened 10 years ago

psranga commented 10 years ago

A common technique to generate two 256-bit keys (e.g., one for signing and one for encryption) is to compute PBKDF using SHA512 and use the two halves of the 512-bit output as the two keys.

What if I wanted to generate N such keys? It should not be possible to derive any of the keys even given the other N-1 keys. Would a procedure like the following work?

Basically call PBKDF2 to generate each key, with a salt deterministically derived from the index of the key to be generated.

function generate_key(password, i) /* generate the i-th key */ {
  return sjcl.misc.pbkdf2(password, i.toString() /* salt */);
}

I understand this can be a slow process. I'm ok with that.

lgarron commented 10 years ago

One reasonable way is to select a random key, and then feed a bunch of unique values through a PRF (e.g. HMAC) with that key.

PBKDF2 can generate a long output, but I understand that this has never been a strong point for PBKDF2, and there are some concerns with the process. (I don't want to describe them, because I haven't verified them myself.)
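The PRF approach described above, as an added example that is not part of the original thread and not sjcl code: it uses Node's built-in `crypto` module instead of sjcl and goes one step beyond the comment by obtaining the master key from a single PBKDF2 call on the passphrase rather than picking it at random. The function names, the iteration count, the `purpose` label and the sample passphrase and salt are assumptions made for illustration.

```javascript
// Added example: stretch the passphrase once, then use HMAC as a PRF to get N keys.
const nodeCrypto = require("crypto");

// Assumed parameters for illustration; tune the iteration count for your platform.
const PBKDF2_ITERATIONS = 100000;
const KEY_BYTES = 32; // 256-bit keys

// One slow PBKDF2 call. The salt should be random per user and stored with the
// data; it is not secret.
function deriveMasterKey(passphrase, salt) {
  return nodeCrypto.pbkdf2Sync(passphrase, salt, PBKDF2_ITERATIONS, KEY_BYTES, "sha256");
}

// Subkey i = HMAC-SHA256(master, purpose || 0x00 || uint32_be(i)).
// Each (purpose, index) pair encodes to a distinct PRF input, so under the PRF
// assumption one subkey reveals nothing about the others or about the master.
function deriveSubkey(masterKey, purpose, index) {
  if (!Number.isInteger(index) || index < 0 || index > 0xffffffff) {
    throw new RangeError("index must be an unsigned 32-bit integer");
  }
  if (purpose.includes("\0")) throw new RangeError("purpose must not contain NUL");
  const idx = Buffer.alloc(4);
  idx.writeUInt32BE(index);
  return nodeCrypto.createHmac("sha256", masterKey)
    .update(Buffer.from(purpose, "utf8"))
    .update(Buffer.from([0])) // separator keeps purpose and index unambiguous
    .update(idx)
    .digest();
}

// Derive n subkeys for one purpose; the master key never leaves this function.
function deriveKeys(passphrase, salt, purpose, n) {
  const master = deriveMasterKey(passphrase, salt);
  const keys = [];
  for (let i = 0; i < n; i++) keys.push(deriveSubkey(master, purpose, i));
  master.fill(0); // best-effort wipe once all subkeys are computed
  return keys;
}

// Constructed sample input, not real credentials.
const sampleSalt = Buffer.from("000102030405060708090a0b0c0d0e0f", "hex");
const sampleKeys = deriveKeys("correct horse battery staple", sampleSalt, "enc", 3);
```

Every subkey is still only as strong as the passphrase and the PBKDF2 work factor; the HMAC step separates the keys from each other, it does not add entropy.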

Nilos commented 10 years ago

You could also just generate N keys and encrypt their data with your pbkdf2 generated key.