PBKDF2

Template:Short description Template:Use mdy dates

In cryptography, PBKDF1 and PBKDF2 (Password-Based Key Derivation Function 1 and 2) are key derivation functions with a sliding computational cost, used to reduce vulnerability to brute-force attacks.<ref name="RFC3962"/>

PBKDF2 is part of RSA Laboratories' Public-Key Cryptography Standards (PKCS) series, specifically PKCSTemplate:Nbsp#5 v2.0, also published as Internet Engineering Task Force's RFCTemplate:Nbsp2898. It supersedes PBKDF1, which could only produce derived keys up to 160 bits long.<ref>Template:Cite journal</ref> RFCTemplate:Nbsp8018 (PKCSTemplate:Nbsp#5 v2.1), published in 2017, recommends PBKDF2 for password hashing.<ref>Template:Cite journal</ref>

Purpose and operationEdit

PBKDF2 applies a pseudorandom function, such as hash-based message authentication code (HMAC), to the input password or passphrase along with a salt value and repeats the process many times to produce a derived key, which can then be used as a cryptographic key in subsequent operations. The added computational work makes password cracking much more difficult, and is known as key stretching.

When the standard was written in the year 2000 the recommended minimum number of iterations was 1,000, but the parameter is intended to be increased over time as CPU speeds increase. A Kerberos standard in 2005 recommended 4,096 iterations;<ref name="RFC3962">Template:Cite journal</ref> Apple reportedly used 2,000 for iOS 3, and 10,000 for iOS 4;<ref>{{#invoke:citation/CS1|citation |CitationClass=web }}</ref> while LastPass in 2011 used 5,000 iterations for JavaScript clients and 100,000 iterations for server-side hashing.<ref>{{#invoke:citation/CS1|citation |CitationClass=web }}</ref> In 2023, OWASP recommended to use 600,000 iterations for PBKDF2-HMAC-SHA256 and 210,000 for PBKDF2-HMAC-SHA512.<ref>{{#invoke:citation/CS1|citation |CitationClass=web }}</ref>

Having a salt added to the password reduces the ability to use precomputed hashes (rainbow tables) for attacks, and means that multiple passwords have to be tested individually, not all at once. The public key cryptography standard recommends a salt length of at least 64 bits.<ref name="RFC8018s4">Template:Cite journal</ref> The US National Institute of Standards and Technology recommends a salt length of at least 128 bits.<ref>{{#invoke:citation/CS1|citation |CitationClass=web }}</ref>

Key derivation processEdit

PBKDF2 has five input parameters:<ref name=rfc2898>Password-Based Cryptography Specification Template:IETF RFC</ref>

Template:Math

where:

• Template:Math is a pseudorandom function of two parameters with output length Template:Var (e.g., a keyed HMAC)
• Template:Var is the master password from which a derived key is generated
• Template:Var is a sequence of bits, known as a cryptographic salt
• Template:Var is the number of iterations desired
• Template:Var is the desired bit-length of the derived key
• Template:Var is the generated derived key

Each Template:Var-bit block Template:Math of derived key Template:Var, is computed as follows (with Template:Math marking string concatenation):

Template:Math

Template:Math

The function Template:Math is the xor (Template:Math) of c iterations of chained PRFs. The first iteration of PRF uses Password as the PRF key and Salt concatenated with Template:Var encoded as a big-endian 32-bit integer as the input. (Note that i is a 1-based index.) Subsequent iterations of PRF use Password as the PRF key and the output of the previous PRF computation as the input:

Template:Math

where:

Template:Math

Template:Math

Template:Math

Template:Math

For example, WPA2 uses:

Template:Math

PBKDF1 had a simpler process: the initial U (called T in this version) is created by Template:Math, and the following ones are simply Template:Math. The key is extracted as the first dkLen bits of the final hash, which is why there is a size limit.<ref name=rfc2898/>

HMAC collisionsEdit

PBKDF2 has an interesting property when using HMAC as its pseudo-random function. It is possible to trivially construct any number of different password pairs with collisions within each pair.<ref>{{#invoke:citation/CS1|citation |CitationClass=web }}</ref> If a supplied password is longer than the block size of the underlying HMAC hash function, the password is first pre-hashed into a digest, and that digest is instead used as the password. For example, the following password is too long:

• Password: Template:Not a typo

therefore, when using HMAC-SHA1, it is pre-hashed using SHA-1 into:

• SHA1 (hex): 65426b585154667542717027635463617226672a

Which can be represented in ASCII as:

• SHA1 (ASCII): eBkXQTfuBqp'cTcar&g*

This means regardless of the salt or iterations, PBKDF2-HMAC-SHA1 will generate the same key bytes for the passwords:

• "plnlrtfpijpuhqylxbgqiiyipieyxvfsavzgxbbcfusqkozwpngsyejqlmjsytrmd"
• "eBkXQTfuBqp'cTcar&g*"

For example, using:

• PRF: HMAC-SHA1
• Salt: A009C1A485912C6AE630D3E744240B04
• Iterations: 1,000
• Derived key length: 16 bytes

The following two function calls: <syntaxhighlight lang="python"> PBKDF2-HMAC-SHA1("plnlrtfpijpuhqylxbgqiiyipieyxvfsavzgxbbcfusqkozwpngsyejqlmjsytrmd", ...) PBKDF2-HMAC-SHA1("eBkXQTfuBqp'cTcar&g*", ...) </syntaxhighlight> will generate the same derived key bytes (17EB4014C8C461C300E9B61518B9A18B). These derived key collisions do not represent a security vulnerability – as one still must know the original password in order to generate the hash of the password.<ref>{{#invoke:citation/CS1|citation |CitationClass=web }}</ref>

Alternatives to PBKDF2Edit

One weakness of PBKDF2 is that while its number of iterations can be adjusted to make it take an arbitrarily large amount of computing time, it can be implemented with a small circuit and very little RAM, which makes brute-force attacks using application-specific integrated circuits or graphics processing units relatively cheap.<ref name="percival2009">Colin Percival. scrypt. As presented in "Stronger Key Derivation via Sequential Memory-Hard Functions". presented at BSDCan'09, May 2009.</ref> The bcrypt password hashing function requires a larger amount of RAM (but still not tunable separately, i.e. fixed for a given amount of CPU time) and is significantly stronger against such attacks,<ref>{{#invoke:citation/CS1|citation |CitationClass=web }}</ref> while the more modern scrypt key derivation function can use arbitrarily large amounts of memory and is therefore more resistant to ASIC and GPU attacks.<ref name="percival2009" />

In 2013, the Password Hashing Competition (PHC) was held to develop a more resistant approach. On 20 July 2015 Argon2 was selected as the final PHC winner, with special recognition given to four other password hashing schemes: Catena, Lyra2, yescrypt and Makwa.<ref>"Password Hashing Competition"</ref> Another alternative is Balloon hashing, which is recommended in NIST password guidelines.<ref>{{#invoke:citation/CS1|citation |CitationClass=web }}</ref>

To limit a brute-force attack, it is possible to make each password attempt require an online interaction, without harming the confidentiality of the password. This can be done using an oblivious pseudorandom function to perform password hardening.<ref>Template:Cite book</ref> This can be done as alternative to, or as an additional step in, a PBKDF.

See alsoEdit

• List of PBKDF2 implementations

ReferencesEdit

Template:Reflist

External linksEdit

• {{#invoke:citation/CS1|citation

|CitationClass=web }}

• Template:IETF RFC – Specification of PKCSTemplate:Nbsp#5 v2.0.
• Template:IETF RFC – Test vectors for PBKDF2 with HMAC-SHA1.
• NIST Special Publication 800-132 Recommendation for Password-Based Key Derivation

Template:Cryptography navbox