“Key derivation function”的意思、由来-开放百科全书

In cryptography, a key derivation function (KDF) derives one or more secret keys from a secret value such as a master key, a password, or a passphrase using a pseudorandom function.^[1]^[2] KDFs can be used to stretch keys into longer keys or to obtain keys of a required format, such as converting a group element that is the result of a Diffie–Hellman key exchange into a symmetric key for use with AES. Keyed cryptographic hash functions are popular examples of pseudorandom functions used for key derivation.^[3]

Uses of KDFs

Key stretching and key strengthening

Key derivation functions are also used in applications to derive keys from secret passwords or passphrases, which typically do not have the desired properties to be used directly as cryptographic keys. In such applications, it is generally recommended that the key derivation function be made deliberately slow so as to frustrate brute-force attack or dictionary attack on the password or passphrase input value.

Such use may be expressed as {{math|1=DK = KDF(key, salt, iterations)}}, where {{math|1=DK}} is the derived key, {{math|1=KDF}} is the key derivation function, {{math|1=key}} is the original key or password, {{math|1=salt}} is a random number which acts as cryptographic salt, and {{math|1=iterations}} refers to the number of iterations of a sub-function. The derived key is used instead of the original key or password as the key to the system. The values of the salt and the number of iterations (if it is not fixed) are stored with the hashed password or sent as plaintext with an encrypted message.^[5]

The difficulty of a brute force attack increases with the number of iterations. A practical limit on the iteration count is the unwillingness of users to tolerate a perceptible delay in logging into a computer or seeing a decrypted message. The use of salt prevents the attackers from precomputing a dictionary of derived keys.^[5]

An alternative approach, called key strengthening, extends the key with a random salt, but then (unlike in key stretching) securely deletes the salt.^[6] This forces both the attacker and legitimate users to perform a brute-force search for the salt value.^[7] Although the paper that introduced key stretching^[8] referred to this earlier technique and intentionally chose a different name, the term "key strengthening" is now often (arguably incorrectly) used to refer to key stretching.

History

The first{{citation needed|date=June 2015}} deliberately slow (key stretching) password-based key derivation function was called "crypt" (or "crypt(3)" after its man page), and was invented by Robert Morris in 1978. It would encrypt a constant (zero), using the first 8 characters of the user's password as the key, by performing 25 iterations of a modified DES encryption algorithm (in which a 12-bit number read from the real-time computer clock is used to perturb the calculations). The resulting 64-bit number is encoded as 11 printable characters and then stored in the Unix password file.^[9] While it was a great advance at the time, increases in processor speeds since the PDP-11 era have made brute-force attacks against crypt feasible, and advances in storage have rendered the 12-bit salt inadequate. The crypt function's design also limits the user password to 8 characters, which limits the keyspace and makes strong passphrases impossible.{{citation needed|date=July 2013}}

Modern password-based key derivation functions, such as PBKDF2 (specified in RFC 2898), use a cryptographic hash, such as SHA-2, more salt (e.g. 64 bits and greater) and a high iteration count (often tens or hundreds of thousands).

In June 2017, NIST issued a new revision of their digital authentication guidelines, NIST SP 800-63B-3,^[12]{{rp|5.1.1.1}} stating that: "Verifiers SHALL store memorized secrets [i.e. passwords] in a form that is resistant to offline attacks. Memorized secrets SHALL be salted and hashed using a suitable one-way key derivation function. Key derivation functions take a password, a salt, and a cost factor as inputs then generate a password hash. Their purpose is to make each password guessing trial by an attacker who has obtained a password hash file expensive and therefore the cost of a guessing attack high or prohibitive." and that "The salt SHALL be at least 32 bits in length and be chosen arbitrarily so as to minimize salt value collisions among stored hashes."

References

1. ^{{cite book|author=Bezzi, Michele|chapter=Data privacy|editors=Camenisch, Jan|title=Privacy and Identity Management for Life|publisher=Springer|year=2011|isbn=9783642203176|pages=185–186|url=https://books.google.com/books?id=vYxzh3C6OPUC&pg=PA185|display-authors=etal|display-editors=etal}}
2. ^{{cite web|author=Kaliski, Burt|author2=RSA Laboratories |title=RFC 2898 – PKCS #5: Password-Based Cryptography Specification, Version 2.0|work=IETF|url=https://www.ietf.org/rfc/rfc2898.txt}}
3. ^{{cite book|author=Zdziarski, Jonathan|title=Hacking and Securing IOS Applications: Stealing Data, Hijacking Software, and How to Prevent It|publisher=O'Reilly Media|year=2012|isbn=9781449318741|pages=252–253|url=https://books.google.com/books?id=2D50GNA1ULsC&pg=PA252}}
4. ^[https://password-hashing.net/ "Password Hashing Competition"]
5. ^¹{{cite web|title=Salted Password Hashing – Doing it Right|url=https://crackstation.net/hashing-security.htm|website=CrackStation.net|accessdate=29 January 2015}}
6. ^Abadi, Martın, T. Mark A. Lomas, and Roger Needham. "Strengthening passwords." Digital System Research Center, Tech. Rep 33 (1997): 1997.
7. ^U. Manber, "A Simple Scheme to Make Passwords Based on One-Way Functions Much Harder to Crack," Computers & Security, v.15, n.2, 1996, pp.171–176.
8. ^Secure Applications of Low-Entropy Keys, J. Kelsey, B. Schneier, C. Hall, and D. Wagner (1997)
9. ^{{cite web | url=http://cm.bell-labs.com/cm/cs/who/dmr/passwd.ps | archive-url=https://web.archive.org/web/20030322053727/http://cm.bell-labs.com/cm/cs/who/dmr/passwd.ps | dead-url=yes | archive-date=2003-03-22 | title=Password Security: A Case History. | work=Bell Laboratories | author1=Morris, Robert | author2=Thompson, Ken | date=1978-04-03 | accessdate=2011-05-09 }}
10. ^NIST SP 800-132 Section 5.1
11. ^{{cite web|url=https://arstechnica.com/security/2015/09/once-seen-as-bulletproof-11-million-ashley-madison-passwords-already-cracked/|title=Once seen as bulletproof, 11 million+ Ashley Madison passwords already cracked|work=Ars Technica|last=Goodin|first=Dan|date=10 September 2015|accessdate=10 September 2015}}
12. ^{{cite journal | url = https://doi.org/10.6028/NIST.SP.800-63b | title = SP 800-63B-3 – Digital Identity Guidelines, Authentication and Lifecycle Management | format = PDF | publisher = NIST | date = June 2017 | accessdate = August 6, 2017 | doi=10.6028/NIST.SP.800-63b | author=Grassi Paul A}}

Uses of KDFs

Key stretching and key strengthening

History

References

Further reading