Questions tagged [pbkdf-2]

The Password-Based Key Derivation Function 2 (PBKDF2) is a method of securely deriving encryption keys from a passphrase entered by a user. It features an iteration count that can be deliberately adjusted (key stretching) to slow down brute force password guessing attacks.


PBKDF2 was published by RSA Laboratories as part of the PKCS #5 v2.0 standard (also published by the IETF as RFC 2898, and carried forward unchanged into PKCS #5 v2.1, RFC 8018), replacing an earlier, less flexible method (still supported but deprecated) now known as PBKDF1.

The PBKDF2 construction is based on a pseudorandom function (PRF), and it can be proven secure assuming the security of the underlying PRF. A common choice for the PRF is HMAC, which in turn is a construction based on a cryptographic hash function, and can be proven secure given some fairly weak security assumptions on the hash. Thus, a typical instance of PBKDF2 might be e.g. PBKDF2-HMAC-SHA256, meaning PBKDF2 instantiated with HMAC, which in turn is instantiated with the SHA-256 hash function.

The PBKDF2 construction notably features an adjustable iteration count, which controls the cost of the key derivation. Each iteration is one evaluation of the PRF, so an iteration count of c makes PBKDF2 roughly c times slower than hashing the passphrase once with the underlying PRF, for the legitimate user and for an attacker alike. PKCS #5 recommends a minimum of 1000 iterations, but that figure dates from 2000 and is far too low for today's hardware; current guidance such as the OWASP Password Storage Cheat Sheet puts the count in the hundreds of thousands for PBKDF2-HMAC-SHA256, and the count should be raised as computers become faster. Such deliberate slowing down is known as key stretching, and hinders brute force password guessing searches. PBKDF2 also takes a salt, which should be random and unique per password (PKCS #5 asks for at least 64 bits, NIST SP 800-132 for at least 128). The salt thwarts attacks using precomputed password tables and ensures that the derived keys are unique and effectively independent even if the same passphrase is used to derive keys for multiple purposes.

PBKDF2 can be used to derive keys for all kinds of cryptographic purposes, not just for symmetric encryption. In particular, it has become a popular recommendation for password hashing for websites and on-line applications, as it provides the important features of salting and key stretching in a standardized and well studied package. Its main limitation is that it uses essentially no memory, so an attacker can test many guesses in parallel on GPUs or dedicated hardware at little cost; where that threat matters, a memory-hard function is the better choice.
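As an added example (not part of the tag wiki or of any question on this page), the following Python implements the construction described above directly from RFC 8018 section 5.2, checks it against the PBKDF2-HMAC-SHA1 test vectors of RFC 6070 and against `hashlib.pbkdf2_hmac`, and then shows the two uses the wiki mentions: storing a salted, stretched password hash, and deriving two independent keys from one passphrase. The `$`-separated storage format, the 600,000 default iteration count (the OWASP Password Storage Cheat Sheet figure for PBKDF2-HMAC-SHA256 at the time of writing) and the 16-byte salt are this example's own choices, not anything the page prescribes.

```python
import hashlib
import hmac
import os
import struct


def pbkdf2(hash_name: str, password: bytes, salt: bytes,
           iterations: int, dklen: int) -> bytes:
    """PBKDF2 with PRF = HMAC-<hash_name>, transcribed from RFC 8018 5.2.

    DK = T_1 || T_2 || ... || T_l truncated to dklen octets, where
    T_i = U_1 xor U_2 xor ... xor U_c,  U_1 = PRF(P, S || INT(i)),
    U_j = PRF(P, U_{j-1}), and INT(i) is the 4-octet big-endian block index.
    Use hashlib.pbkdf2_hmac in production; this is here to show the structure.
    """
    if iterations < 1:
        raise ValueError("iteration count c must be a positive integer")
    hlen = hashlib.new(hash_name).digest_size
    if dklen > (2 ** 32 - 1) * hlen:
        raise ValueError("derived key too long")
    blocks = -(-dklen // hlen)  # l = CEIL(dkLen / hLen)
    dk = bytearray()
    for i in range(1, blocks + 1):
        u = hmac.new(password, salt + struct.pack(">I", i), hash_name).digest()
        t = int.from_bytes(u, "big")  # running XOR of U_1 .. U_c
        for _ in range(iterations - 1):
            u = hmac.new(password, u, hash_name).digest()
            t ^= int.from_bytes(u, "big")
        dk += t.to_bytes(hlen, "big")
    return bytes(dk[:dklen])


def rfc6070_self_check() -> bool:
    """PBKDF2-HMAC-SHA1 vectors from RFC 6070, plus a cross-check against hashlib."""
    vectors = [
        (b"password", b"salt", 1, 20,
         "0c60c80f961f0e71f3a9b524af6012062fe037a6"),
        (b"password", b"salt", 2, 20,
         "ea6c014dc72d6f8ccd1ed92ace1d41f0d8de8957"),
        (b"password", b"salt", 4096, 20,
         "4b007901b765489abead49d926f721d065a429c1"),
        # dkLen = 25 > hLen = 20, so this one exercises the second block T_2
        (b"passwordPASSWORDpassword", b"saltSALTsaltSALTsaltSALTsaltSALTsalt",
         4096, 25, "3d2eec4fe41c849b80c8d83662c0e44a8b291a964cf2f07038"),
    ]
    for pw, salt, c, dklen, expected in vectors:
        if pbkdf2("sha1", pw, salt, c, dklen).hex() != expected:
            return False
    # a multi-block SHA-256 derivation must agree with the library implementation
    return (pbkdf2("sha256", b"pw", b"salt", 1000, 40)
            == hashlib.pbkdf2_hmac("sha256", b"pw", b"salt", 1000, 40))


# Assumptions of this example (not from the page): our own storage format,
# a 128-bit random salt and an OWASP-level default iteration count.
DEFAULT_ITERATIONS = 600_000
SALT_LEN = 16


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS) -> str:
    """Fresh random salt per password; the iteration count is stored alongside
    the hash so it can be raised for new hashes without breaking old ones."""
    salt = os.urandom(SALT_LEN)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, 32)
    return f"pbkdf2-sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2-sha256":
        return False
    _, iters, salt_hex, dk_hex = parts
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters), 32)
    # constant-time comparison: a plain == would leak how many leading bytes match
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def derive_enc_and_mac_keys(password: bytes, salt: bytes, iterations: int):
    """Derive an AES key and an HMAC key from one passphrase in one call.

    HMAC-SHA512 has hLen = 64, so 64 octets is exactly one block T_1 and costs
    one PBKDF2 run. Asking for 64 octets from HMAC-SHA256 instead would compute
    T_1 and T_2 (double the defender's work), while an attacker testing guesses
    only ever needs T_1, so the second block buys no extra security.
    """
    dk = hashlib.pbkdf2_hmac("sha512", password, salt, iterations, 64)
    return dk[:32], dk[32:]


if __name__ == "__main__":
    print("RFC 6070 self-check:", rfc6070_self_check())
    stored = hash_password("correct horse battery staple")
    print(stored)
    print("verify:", verify_password("correct horse battery staple", stored))
```

Two things the example makes concrete: the same password hashed twice yields different strings because the salt is fresh each time, and the iteration count travels with the hash, so raising `DEFAULT_ITERATIONS` later only affects newly created hashes while old ones still verify.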

See also:

  • – key derivation functions in general
  • – an alternative password hashing method that implements key stretching
  • – a more recent alternative to PBKDF2, which also allows the memory consumption of the algorithm to be adjusted to thwart parallel password cracking using GPUs or dedicated hardware
261 questions
38 votes, 4 answers

How can one securely generate an asymmetric key pair from a short passphrase?

Background info: I am planning on making a filehost with which one can encrypt and upload files. To protect the data against any form of hacking, I'd like not to know the encryption key ($K$) used for a file, so the user will have to asymmetrically…
asked by Flumble
25 votes, 2 answers

What is the difference between Scrypt and PBKDF2?

After reading these two resources I am wondering whether I am getting all the differences between Scrypt and PBKDF2. As far as I understood, the similarity is: both are password-based key derivation functions. The difference is: Scrypt is more resource…
asked by Salvador Dali
25 votes, 2 answers

What's the difference between PBKDF and SHA and why use them together?

I've been reading a little bit about hashing lately and according to AgileBits, they use "SHA512 within PBKDF2" in their new vault file. I've looked in Wikipedia for both names and I know PBKDF2 is a key derivation function and SHA is a…
asked by Danowsky
24 votes, 6 answers

PBKDF2 and salt

I want to ask some questions about the PBKDF2 function and generally about the password-based derivation functions. Actually we use the derivation function together with the salt to provide resistance against the dictionary attacks, right? One…
asked by thrylos_7
17 votes, 2 answers

Password hash that can be upgraded without plaintext password

Most password hashes have a cost parameter that indicates how long the algorithm should take. Is there an algorithm where you can increase that cost for a particular hash, without access to the plaintext password? So I have existing hashes in the…
asked by Sjoerd
16 votes, 2 answers

Why is the salt used only once in PBKDF2, while the password is used often?

The purpose of PBKDF2 is to create a derived key (DK) from a master password (PW) and a salt, often using a function like HMAC-SHA256. I have read that the salt should be as random as possible. But if that's the case, why does it play such a minor…
asked by ericball
14 votes, 2 answers

How to derive two keys from one password

What is the best way to generate two independent symmetric keys from one user-entered password or passphrase? Would using both scrypt and pbkdf2 achieve this?
asked by user1028028
14 votes, 3 answers

PBKDF2 for key diversification

I am looking for a secure key diversification function to create individual AES keys for a local smart card deployment. The keys need to be derived from a secret master key and the smart card serial number. Key calculation can happen on the host…
asked by ge0rg
14 votes, 2 answers

Is PBKDF2-HMAC-SHA1 really broken?

I just read through this article which demonstrates practical (and seemingly trivial) collisions in PBKDF2-HMAC-SHA1, and provides a few examples of collisions. Am I missing something here? Is PBKDF2-HMAC-SHA1 really broken this badly and trivially?…
asked by Polynomial
12 votes, 3 answers

Is deriving the IV from the password secure?

I came across an encryption scheme to encrypt files with AES-256. You can see the initialization of the decryption routine below: salt = scrambled_file.read(16) key_and_iv = OpenSSL::PKCS5.pbkdf2_hmac(password, salt, 50000, 48,…
asked by Jonas
11 votes, 2 answers

Meaning of the term "Key Material"

I am reading specifications from my client that focuses on the topic of security. In these specs, the term key material has appeared many times. I used Google to look for what the term means. Unfortunately few posts explain what it means. What is…
asked by mac.ma
11 votes, 1 answer

How to salt PBKDF2, when generating both an AES key and a HMAC key for Encrypt then MAC?

When using Encrypt-then-MAC with AES and HMAC by password, and given 128 bits of payload with the ciphertext to store a random salt, which would be more secure: Using PBKDF2 with the entire 128 bit random salt and generating 512 bits of derived…
asked by jbtule
11 votes, 2 answers

Should I salt an AES password at each encryption?

I saw a sample code where the same password is salted with a different value (using PBKDF2) for each encryption. That means that the salt must be stored for each encrypted message. I don't understand why they do that since AES is used here in CBC…
asked by Benoit
11 votes, 1 answer

Does a big salt have the same memory effects as Bcrypt?

Citing Thomas Pornin on the question Why can't one implement bcrypt in Cuda?: bcrypt is a variant of the Blowfish key scheduling, which is defined over a table (a few kilobytes) which is constantly accessed and modified throughout the algorithm.…
asked by Luc
11 votes, 3 answers

PBKDF2WithHmacSHA512 Vs. PBKDF2WithHmacSHA1?

I'm working on a Java authentication subsystem that specs the storage of passwords in the DB as PBKDF2-generated hashes, and I'm now trying to decide whether I should use SHA1 or SHA512 as PRF. I'm under the impression that the consensus is that…
asked by Jim