Securely distributing passwords and salts that will be derived by client programs


I am creating a client-server architecture running on top of the KCP protocol in Go. The package for KCP that I’m using is KCP-Go (https://github.com/xtaci/kcp-go). The package supports packet-level encryption and FEC. To use the packet-level encryption feature, I need to generate an AES key. Following the latest OWASP recommendations for securely storing passwords and keys, this is what I’ve done thus far:

  • I have generated a 64-byte password and salt.
  • I pass that to PBKDF2, using (600000 * num_cpus) rounds, and requesting a 32-byte key.

Now I am wondering how to exactly securely distribute this key. At this time, I start up another TCP server and allow clients to connect. When they do, I send them the password, salt, number of iterations, and checksum hashes for those three to ensure they’re not tampered with, and allow the client to perform key derivation. My question is: Is this method of distribution actually secure, or should I find some other way (i.e. using public keys)? If there is a more secure method to allow clients and the server to communicate, what should I do instead? I should note that when clients and servers send messages to one another a hash of the message is included along with the message to allow clients to verify the messages validity (I’m using SHAKE256). The hash funciton used during key derivation is BLAKE2B (though I have thought about using Argon2).