词条 | PBKDF2 |
释义 |
In cryptography, PBKDF1 and PBKDF2 (Password-Based Key Derivation Function 2) are key derivation functions with a sliding computational cost, aimed to reduce the vulnerability of encrypted keys to brute force attacks. PBKDF2 is part of RSA Laboratories' Public-Key Cryptography Standards (PKCS) series, specifically PKCS #5 v2.0, also published as Internet Engineering Task Force's RFC 2898. It supersedes PBKDF1, which could only produce derived keys up to 160 bits long.[1] RFC 8018, published in 2017, recommends PBKDF2 for password hashing.[2] Purpose and operationPBKDF2 applies a pseudorandom function, such as hash-based message authentication code (HMAC), to the input password or passphrase along with a salt value and repeats the process many times to produce a derived key, which can then be used as a cryptographic key in subsequent operations. The added computational work makes password cracking much more difficult, and is known as key stretching. When the standard was written in the year 2000 the recommended minimum number of iterations was 1000, but the parameter is intended to be increased over time as CPU speeds increase. A Kerberos standard in 2005 recommended 4096 iterations;[3] Apple reportedly used 2000 for iOS 3, and {{val|10000}} for iOS 4;[4] while LastPass in 2011 used 5000 iterations for JavaScript clients and {{val|100000}} iterations for server-side hashing.[5] Having a salt added to the password reduces the ability to use precomputed hashes (rainbow tables) for attacks, and means that multiple passwords have to be tested individually, not all at once. The standard recommends a salt length of at least 64 bits.[6] The US National Institute of Standards and Technology recommends a salt length of 128 bits.[7] Key derivation processThe PBKDF2 key derivation function has five input parameters:{{fact|date=December 2018}} where:
Each hLen-bit block Ti of derived key DK, is computed as follows (with DK = T1 || T2 || ... || Tdklen/hlen Ti = F(Password, Salt, c, i) The function F is the xor (^) of c iterations of chained PRFs. The first iteration of PRF uses Password as the PRF key and Salt concatenated with i encoded as a big-endian 32-bit integer. (Note that i is a 1-based index.) Subsequent iterations of PRF use Password as the PRF key and the output of the previous PRF computation as the salt: where: U1 = PRF(Password, Salt || INT_32_BE(i)) U2 = PRF(Password, U1) ... Uc = PRF(Password, Uc-1) For example, WPA2 uses: HMAC collisionsPBKDF2 has an interesting property when using HMAC as its pseudo-random function. It is possible to trivially construct any number of different password pairs with collisions within each pair.[8] If a supplied password is longer than the block size of the underlying HMAC hash function, the password is first pre-hashed into a digest, and that digest is instead used as the password. For example, the following password is too long:
therefore (when for example using HMAC-SHA1) it is pre-hashed using SHA-1 into:
Which can be represented in ASCII as:
This means regardless of the salt or iterations, PBKDF2-HMAC-SHA1 will generate the same key bytes for the passwords:
For example, using:
the following two function calls: PBKDF2-HMAC-SHA1("plnlrtfpijpuhqylxbgqiiyipieyxvfsavzgxbbcfusqkozwpngsyejqlmjsytrmd", ...) PBKDF2-HMAC-SHA1("eBkXQTfuBqp'cTcar&g*", ...) will generate the same derived key bytes ( Alternatives to PBKDF2One weakness of PBKDF2 is that while its number of iterations can be adjusted to make it take an arbitrarily large amount of computing time, it can be implemented with a small circuit and very little RAM, which makes brute-force attacks using application-specific integrated circuits or graphics processing units relatively cheap.[10] The bcrypt password hashing function requires a larger amount of RAM (but still not tunable separately, i. e. fixed for a given amount of CPU time) and is slightly stronger against such attacks,[11] while the more modern scrypt key derivation function can use arbitrarily large amounts of memory and is therefore more resistant to ASIC and GPU attacks.[10] In 2013, a Password Hashing Competition (PHC) was held to develop a more resistant approach. On 20 July 2015 Argon2 was selected as the final PHC winner, with special recognition given to four other password hashing schemes: Catena, Lyra2, yescrypt and Makwa.[12] See also
References1. ^{{Cite web|title = PKCS #5: Password-Based Cryptography Specification Version 2.0|url = http://tools.ietf.org/html/rfc2898#section-5.2|website = tools.ietf.org|accessdate = 2015-10-23|first = Burt Kaliski|last = 2. ^{{Cite web|title = PKCS #5: Password-Based Cryptography Specification Version 2.1|url = https://tools.ietf.org/html/rfc8018|website = tools.ietf.org}} 3. ^{{Cite web|title = Advanced Encryption Standard (AES) Encryption for Kerberos 5|url = http://tools.ietf.org/html/rfc3962|website = tools.ietf.org|accessdate = 2015-10-23|author = Kenneth Raeburn }} 4. ^{{Cite web|title = Smartphone Forensics: Cracking BlackBerry Backup Passwords |work=Advanced Password Cracking – Insight (ElcomSoft) |url = http://blog.elcomsoft.com/2010/09/smartphone-forensics-cracking-blackberry-backup-passwords/ |accessdate = 2015-10-23}} 5. ^{{Cite web|title = LastPass Security Notification|url = https://blog.lastpass.com/2011/05/lastpass-security-notification.html/|website = The LastPass Blog|accessdate = 2015-10-23}} 6. ^{{Cite web|title = RFC 8018 - PKCS #5: Password-Based Cryptography Specification, Version 2.1|url = https://tools.ietf.org/html/rfc8018#section-4|website = tools.ietf.org|accessdate = 2018-01-24|author = K. Moriarty|display-authors=etal}} 7. ^{{Cite web|title = NIST SP 800-132, Recommendation for Password-Based Key Derivation Part 1: Storage Applications|url = https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-132.pdf|website = www.nist.gov|accessdate = 2018-12-20|author = Meltem Sönmez Turan, Elaine Barker, William Burr, and Lily Chen}} 8. ^https://mathiasbynens.be/notes/pbkdf2-hmac 9. ^https://crypto.stackexchange.com/questions/26510/why-is-hmac-sha1-still-considered-secure 10. ^1 Colin Percival.scrypt.As presented in"Stronger Key Derivation via Sequential Memory-Hard Functions".presented at BSDCan'09, May 2009. 11. ^{{cite web|url=http://securityledger.com/new-25-gpu-monster-devours-passwords-in-seconds |title=New 25 GPU Monster Devours Passwords In Seconds |publisher=The Security Ledger |date=2012-12-04 |accessdate=2013-09-07}} 12. ^[https://password-hashing.net "Password Hashing Competition"] External links
3 : Password authentication|Cryptography standards|Key derivation functions |
随便看 |
|
开放百科全书收录14589846条英语、德语、日语等多语种百科知识,基本涵盖了大多数领域的百科知识,是一部内容自由、开放的电子版国际百科全书。