||This article has an unclear citation style. (December 2012)|
PBKDF2 (Password-Based Key Derivation Function 2) is a key derivation function that is part of RSA Laboratories' Public-Key Cryptography Standards (PKCS) series, specifically PKCS #5 v2.0, also published as Internet Engineering Task Force's RFC 2898. It replaces an earlier standard, PBKDF1, which could only produce derived keys up to 160 bits long.
Purpose and operation
PBKDF2 applies a pseudorandom function, such as a cryptographic hash, cipher, or HMAC to the input password or passphrase along with a salt value and repeats the process many times to produce a derived key, which can then be used as a cryptographic key in subsequent operations. The added computational work makes password cracking much more difficult, and is known as key stretching.
Having a salt added to the password reduces the ability to use precomputed hashes (rainbow tables) for attacks, and means that multiple passwords have to be tested individually, not all at once. The standard recommends a salt length of at least 64 bits.
Key derivation process
The PBKDF2 key derivation function has five input parameters:
DK = PBKDF2(PRF, Password, Salt, c, dkLen)
- PRF is a pseudorandom function of two parameters with output length hLen (e.g. a keyed HMAC)
- Password is the master password from which a derived key is generated
- Salt is a sequence of bits, known as a cryptographic salt
- c is the number of iterations desired
- dkLen is the desired length of the derived key
- DK is the generated derived key
Each hLen-bit block Ti of derived key DK, is computed as follows:
DK = T1 || T2 || ... || Tdklen/hlen Ti = F(Password, Salt, c, i)
The function F is the xor (^) of c iterations of chained PRFs. The first iteration of PRF uses Password as the PRF key and Salt concatenated with i encoded as a big-endian 32-bit integer. (Note that i is a 1-based index.) Subsequent iterations of PRF use Password as the PRF key and the output of the previous PRF computation as the salt:
F(Password, Salt, c, i) = U1 ^ U2 ^ ... ^ Uc
U1 = PRF(Password, Salt || INT_32_BE(i)) U2 = PRF(Password, U1) ... Uc = PRF(Password, Uc-1)
For example, WPA2 uses:
DK = PBKDF2(HMAC−SHA1, passphrase, ssid, 4096, 256)
- openssl's C implementation
- OpenBSD's C implementation
- PolarSSL's C implementation
- CyaSSL's C implementation
- ActionScript 3.0 implementation
- .NET's built-in function
- C# implementation
- Delphi/Free Pascal implementation
- Erlang implementation
- Go implementation
- PBKDF2 for Haxe
- Java implementation (PBKDF2WithHmacSHA1)
- Python implementation
- Perl implementation (large), (small), (tiny), Native Perl Implementation - no dependency hell
- Ruby's standard library
- Ruby implementation
- REBOL2 implementation
- PHP implementations: native (added in v5.5.0), pure PHP implementation
- Scala implementation
- Common Lisp implementation (Ironclad)
Systems that use PBKDF2
- Wi-Fi Protected Access (WPA and WPA2) used to secure Wi-Fi wireless networks
- Microsoft Windows Data Protection API (DPAPI)
- OpenDocument encryption used in OpenOffice.org
- WinZip's AES Encryption scheme.
- Keeper for password hashing.
- LastPass for password hashing.
- 1Password for password hashing.
- Dashlane for password hashing.
- Apple's iOS mobile operating system, for protecting user passcodes and passwords.
- Mac OS X Mountain Lion for user passwords
- The Django web framework, as of release 1.4.
- The MODX content management framework, as of version 2.0.
- The encryption and decryption schema of Zend Framework, to generate encryption and authentication keys.
- Cisco IOS and IOS XE Type 4 password hashes
- Firefox Sync for client-side password stretching
Disk encryption software
- Filesystem encryption in the Android operating system, as of version 3.0.
- FileVault (Mac OS X) from Apple Computer
- FreeOTFE (Windows and Pocket PC PDAs); also supports mounting Linux (e.g. LUKS) volumes under Windows
- LUKS (Linux Unified Key Setup) (Linux)
- TrueCrypt (Windows, Linux, and Mac OS X)
- CipherShed (Windows, Linux, and Mac OS X)
- DiskCryptor (Windows)
- Cryptographic disk (NetBSD)
- GEOM ELI module for FreeBSD
- softraid crypto for OpenBSD
- EncFS (Linux, FreeBSD and Mac OS X) since v1.5.0
- GRUB2 (boot loader)
Alternatives to PBKDF2
One weakness of PBKDF2 is that while its number of iterations can be adjusted to make it take an arbitrarily large amount of computing time, it can be implemented with a small circuit and very little RAM, which makes brute-force attacks using ASICs or GPUs relatively cheap. The bcrypt key derivation function requires a larger (but still fixed) amount of RAM and is slightly stronger against such attacks, while the more modern scrypt key derivation function can use arbitrarily large amounts of memory and is therefore more resistant to ASIC and GPU attacks.
- <firstname.lastname@example.org>, Burt Kaliski. "PKCS #5: Password-Based Cryptography Specification Version 2.0". tools.ietf.org. Retrieved 2015-10-23.
- Kenneth Raeburn. "Advanced Encryption Standard (AES) Encryption for Kerberos 5". tools.ietf.org. Retrieved 2015-10-23.
- "Smartphone Forensics: Cracking BlackBerry Backup Passwords". Advanced Password Cracking – Insight (ElcomSoft). Retrieved 2015-10-23.
- "LastPass Security Notification". The LastPass Blog. Retrieved 2015-10-23.
- "Windows Data Protection". NAI Labs, Network Associates, Inc.; Microsoft Corporation. October 2001. Archived from the original on 2007-04-16.
- "AES Coding Tips for Developers". WinZip. 2008-07-21. Retrieved 2013-09-07.
- "BRG Main SIte". Winzip.com. Retrieved 2013-09-07.
- Black, Crystal (2015-03-10). "Keeper: A Fresh Look At Password Management And Data Security". Techaeris. Retrieved 2015-04-16.
- "Security". LastPass: How We Do It. LastPass. Retrieved 2013-06-13.
- "LastPass Security Notification". LastPass. 2011-05-04. Retrieved 2013-06-13.
- "Defending against crackers, PBKDF2". Agilebits, Inc. 2014. Retrieved 2014-11-14.
- "Our security model in a nutshell". Dashlane, Inc. 2014. Retrieved 2014-03-09.
- "Protection of User Data in Dashlane" (PDF). Dashlane Security Whitepaper. Dashlane, Inc. November 2011. Retrieved 2014-03-09.
- iOS security, May 2012, Apple inc.
- "How Django stores passwords". Django 1.4 documentation. 2012-03-23. Retrieved 31 July 2012.
- Encrypt/decrypt using block ciphers, Programmer’s Reference Guide of Zend Framework 2.
- Worldwide. "Cisco Security Response: Cisco IOS and Cisco IOS XE Type 4 Passwords Issue". Tools.cisco.com. Retrieved 2013-09-07.
- Dan Callahan (2014-04-30). "Firefox Sync’s New Security Model". Mozilla Cloud Services. Mozilla. Retrieved 2015-07-16.
- Notes on the implementation of encryption in Android 3.0, September 2012, Android Open Source Project.
- "Header Key Derivation, Salt, and Iteration Count". TrueCrypt User’s Guide. TrueCrypt Foundation. 2012-02-07. Retrieved 2013-06-08.
- "CipherShed User's Guide, Technical Details" (PDF). CipherShed User’s Guide. CipherShed Project. 2014-12-19. Retrieved 2014-12-27.
- Colin Percival. scrypt. As presented in "Stronger Key Derivation via Sequential Memory-Hard Functions". presented at BSDCan'09, May 2009.
- "New 25 GPU Monster Devours Passwords In Seconds". The Security Ledger. 2012-12-04. Retrieved 2013-09-07.
- RSA PKCS #5 – RSA Laboratories PKCS #5 v2.0 - Multiple Formats, and test vectors.
- RFC 2898 – Specification of PKCS #5 v2.0.
- RFC 6070 – Test vectors for PBKDF2 with HMAC-SHA1.
- NIST Special Publication 800-132 Recommendation for Password-Based Key Derivation