Questions tagged [pbkdf-2]

The Password-Based Key Derivation Function 2 (PBKDF2) is a method of securely deriving encryption keys from a passphrase entered by a user. It features an iteration count that can be deliberately adjusted (key stretching) to slow down brute-force password guessing attacks.

PBKDF2 was published by RSA Laboratories as part of the PKCS #5 v2.0 standard (also published by the IETF as RFC 2898), replacing an earlier, less flexible method (still supported but deprecated) now known as PBKDF1.

The PBKDF2 construction is based on a pseudorandom function (PRF), and it can be proven secure assuming the security of the underlying PRF. A common choice for the PRF is HMAC, which in turn is a construction based on a cryptographic hash function, and can be proven secure given some fairly weak security assumptions on the hash. Thus, a typical instance of PBKDF2 might be e.g. PBKDF2-HMAC-SHA256, meaning PBKDF2 instantiated with HMAC, which in turn is instantiated with the SHA-256 hash function.

The PBKDF2 construction notably features an adjustable iteration count, which can be used to control the speed of the key derivation process. For typical uses, PKCS #5 recommends an iteration count of at least 1000 (although this should be increased as computers become faster), making PBKDF2 at least a thousand times slower than simply hashing the passphrase with the underlying PRF. Such deliberate slowing down is known as key stretching, and it can be useful in hindering brute-force password guessing searches. PBKDF2 also allows and recommends the use of a random salt, intended to thwart attacks using precomputed password tables and to ensure that the derived keys are unique and effectively independent even if the same passphrase is used to derive keys for multiple purposes.

PBKDF2 can be used to derive keys for all kinds of cryptographic purposes, not just for symmetric encryption. In particular, it has become a popular recommendation for password hashing for websites and online applications, as it provides the important features of salting and key stretching in a standardized and well-studied package.

See also:

  • – key derivation functions in general
  • – an alternative password hashing method that implements key stretching
  • – a more recent alternative to PBKDF2, which also allows the memory consumption of the algorithm to be adjusted to thwart parallel password cracking using GPUs or dedicated hardware
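The construction described above, written out from RFC 2898 as an added example (not code from the tag wiki or from any library): the passphrase is the HMAC key, the salt plus block index is the first message, and the iteration count is the number of chained HMAC calls per block. The passphrases and salts are constructed sample values; the one known-answer vector is from RFC 6070.

```python
import hashlib
import hmac
import math
import struct


def pbkdf2(prf_hash: str, password: bytes, salt: bytes, iterations: int, dklen: int) -> bytes:
    """PBKDF2 per RFC 2898 section 5.2 with HMAC-<prf_hash> as the PRF.

    The passphrase is the HMAC key; the salt followed by the 4-byte big-endian
    block index is the first HMAC message, so there is no separate HMAC key.
    """
    if iterations < 1:
        raise ValueError("iteration count must be at least 1")
    hlen = hashlib.new(prf_hash).digest_size
    if dklen > (2**32 - 1) * hlen:
        raise ValueError("derived key too long")

    def prf(msg: bytes) -> bytes:
        return hmac.new(password, msg, prf_hash).digest()

    def block(i: int) -> bytes:
        # T_i = U_1 xor U_2 xor ... xor U_c, where U_1 = PRF(P, S || INT(i))
        # and U_j = PRF(P, U_(j-1)); each iteration costs one more HMAC call,
        # which is the key-stretching knob.
        u = prf(salt + struct.pack(">I", i))
        t = bytearray(u)
        for _ in range(iterations - 1):
            u = prf(u)
            t = bytearray(x ^ y for x, y in zip(t, u))
        return bytes(t)

    # A dkLen longer than one hash output is served by extra blocks T_1..T_l.
    nblocks = math.ceil(dklen / hlen)
    return b"".join(block(i) for i in range(1, nblocks + 1))[:dklen]


def matches_stdlib(prf_hash: str, password: bytes, salt: bytes, iterations: int, dklen: int) -> bool:
    """Cross-check the hand-written derivation against hashlib.pbkdf2_hmac."""
    expected = hashlib.pbkdf2_hmac(prf_hash, password, salt, iterations, dklen)
    return hmac.compare_digest(pbkdf2(prf_hash, password, salt, iterations, dklen), expected)


# Known-answer vector from RFC 6070: PBKDF2-HMAC-SHA1("password", "salt", c=1, dkLen=20).
RFC6070_C1 = bytes.fromhex("0c60c80f961f0e71f3a9b524af6012062fe037a6")

if __name__ == "__main__":
    assert pbkdf2("sha1", b"password", b"salt", 1, 20) == RFC6070_C1
    # Same passphrase, two constructed salts: the derived keys are unrelated.
    for salt in (b"\x00" * 16, b"\x01" * 16):
        print(pbkdf2("sha256", b"correct horse", salt, 1000, 32).hex())
```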
255 questions
3
votes
1 answer

Why does PBKDF2 use HMAC?

When I learned about PBKDF2, I found out that most articles say PBKDF2 uses HMAC as the PRF. Why HMAC? Can I use other pseudorandom functions? Is HMAC safer than any other function for PBKDF2?
user83796
  • 31
  • 1
3
votes
2 answers

Multithreading PBKDF2 or javascript alternative

I'm using PBKDF2 in the browser (can't use bcrypt, users are likely to have passwords > 72 bytes, or whatever the number was). PBKDF2 is running in a web worker, something like so: const key = PBKDF2_HMAC_SHA512.bytes(passphrase, salt, Math.pow(2,17),…
Irontiga
  • 43
  • 5
3
votes
2 answers

PBKDF2 uses HMAC-SHA1 to generate keys, but what is the key for the HMAC?

I was reading up on PBKDF2 and noted the following: DK = PBKDF2(PRF, Password, Salt, c, dkLen). PRF is a keyed HMAC, but I can't seem to find out what they use as the key for the HMAC?
Lucas Kauffman
  • 504
  • 3
  • 15
2
votes
1 answer

How to reverse engineer Salt from password, iterations, and key?

Let's say that a random key is derived using the following function (PBKDF2): key = fn(password, salt, iterations). Q1: How can I reverse engineer the salt from the password, iterations, and the key? Q2: If the same salt is used for generating the…
Sayan Pal
  • 123
  • 5
2
votes
1 answer

What is the "purpose" byte in Crypto++ PBKDF2?

Does anyone know the purpose of the "purpose" byte in the PBKDF2 implementation in Crypto++? It appears that PBKDF2 does not use this byte, but I want to make sure I am not setting the option to some stupid default. Here is the method…
Askable
  • 23
  • 2
2
votes
1 answer

Right usage of PBKDF2 and login system questions

I'm developing the login part of my application and I was asking myself how to do it right. My application stores some users' data server-side that must be inaccessible from us, so all the content must be encrypted using AES-256 with a password…
user12399
  • 21
  • 3
2
votes
1 answer

Lastpass PBKDF2 and salt

In light of the LastPass hack, their use of PBKDF2 had me wondering a few things. If PBKDF2 with a salt and the master password is used to generate a vault password every time you type in your master password to access the vault, wouldn't that salt…
Gunna
  • 21
  • 1
1
vote
2 answers

Is it reasonable to use DRBG and PBKDF together?

I want to generate a random number using a DRBG with the flow below: Entropy source -> DRBG -> PBKDF. Is adding PBKDF redundant?
Andy
  • 71
  • 4
1
vote
1 answer

One way hash of data records (PBKDF2?)

I'm looking for a way to one-way hash data for multiple records. We have a privacy requirement to anonymise information "after it's used for its intended purpose", which is a little woolly at best. I'd therefore like to delete everything once a…
Sam
  • 111
  • 2
1
vote
1 answer

Using similar passwords and salts for PBKDF2

I'm trying to generate a bunch of pseudo-random keys for AES using PBKDF2, where the AES ciphers will be used in CTR mode as pseudo-random number generators. My goal is to create a 2-dimensional array, where each entry is a pseudo-random sequence…
brianmearns
  • 355
  • 2
  • 10
1
vote
2 answers

Does Google's Crypto.JS AES encryption use PBKDF2 by default?

Does Google's Crypto.JS AES encryption use PBKDF2 by default? Some references, but I can't figure out the answer…
pinhead
  • 245
  • 1
  • 7
0
votes
1 answer

Is PBKDF2 reversible?

Given an AES key that is wrapped using another AES key, the second one being generated using PBKDF2, and given that I know the wrapped key: can I derive the passphrase that went into the PBKDF2? (asking for a friend)
rmalchow
  • 119
  • 1
0
votes
2 answers

Is a randomly generated long password more secure than a higher number of rounds in a PBKDF?

Usually the requirements for passwords are that they should be salted and use a high number of rounds. My understanding is: salting a password is only used to prevent rainbow attacks; using a high number of rounds is only used to prevent…
Kernel James
  • 103
  • 2