PBKDF2

In cryptography, PBKDF1 and PBKDF2 (Password-Based Key Derivation Function 1 and 2) are key derivation functions with a sliding computational cost, used to reduce vulnerability to brute-force attacks.[1]

PBKDF2 is part of RSA Laboratories' Public-Key Cryptography Standards (PKCS) series, specifically PKCS #5 v2.0, also published as Internet Engineering Task Force's RFC 2898. It supersedes PBKDF1, which could only produce derived keys up to 160 bits long.[2] RFC 8018 (PKCS #5 v2.1), published in 2017, recommends PBKDF2 for password hashing.[3]

Purpose and operation

PBKDF2 applies a pseudorandom function, such as hash-based message authentication code (HMAC), to the input password or passphrase along with a salt value and repeats the process many times to produce a derived key, which can then be used as a cryptographic key in subsequent operations. The added computational work makes password cracking much more difficult, and is known as key stretching.

When the standard was written in the year 2000 the recommended minimum number of iterations was 1,000, but the parameter is intended to be increased over time as CPU speeds increase. A Kerberos standard in 2005 recommended 4,096 iterations;[1] Apple reportedly used 2,000 for iOS 3, and 10,000 for iOS 4;[4] while LastPass in 2011 used 5,000 iterations for JavaScript clients and 100,000 iterations for server-side hashing.[5] In 2023, OWASP recommended 600,000 iterations for PBKDF2-HMAC-SHA256 and 210,000 for PBKDF2-HMAC-SHA512.[6]

(Figure: Algorithmic representation of the iterative process of the Password-Based Key Derivation Function 2.)

Having a salt added to the password reduces the ability to use precomputed hashes (rainbow tables) for attacks, and means that multiple passwords have to be tested individually, not all at once. The public key cryptography standard recommends a salt length of at least 64 bits.[7] The US National Institute of Standards and Technology recommends a salt length of at least 128 bits.[8]
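The following password-storage helper is an added example, not code from the article or from any of the standards it cites. It applies the recommendations above: a random 128-bit salt per password (the NIST minimum), OWASP's 2023 count of 600,000 iterations for PBKDF2-HMAC-SHA256, a self-describing record so the iteration count can be raised later, constant-time comparison on verification, and a check that tells the caller when an old record should be upgraded. The record format (`pbkdf2-sha256$iterations$salt$key`, base64-encoded) and the function names are choices made for this example.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

HASH_NAME = "sha256"
ITERATIONS = 600_000   # OWASP's 2023 figure for PBKDF2-HMAC-SHA256
SALT_BYTES = 16        # 128 bits, the NIST SP 800-132 minimum salt length
KEY_BYTES = 32         # 256-bit derived key


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def hash_password(password: str, iterations: int = ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Derive a verifier for storage.

    A fresh random salt per password makes precomputed tables useless and forces
    an attacker to work on each stored record separately.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    if len(salt) < SALT_BYTES:
        raise ValueError("salt shorter than 128 bits")
    dk = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt,
                             iterations, KEY_BYTES)
    # Self-describing record (format chosen for this example): algorithm, iteration
    # count and salt travel with the hash, so the count can be raised later without
    # invalidating existing records.
    return f"pbkdf2-{HASH_NAME}${iterations}${_b64(salt)}${_b64(dk)}"


def _parse(stored: str) -> Tuple[int, bytes, bytes]:
    algo, iters, salt_b64, dk_b64 = stored.split("$")
    if algo != f"pbkdf2-{HASH_NAME}":
        raise ValueError("unknown algorithm")
    return int(iters), base64.b64decode(salt_b64), base64.b64decode(dk_b64)


def verify_password(password: str, stored: str) -> bool:
    """Recompute the key with the record's own salt and iteration count."""
    try:
        iterations, salt, expected = _parse(stored)
    except (ValueError, TypeError):   # malformed record: treat as no match
        return False
    dk = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt,
                             iterations, len(expected))
    return hmac.compare_digest(dk, expected)   # constant-time comparison


def needs_rehash(stored: str, policy_iterations: int = ITERATIONS) -> bool:
    """True when the record used fewer iterations than current policy.

    Call hash_password again on the next successful login to upgrade it; the
    plaintext password is only available at that moment.
    """
    try:
        iterations, _, _ = _parse(stored)
    except (ValueError, TypeError):
        return True
    return iterations < policy_iterations


if __name__ == "__main__":
    # Sample password constructed for this example.
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))   # True
    print(verify_password("wrong password", record))                 # False
    print(needs_rehash(record))                                      # False
```

Because the iteration count is stored alongside the hash, the cost can be raised as hardware gets faster without a migration: `needs_rehash` flags old records and they are re-derived at the user's next login.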

Key derivation process

The PBKDF2 key derivation function has five input parameters:[9]

DK = PBKDF2(PRF, Password, Salt, c, dkLen)

where:

  • PRF is a pseudorandom function of two parameters with output length hLen (e.g., a keyed HMAC)
  • Password is the master password from which a derived key is generated
  • Salt is a sequence of bits, known as a cryptographic salt
  • c is the number of iterations desired
  • dkLen is the desired bit-length of the derived key
  • DK is the generated derived key

Each hLen-bit block T_i of the derived key DK is computed as follows (with + marking string concatenation):

DK = T_1 + T_2 + ⋯ + T_{dkLen/hLen}
T_i = F(Password, Salt, c, i)

The function F is the xor (^) of c iterations of chained PRFs. The first iteration of PRF uses Password as the PRF key and Salt concatenated with i encoded as a big-endian 32-bit integer as the input. (Note that i is a 1-based index.) Subsequent iterations of PRF use Password as the PRF key and the output of the previous PRF computation as the input:

F(Password, Salt, c, i) = U_1 ^ U_2 ^ ⋯ ^ U_c

where:

U_1 = PRF(Password, Salt + INT_32_BE(i))
U_2 = PRF(Password, U_1)
⋮
U_c = PRF(Password, U_{c−1})

For example, WPA2 uses:

DK = PBKDF2(HMAC-SHA1, passphrase, ssid, 4096, 256)

PBKDF1 had a simpler process: the initial U (called T in this version) is created by PRF(Password + Salt), and the following ones are simply PRF(U_previous). The key is extracted as the first dkLen bits of the final hash, which is why there is a size limit.[9]
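The derivation described above, written out block by block as an added example (this is not code from the article or from the PKCS #5 specification): `pbkdf2` implements DK = T_1 + ⋯ + T_{dkLen/hLen} with T_i = U_1 ^ ⋯ ^ U_c exactly as given, `pbkdf1` implements the simpler chained-hash variant with its size limit, and `wpa2_psk` is the WPA2 call from the article. Following RFC 8018, `dklen` here is in bytes rather than the bits used in the article's notation (so WPA2's 256 bits becomes 32). The function names and the sample inputs are choices made for this example; `matches_stdlib` cross-checks the hand-written code against `hashlib.pbkdf2_hmac`.

```python
import hashlib
import hmac
import struct


def pbkdf2(hash_name: str, password: bytes, salt: bytes, c: int, dklen: int) -> bytes:
    """PBKDF2 (RFC 8018 section 5.2) with HMAC-<hash_name> as the PRF.

    dklen is in bytes, as in the RFC; the article's dkLen is in bits.
    """
    if c < 1:
        raise ValueError("iteration count c must be at least 1")
    hlen = hashlib.new(hash_name).digest_size
    if dklen > (2 ** 32 - 1) * hlen:
        raise ValueError("derived key too long")

    def prf(key: bytes, msg: bytes) -> bytes:
        return hmac.new(key, msg, hash_name).digest()

    def f(i: int) -> bytes:
        # U_1 = PRF(Password, Salt + INT_32_BE(i)); i is 1-based.
        u = prf(password, salt + struct.pack(">I", i))
        t = bytearray(u)
        # U_j = PRF(Password, U_{j-1}); T_i = U_1 ^ U_2 ^ ... ^ U_c.
        for _ in range(c - 1):
            u = prf(password, u)
            for k in range(hlen):
                t[k] ^= u[k]
        return bytes(t)

    n_blocks = -(-dklen // hlen)   # ceil(dklen / hlen)
    dk = b"".join(f(i) for i in range(1, n_blocks + 1))
    return dk[:dklen]   # the last block is truncated when dklen is not a multiple of hlen


def pbkdf1(hash_name: str, password: bytes, salt: bytes, c: int, dklen: int) -> bytes:
    """PBKDF1 (RFC 8018 section 5.1): T_1 = Hash(Password + Salt), T_i = Hash(T_{i-1}).

    The key is the first dklen bytes of T_c, so it can never be longer than one
    hash output; that is the size limit the article mentions.
    """
    if c < 1:
        raise ValueError("iteration count c must be at least 1")
    hlen = hashlib.new(hash_name).digest_size
    if dklen > hlen:
        raise ValueError("derived key too long")
    t = hashlib.new(hash_name, password + salt).digest()
    for _ in range(c - 1):
        t = hashlib.new(hash_name, t).digest()
    return t[:dklen]


def wpa2_psk(passphrase: str, ssid: str) -> bytes:
    """The WPA2 call from the article: PBKDF2-HMAC-SHA1, 4096 iterations, 256-bit key."""
    return pbkdf2("sha1", passphrase.encode("utf-8"), ssid.encode("utf-8"), 4096, 32)


def matches_stdlib(hash_name: str, password: bytes, salt: bytes, c: int, dklen: int) -> bool:
    """Cross-check the hand-written PBKDF2 against the standard library."""
    expected = hashlib.pbkdf2_hmac(hash_name, password, salt, c, dklen)
    return hmac.compare_digest(pbkdf2(hash_name, password, salt, c, dklen), expected)


if __name__ == "__main__":
    # Sample inputs constructed for this example.
    print(pbkdf2("sha1", b"password", b"salt", 1, 20).hex())
    print(wpa2_psk("password", "IEEE").hex())
    print(matches_stdlib("sha256", b"passphrase", b"NaCl", 1000, 40))   # True
```

The inner loop is where the tunable cost lives: every extra iteration is one more HMAC call per block, and nothing in it needs memory beyond two hash outputs, which is the property the "Alternatives to PBKDF2" section below discusses.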

HMAC collisions

PBKDF2 has an interesting property when using HMAC as its pseudorandom function. It is possible to trivially construct any number of different password pairs with collisions within each pair.[10] If a supplied password is longer than the block size of the underlying HMAC hash function, the password is first pre-hashed into a digest, and that digest is instead used as the password. For example, the following password is too long:

  • Password: plnlrtfpijpuhqylxbgqiiyipieyxvfsavzgxbbcfusqkozwpngsyejqlmjsytrmd

therefore, when using HMAC-SHA1, it is pre-hashed using SHA-1 into:

  • SHA1 (hex): 65426b585154667542717027635463617226672a

Which can be represented in ASCII as:

  • SHA1 (ASCII): eBkXQTfuBqp'cTcar&g*

This means regardless of the salt or iterations, PBKDF2-HMAC-SHA1 will generate the same key bytes for the passwords:

  • "plnlrtfpijpuhqylxbgqiiyipieyxvfsavzgxbbcfusqkozwpngsyejqlmjsytrmd"
  • "eBkXQTfuBqp'cTcar&g*"

For example, using:

  • PRF: HMAC-SHA1
  • Salt: A009C1A485912C6AE630D3E744240B04
  • Iterations: 1,000
  • Derived key length: 16 bytes

The following two function calls:

PBKDF2-HMAC-SHA1("plnlrtfpijpuhqylxbgqiiyipieyxvfsavzgxbbcfusqkozwpngsyejqlmjsytrmd", ...)
PBKDF2-HMAC-SHA1("eBkXQTfuBqp'cTcar&g*", ...)

will generate the same derived key bytes (17EB4014C8C461C300E9B61518B9A18B). These derived-key collisions do not represent a security vulnerability, since one must still know the original password in order to generate its hash.[11]
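The pairing described above, reproduced as an added example (not code from the article or from the cited blog post). `colliding_partner` computes, for any password longer than the HMAC block size, the shorter password that PBKDF2-HMAC cannot tell apart from it, and `keys_collide` checks that the two derive the same key under any salt and iteration count. The article's own password, salt and derived key are recomputed by `check_article_values` so the reader can compare; the function names are choices made for this example.

```python
import hashlib
import hmac

# Values quoted in the article (PRF HMAC-SHA1, 1,000 iterations, 16-byte key).
LONG_PASSWORD = b"plnlrtfpijpuhqylxbgqiiyipieyxvfsavzgxbbcfusqkozwpngsyejqlmjsytrmd"
ARTICLE_PARTNER = b"eBkXQTfuBqp'cTcar&g*"
ARTICLE_SALT = bytes.fromhex("A009C1A485912C6AE630D3E744240B04")
ARTICLE_DK_HEX = "17eb4014c8c461c300e9b61518b9a18b"
ITERATIONS = 1000
DKLEN = 16


def hmac_effective_key(password: bytes, hash_name: str = "sha1") -> bytes:
    """The key HMAC (RFC 2104) actually uses.

    A key longer than the hash block size (64 bytes for SHA-1) is replaced by its
    digest before the inner and outer padding are applied; shorter keys are used as-is.
    """
    h = hashlib.new(hash_name)
    if len(password) > h.block_size:
        return hashlib.new(hash_name, password).digest()
    return password


def colliding_partner(password: bytes, hash_name: str = "sha1"):
    """Return the shorter password PBKDF2-HMAC treats identically to `password`,
    or None when the password fits inside one block and no such partner arises."""
    if len(password) <= hashlib.new(hash_name).block_size:
        return None
    return hashlib.new(hash_name, password).digest()


def derive(password: bytes, salt: bytes = ARTICLE_SALT,
           c: int = ITERATIONS, dklen: int = DKLEN) -> bytes:
    return hashlib.pbkdf2_hmac("sha1", password, salt, c, dklen)


def keys_collide(p1: bytes, p2: bytes, salt: bytes = ARTICLE_SALT, c: int = ITERATIONS) -> bool:
    """True when both passwords derive the same key for this salt and iteration count."""
    return hmac.compare_digest(derive(p1, salt, c), derive(p2, salt, c))


def check_article_values() -> dict:
    """Recompute the article's figures; the two *_matches_article flags report
    whether this machine reproduces the values printed in the text."""
    partner = colliding_partner(LONG_PASSWORD)
    dk_hex = derive(LONG_PASSWORD).hex()
    return {
        "password_length": len(LONG_PASSWORD),          # 65 > 64-byte SHA-1 block
        "partner_hex": partner.hex(),
        "partner_matches_article": partner == ARTICLE_PARTNER,
        "derived_key_hex": dk_hex,
        "derived_key_matches_article": dk_hex == ARTICLE_DK_HEX,
        "keys_collide": keys_collide(LONG_PASSWORD, partner),
    }


if __name__ == "__main__":
    for name, value in check_article_values().items():
        print(f"{name}: {value}")
```

The collision holds regardless of salt or iteration count because the pre-hashing happens inside HMAC before PBKDF2's loop ever runs. Changing a single byte of the long password changes its digest and therefore its partner, which is why, as the article notes, this does not help anyone who does not already know a valid password.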

Alternatives to PBKDF2

One weakness of PBKDF2 is that while its number of iterations can be adjusted to make it take an arbitrarily large amount of computing time, it can be implemented with a small circuit and very little RAM, which makes brute-force attacks using application-specific integrated circuits or graphics processing units relatively cheap.[12] The bcrypt password hashing function requires a larger amount of RAM (but still not tunable separately, i.e. fixed for a given amount of CPU time) and is significantly stronger against such attacks,[13] while the more modern scrypt key derivation function can use arbitrarily large amounts of memory and is therefore more resistant to ASIC and GPU attacks.[12]

In 2013, the Password Hashing Competition (PHC) was held to develop a more resistant approach. On 20 July 2015 Argon2 was selected as the final PHC winner, with special recognition given to four other password hashing schemes: Catena, Lyra2, yescrypt and Makwa.[14] Another alternative is Balloon hashing, which is recommended in NIST password guidelines.[15]

To limit a brute-force attack, it is possible to make each password attempt require an online interaction, without harming the confidentiality of the password. This can be done using an oblivious pseudorandom function to perform password hardening.[16] This can be done as an alternative to, or as an additional step in, a PBKDF.

References

  1. Raeburn, Kenneth (2005). "Advanced Encryption Standard (AES) Encryption for Kerberos 5". tools.ietf.org. doi:10.17487/RFC3962. RFC 3962. Retrieved October 23, 2015.
  2. Kaliski, Burt (2000). "PKCS #5: Password-Based Cryptography Specification, Version 2.0". tools.ietf.org. doi:10.17487/RFC2898. RFC 2898. Retrieved October 23, 2015.
  3. Moriarty, Kathleen; et al. (2017). Moriarty, K (ed.). "PKCS #5: Password-Based Cryptography Specification, Version 2.1". tools.ietf.org. doi:10.17487/RFC8018. RFC 8018.
  4. "Smartphone Forensics: Cracking BlackBerry Backup Passwords". Advanced Password Cracking – Insight. ElcomSoft. September 30, 2010. Retrieved October 23, 2015.
  5. "LastPass Security Notification". The LastPass Blog. May 5, 2011. Retrieved January 31, 2023.
  6. "Password Storage Cheat Sheet". OWASP Cheat Sheet Series. August 15, 2021. Archived from the original on January 23, 2023. Retrieved January 23, 2023.
  7. Moriarty, Kathleen; et al. (2017). Moriarty, K (ed.). "PKCS #5: Password-Based Cryptography Specification, Version 2.1: Section 4. Salt and Iteration Count". tools.ietf.org. doi:10.17487/RFC8018. RFC 8018. Retrieved January 24, 2018.
  8. Sönmez Turan, Meltem; Barker, Elaine; Burr, William; Chen, Lily. "Recommendation for Password-Based Key Derivation Part 1: Storage Applications" (PDF). NIST. SP 800-132. Retrieved December 20, 2018.
  9. "Password-Based Cryptography Specification". RFC 2898.
  10. Bynens, Mathias. "PBKDF2+HMAC hash collisions explained". mathiasbynens.be.
  11. "Collision resistance - Why is HMAC-SHA1 still considered secure?". crypto.stackexchange.com.
  12. Percival, Colin. scrypt. As presented in "Stronger Key Derivation via Sequential Memory-Hard Functions". Presented at BSDCan'09, May 2009.
  13. "New 25 GPU Monster Devours Passwords In Seconds". The Security Ledger. December 4, 2012. Retrieved September 7, 2013.
  14. "Password Hashing Competition".
  15. "Digital Identity Guidelines: Authentication and Lifecycle Management, Section 5.1.1.2" (PDF). NIST. SP 800-63B. Retrieved June 18, 2021.
  16. Ford, W.; Kaliski, B. S. (2000). "Server-assisted generation of a strong secret from a password". Proceedings IEEE 9th International Workshops on Enabling Technologies: Infrastructure for Collaborative Enterprises (WET ICE 2000). pp. 176–180. doi:10.1109/ENABL.2000.883724. ISBN 0-7695-0798-0. S2CID 1977743.
