To derive the i-th block, PBKDF2 runs the full key derivation, with i concatenated to the salt. So to get your 21st byte, it simply runs the derivation again, with a different effective salt, resulting in completely different output. This means deriving 21 bytes is twice as expensive as deriving 20 bytes.
I recommend against using PBKDF2 to derive more than the natural output size/size of the underlying hash. Often this only slows down the defender, and not the attacker.
I'd rather run PBKDF2 once to derive a single master key, and then use HKDF to derive multiple secrets from it. See "How to salt PBKDF2, when generating both an AES key and a HMAC key for Encrypt then MAC?" on crypto.SE.
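The following Python sketch is an added example, not code from the original answer. It rebuilds PBKDF2 output blocks by hand to show that byte 21 costs a second full iteration chain, then derives two keys from a single 20-byte master key with HKDF-Expand. HMAC-SHA1 is assumed to match the 20-byte block size discussed above; the password, salt, iteration count and the `enc`/`mac` labels are constructed values.

```python
import hashlib
import hmac

HASH = "sha1"                             # assumed PRF: 20-byte blocks, as in the answer
HLEN = hashlib.new(HASH).digest_size

def pbkdf2_block(password, salt, iterations, i):
    """Block T_i of PBKDF2 (RFC 8018): a full chain seeded with salt || INT(i)."""
    u = hmac.new(password, salt + i.to_bytes(4, "big"), HASH).digest()
    t = int.from_bytes(u, "big")
    for _ in range(iterations - 1):
        u = hmac.new(password, u, HASH).digest()
        t ^= int.from_bytes(u, "big")     # T_i = U_1 xor U_2 xor ... xor U_c
    return t.to_bytes(HLEN, "big")

def prf_calls(dklen, iterations):
    """HMAC invocations PBKDF2 needs to produce dklen bytes."""
    blocks = -(-dklen // HLEN)            # ceiling division
    return blocks * iterations

def hkdf_expand(prk, info, length):
    """HKDF-Expand (RFC 5869). Extract is skipped because the PBKDF2
    output is already a uniformly distributed key."""
    okm, t, counter = b"", b"", 1
    while len(okm) < length:
        t = hmac.new(prk, t + info + bytes([counter]), HASH).digest()
        okm += t
        counter += 1
    return okm[:length]

def derive_keys(password, salt, iterations):
    """One PBKDF2 block as master key, then cheap HKDF expansion per purpose."""
    master = hashlib.pbkdf2_hmac(HASH, password, salt, iterations, dklen=HLEN)
    return hkdf_expand(master, b"enc", 16), hkdf_expand(master, b"mac", 20)

if __name__ == "__main__":
    pw, salt, it = b"correct horse", b"constructed-salt", 1000   # constructed inputs
    out21 = hashlib.pbkdf2_hmac(HASH, pw, salt, it, dklen=21)
    # Bytes 1..20 come from block 1; byte 21 needs all of block 2.
    print(out21[:20] == pbkdf2_block(pw, salt, it, 1))
    print(out21[20:] == pbkdf2_block(pw, salt, it, 2)[:1])
    print(prf_calls(20, it), prf_calls(21, it))
    enc_key, mac_key = derive_keys(pw, salt, it)
    print(enc_key.hex(), mac_key.hex())
```
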