PBKDF2 can be used to derive a key from a passphrase, taking as input the passphrase, the chosen number of iterations to slow down a brute-force attack, a random salt and the chosen key length. In its implementation it needs a PRNG, which can be, for example, HMAC-SHA-something; but HMAC itself needs a key together with a "message" (which I think is the passphrase in the first iteration, and then its resulting hash in the subsequent ones): so what is this key?
I've answered, but note that it should be easy to extract this kind of information from the standard. If unsure, check the standard. – Maarten Bodewes Jan 18 '17 at 12:29
Or existing, identical question(s): http://crypto.stackexchange.com/questions/10164/pbkdf2-uses-hmac-sha1-to-generate-keys-but-what-is-the-key-for-the-hmac?rq=1 – dave_thompson_085 Jan 18 '17 at 15:56
2 Answers
The key is the password.
For the first iteration, the salt concatenated with the desired output length in bytes is the input.
U1 = PRF(Password, Salt || INT_32_BE(i))
For subsequent iterations, the HMAC result is the salt.
U2 = PRF(Password, U1)
...
Uc = PRF(Password, Uc-1)

The password, encoded as octet string (usually using ASCII or UTF-8 as encoding), is used as key. The salt is used as data to HMAC.
The scheme specifies the following internal calculation:
U_1 = PRF (P, S || INT (i)) ,
U_2 = PRF (P, U_1) ,
...
U_c = PRF (P, U_{c-1}) .
where $P$ is the encoded password, $c$ is the iteration count, $S$ the salt and $\operatorname{INT}(i)$ an indicator of the output block (if more than a single block of output is required from the PRF). The PRF is not found in any other part of the scheme (PBKDF2 is not a complex protocol, you could argue too simple).
The PRF can be any pseudorandom function, but it is usually set to HMAC-SHA-1, which is used as the default:
The default pseudorandom function is HMAC-SHA-1:
in other words, PRF(P, X) can be read as HMAC-SHA-1(P, X).
