PBKDF2

From Wikipedia, the free encyclopedia
Jump to: navigation, search

PBKDF2 (Password-Based Key Derivation Function 2) is a key derivation function that is part of RSA Laboratories' Public-Key Cryptography Standards (PKCS) series, specifically PKCS #5 v2.0, also published as Internet Engineering Task Force's RFC 2898. It replaces an earlier standard, PBKDF1, which could only produce derived keys up to 160 bits long.[1]

Purpose and operation[edit]

PBKDF2 applies a pseudorandom function, such as a cryptographic hash, cipher, or HMAC to the input password or passphrase along with a salt value and repeats the process many times to produce a derived key, which can then be used as a cryptographic key in subsequent operations. The added computational work makes password cracking much more difficult, and is known as key stretching.

When the standard was written in 2000, the recommended minimum number of iterations was 1000, but the parameter is intended to be increased over time as CPU speeds increase. As of 2005 a Kerberos standard recommended 4096 iterations,[2] Apple iOS 3 used 2000, iOS 4 used 10000,[3] while in 2011 LastPass used 5000 iterations for JavaScript clients and 100000 iterations for server-side hashing.[4]

Having a salt added to the password reduces the ability to use precomputed hashes (rainbow tables) for attacks, and means that multiple passwords have to be tested individually, not all at once. The standard recommends a salt length of at least 64 bits.

Key derivation process[edit]

The PBKDF2 key derivation function has five input parameters:

DK = PBKDF2(PRF, Password, Salt, c, dkLen)

where:

  • PRF is a pseudorandom function of two parameters with output length hLen (e.g. a keyed HMAC)
  • Password is the master password from which a derived key is generated
  • Salt is a sequence of bits, known as a cryptographic salt
  • c is the number of iterations desired
  • dkLen is the desired length of the derived key
  • DK is the generated derived key

Each hLen-bit block Ti of derived key DK, is computed as follows:

DK = T1 || T2 || ... || Tdklen/hlen
Ti = F(Password, Salt, c, i)

The function F is the xor (^) of c iterations of chained PRFs. The first iteration of PRF uses Password as the PRF key and Salt concatenated with i encoded as a big-endian 32-bit integer. (Note that i is a 1-based index.) Subsequent iterations of PRF use Password as the PRF key and the output of the previous PRF computation as the salt:

F(Password, Salt, c, i) = U1 ^ U2 ^ ... ^ Uc

where:

U1 = PRF(Password, Salt || INT_32_BE(i))
U2 = PRF(Password, U1)
...
Uc = PRF(Password, Uc-1)

For example, WPA2 uses:

 DK = PBKDF2(HMAC−SHA1, passphrase, ssid, 4096, 256)

Alternatives to PBKDF2[edit]

One weakness of PBKDF2 is that while its number of iterations can be adjusted to make it take an arbitrarily large amount of computing time, it can be implemented with a small circuit and very little RAM, which makes brute-force attacks using ASICs or GPUs relatively cheap.[5] The bcrypt key derivation function requires a larger (but still fixed) amount of RAM and is slightly stronger against such attacks,[6] while the more modern scrypt key derivation function can use arbitrarily large amounts of memory and is therefore more resistant to ASIC and GPU attacks.[5]

In 2013, a Password Hashing Competition was held to develop a more resistant approach. On 20 July 2015 Argon2 was selected as the final PHC winner, with special recognition given to four other password hashing schemes: Catena, Lyra2, yescrypt and Makwa.[7]

See also[edit]

References[edit]

  1. ^ <bkaliski@rsasecurity.com>, Burt Kaliski. "PKCS #5: Password-Based Cryptography Specification Version 2.0". tools.ietf.org. Retrieved 2015-10-23. 
  2. ^ Kenneth Raeburn. "Advanced Encryption Standard (AES) Encryption for Kerberos 5". tools.ietf.org. Retrieved 2015-10-23. 
  3. ^ "Smartphone Forensics: Cracking BlackBerry Backup Passwords". Advanced Password Cracking – Insight (ElcomSoft). Retrieved 2015-10-23. 
  4. ^ "LastPass Security Notification". The LastPass Blog. Retrieved 2015-10-23. 
  5. ^ a b Colin Percival. scrypt. As presented in "Stronger Key Derivation via Sequential Memory-Hard Functions". presented at BSDCan'09, May 2009.
  6. ^ "New 25 GPU Monster Devours Passwords In Seconds". The Security Ledger. 2012-12-04. Retrieved 2013-09-07. 
  7. ^ "Password Hashing Competition"

External links[edit]