PBKDF2 on:
[Wikipedia]
[Google]
[Amazon]
In
Having a salt added to the password reduces the ability to use precomputed hashes (
PBKDF2-HMAC-SHA1("plnlrtfpijpuhqylxbgqiiyipieyxvfsavzgxbbcfusqkozwpngsyejqlmjsytrmd", ...)
PBKDF2-HMAC-SHA1("eBkXQTfuBqp'cTcar&g*", ...)
will generate the same derived key bytes (
scrypt
As presented i
"Stronger Key Derivation via Sequential Memory-Hard Functions"
presented at BSDCan'09, May 2009. The
NIST Special Publication 800-132 Recommendation for Password-Based Key Derivation
{{Cryptography navbox , hash Password authentication Cryptography standards Key derivation functions
cryptography
Cryptography, or cryptology (from "hidden, secret"; and ''graphein'', "to write", or ''-logy, -logia'', "study", respectively), is the practice and study of techniques for secure communication in the presence of Adversary (cryptography), ...
, PBKDF1 and PBKDF2 (Password-Based Key Derivation Function 1 and 2) are key derivation function
In cryptography, a key derivation function (KDF) is a cryptographic algorithm that derives one or more secret keys from a secret value such as a master key, a password, or a passphrase using a pseudorandom function (which typically uses a cr ...
s with a sliding computational cost, used to reduce vulnerability to brute-force attack
In cryptography, a brute-force attack or exhaustive key search is a cryptanalytic attack that consists of an attacker submitting many possible keys or passwords with the hope of eventually guessing correctly. This strategy can theoretically be ...
s.
PBKDF2 is part of RSA Laboratories' Public-Key Cryptography Standards
Public Key Cryptography Standards (PKCS) are a group of public-key cryptography standards devised and published by RSA Security LLC, starting in the early 1990s. The company published the standards to promote the use of the cryptography tec ...
(PKCS) series, specifically PKCS#5 v2.0, also published as Internet Engineering Task Force
The Internet Engineering Task Force (IETF) is a standards organization for the Internet standard, Internet and is responsible for the technical standards that make up the Internet protocol suite (TCP/IP). It has no formal membership roster ...
's RFC2898. It supersedes PBKDF1, which could only produce derived keys up to 160 bits long. RFC8018 (PKCS#5 v2.1), published in 2017, recommends PBKDF2 for password hashing.
Purpose and operation
PBKDF2 applies a pseudorandom function, such as hash-based message authentication code (HMAC), to the inputpassword
A password, sometimes called a passcode, is secret data, typically a string of characters, usually used to confirm a user's identity. Traditionally, passwords were expected to be memorized, but the large number of password-protected services t ...
or passphrase
A passphrase is a sequence of words or other text used to control access to a computer system, program or data. It is similar to a password in usage, but a passphrase is generally longer for added security. Passphrases are often used to control ...
along with a salt
In common usage, salt is a mineral composed primarily of sodium chloride (NaCl). When used in food, especially in granulated form, it is more formally called table salt. In the form of a natural crystalline mineral, salt is also known as r ...
value and repeats the process many times to produce a ''derived key'', which can then be used as a cryptographic key
A key in cryptography is a piece of information, usually a string of numbers or letters that are stored in a file, which, when processed through a cryptographic algorithm
In mathematics and computer science, an algorithm () is a finite sequenc ...
in subsequent operations. The added computational work makes password cracking much more difficult, and is known as key stretching
In cryptography, key stretching techniques are used to make a possibly weak key, typically a password or passphrase, more secure against a brute-force attack by increasing the resources (time and possibly space) it takes to test each possible ke ...
.
When the standard was written in the year 2000 the recommended minimum number of iterations was 1,000, but the parameter is intended to be increased over time as CPU speeds increase. A Kerberos standard in 2005 recommended 4,096 iterations; Apple
An apple is a round, edible fruit produced by an apple tree (''Malus'' spp.). Fruit trees of the orchard or domestic apple (''Malus domestica''), the most widely grown in the genus, are agriculture, cultivated worldwide. The tree originated ...
reportedly used 2,000 for iOS 3, and 10,000 for iOS 4; while LastPass in 2011 used 5,000 iterations for JavaScript
JavaScript (), often abbreviated as JS, is a programming language and core technology of the World Wide Web, alongside HTML and CSS. Ninety-nine percent of websites use JavaScript on the client side for webpage behavior.
Web browsers have ...
clients and 100,000 iterations for server-side hashing. In 2023, OWASP
The Open Worldwide Application Security Project (formerly Open Web Application Security Project) (OWASP) is an online community that produces freely available articles, methodologies, documentation, tools, and technologies in the fields of Io ...
recommended to use 600,000 iterations for PBKDF2-HMAC-SHA256 and 210,000 for PBKDF2-HMAC-SHA512.
Having a salt added to the password reduces the ability to use precomputed hashes (rainbow tables
A rainbow table is a precomputed Lookup table, table for caching the outputs of a cryptographic hash function, usually for Password cracking, cracking password hashes. Passwords are typically stored not in plain text form, but as hash values. If ...
) for attacks, and means that multiple passwords have to be tested individually, not all at once. The public key cryptography standard recommends a salt length of at least 64 bits. The US National Institute of Standards and Technology
The National Institute of Standards and Technology (NIST) is an agency of the United States Department of Commerce whose mission is to promote American innovation and industrial competitiveness. NIST's activities are organized into Outline of p ...
recommends a salt length of at least 128 bits.
Key derivation process
PBKDF2 has five input parameters:Password-Based Cryptography Specification : where: * is a pseudorandom function of two parameters with output length (e.g., a keyed HMAC) * is the master password from which a derived key is generated * is a sequence of bits, known as acryptographic salt
In cryptography, a salt is random data fed as an additional input to a one-way function that hashes data, a password or passphrase. Salting helps defend against attacks that use precomputed tables (e.g. rainbow tables), by vastly growing the siz ...
* is the number of iterations desired
* is the desired bit-length of the derived key
* is the generated derived key
Each -bit block of derived key , is computed as follows (with marking string concatenation):
:
:
The function is the xor () of ''c'' iterations of chained PRFs. The first iteration of PRF uses ''Password'' as the PRF key and ''Salt'' concatenated with encoded as a big-endian 32-bit integer as the input. (Note that ''i'' is a 1-based index.) Subsequent iterations of PRF use ''Password'' as the PRF key and the output of the previous PRF computation as the input:
:
where:
:
:
:
:
For example, WPA2 uses:
:
PBKDF1 had a simpler process: the initial ''U'' (called ''T'' in this version) is created by , and the following ones are simply . The key is extracted as the first ''dkLen'' bits of the final hash, which is why there is a size limit.
HMAC collisions
PBKDF2 has an interesting property when using HMAC as its pseudo-random function. It is possible to trivially construct any number of different password pairs with collisions within each pair. If a supplied password is longer than the block size of the underlying HMAC hash function, the password is first pre-hashed into a digest, and that digest is instead used as the password. For example, the following password is too long: * Password:65426b585154667542717027635463617226672a
Which can be represented in ASCII as:
* SHA1 (ASCII): eBkXQTfuBqp'cTcar&g*
This means regardless of the salt or iterations, PBKDF2-HMAC-SHA1 will generate the same key bytes for the passwords:
* "plnlrtfpijpuhqylxbgqiiyipieyxvfsavzgxbbcfusqkozwpngsyejqlmjsytrmd"
* "eBkXQTfuBqp'cTcar&g*"
For example, using:
* PRF: HMAC-SHA1
* Salt: A009C1A485912C6AE630D3E744240B04
* Iterations: 1,000
* Derived key length: 16 bytes
The following two function calls:
17EB4014C8C461C300E9B61518B9A18B). These derived key collisions do not represent a security vulnerability – as one still must know the original password in order to generate the ''hash'' of the password.
Alternatives to PBKDF2
One weakness of PBKDF2 is that while its number of iterations can be adjusted to make it take an arbitrarily large amount of computing time, it can be implemented with a small circuit and very little RAM, which makes brute-force attacks usingapplication-specific integrated circuit
An application-specific integrated circuit (ASIC ) is an integrated circuit (IC) chip customized for a particular use, rather than intended for general-purpose use, such as a chip designed to run in a digital voice recorder or a high-efficienc ...
s or graphics processing unit
A graphics processing unit (GPU) is a specialized electronic circuit designed for digital image processing and to accelerate computer graphics, being present either as a discrete video card or embedded on motherboards, mobile phones, personal ...
s relatively cheap.Colin Percival
Colin A. Percival (born 1980) is a Canadian computer scientist and computer security researcher. He completed his undergraduate education at Simon Fraser University and a doctorate at the University of Oxford. While at university he joined the F ...
scrypt
As presented i
"Stronger Key Derivation via Sequential Memory-Hard Functions"
presented at BSDCan'09, May 2009. The
bcrypt
bcrypt is a password-hashing function designed by Niels Provos and David Mazières. It is based on the Blowfish (cipher), Blowfish cipher and presented at USENIX in 1999. Besides incorporating a salt (cryptography), salt to protect against rain ...
password hashing function requires a larger amount of RAM (but still not tunable separately, i.e. fixed for a given amount of CPU time) and is significantly stronger against such attacks, while the more modern scrypt
In cryptography, scrypt (pronounced "ess crypt") is a password-based key derivation function created by Colin Percival in March 2009, originally for the Tarsnap online backup service. The algorithm was specifically designed to make it costly t ...
key derivation function can use arbitrarily large amounts of memory and is therefore more resistant to ASIC and GPU attacks.
In 2013, the Password Hashing Competition (PHC) was held to develop a more resistant approach. On 20 July 2015 Argon2 was selected as the final PHC winner, with special recognition given to four other password hashing schemes: Catena, Lyra2, yescrypt and Makwa. Another alternative is Balloon hashing, which is recommended in NIST password guidelines.
To limit a brute-force attack
In cryptography, a brute-force attack or exhaustive key search is a cryptanalytic attack that consists of an attacker submitting many possible keys or passwords with the hope of eventually guessing correctly. This strategy can theoretically be ...
, it is possible to make each password attempt require an online interaction, without harming the confidentiality of the password. This can be done using an oblivious pseudorandom function to perform password hardening. This can be done as alternative to, or as an additional step in, a PBKDF.
See also
* List of PBKDF2 implementationsReferences
External links
* * – Specification of PKCS#5 v2.0. * – Test vectors for PBKDF2 with HMAC-SHA1.NIST Special Publication 800-132 Recommendation for Password-Based Key Derivation
{{Cryptography navbox , hash Password authentication Cryptography standards Key derivation functions