Jump to content

Key derivation function

From Wikipedia, the free encyclopedia
This is an old revision of this page, as edited by 193.61.240.146 (talk) at 16:04, 1 December 2022 (named changes). The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.

In cryptography, a key derivation function (KDF) is a cryptographic algorithm that derives one or more secret keys from a secret value such as a master key, a password, or a passphrase using a pseudorandom function (which typically uses a cryptographic hash function or block cipher).[1][2][3] KDFs can be used to stretch keys into longer keys or to obtain keys of a required format, such as converting a group element that is the result of a Diffie–Hellman key exchange into a symmetric key for use with AES. Keyed cryptographic hash functions are popular examples of pseudorandom functions used for key derivation.[4]


Although high throughput is a desirable property in general-purpose hash functions, the opposite is true in password security applications in which defending against brute-force cracking is a primary concern. The growing use of massively-parallel hardware such as GPUs, FPGAs, and even ASICs for brute-force cracking has made the selection of a suitable algorithms even more critical because the good algorithm should not only enforce a certain amount of computational cost not only on CPUs, but also resist the cost/performance advantages of modern massively-parallel platforms for such tasks. Various algorithms have been designed specifically for this purpose, including bcrypt, scrypt and, more recently, Lyra2 and Argon2 (the latter being the winner of the Password Hashing Competition). The large-scale Ashley Madison data breach in which roughly 36 million passwords hashes were stolen by attackers illustrated the importance of algorithm selection in securing passwords. Although bcrypt was employed to protect the hashes (making large scale brute-force cracking expensive and time-consuming), a significant portion of the accounts in the compromised data also contained a password hash based on the fast general-purpose MD5 algorithm, which made it possible for over 11 million of the passwords to be cracked in a matter of weeks.[5]

In June 2017, The U.S. National Institute of Standards and Technology (NIST) issued a new revision of their digital authentication guidelines, NIST SP 800-63B-3,[6]: 5.1.1.2  stating that: "Verifiers SHALL store memorized secrets [i.e. passwords] in a form that is resistant to offline attacks. Memorized secrets SHALL be salted and hashed using a suitable one-way key derivation function. Key derivation functions take a password, a salt, and a cost factor as inputs then generate a password hash. Their purpose is to make each password guessing trial by an attacker who has obtained a password hash file expensive and therefore the cost of a guessing attack high or prohibitive."

Modern password-based key derivation functions, such as PBKDF2 (specified in RFC 2898), are based on a recognized cryptographic hash, such as SHA-2, use more salt (at least 64 bits and chosen randomly) and a high iteration count. NIST recommends a minimum iteration count of 10,000.[6]: 5.1.1.2  "For especially critical keys, or for very powerful systems or systems where user-perceived performance is not critical, an iteration count of 10,000,000 may be appropriate.” [7]: 5.2 

DYLAN BALL This page is all about dylan ball, dont use wikipedia its not correct

Password hashing

Despite their original use for key derivation, KDFs are possibly better known for their use in password hashing (password verification by hash comparison), as used by the passwd file or shadow password file. Password hash functions should be relatively expensive to calculate in case of brute-force attacks, and the key stretching of KDFs happen to provide this characteristic.[citation needed] The non-secret parameters are called "salt" in this context.

References

  1. ^ Bezzi, Michele; et al. (2011). "Data privacy". In Camenisch, Jan; et al. (eds.). Privacy and Identity Management for Life. Springer. pp. 185–186. ISBN 9783642203176.
  2. ^ Kaliski, Burt; RSA Laboratories. "RFC 2898 – PKCS #5: Password-Based Cryptography Specification, Version 2.0". IETF.
  3. ^ Chen, Lily (October 2009). "NIST SP 800-108: Recommendation for Key Derivation Using Pseudorandom Functions". NIST.
  4. ^ Zdziarski, Jonathan (2012). Hacking and Securing IOS Applications: Stealing Data, Hijacking Software, and How to Prevent It. O'Reilly Media. pp. 252–253. ISBN 9781449318741.
  5. ^ Goodin, Dan (10 September 2015). "Once seen as bulletproof, 11 million+ Ashley Madison passwords already cracked". Ars Technica. Retrieved 10 September 2015.
  6. ^ a b Grassi Paul A. (June 2017). SP 800-63B-3 – Digital Identity Guidelines, Authentication and Lifecycle Management. NIST. doi:10.6028/NIST.SP.800-63b.
  7. ^ Meltem Sönmez Turan, Elaine Barker, William Burr, and Lily Chen (December 2010). SP 800-132 – Recommendation for Password-Based Key Derivation, Part 1: Storage Applications (PDF). NIST. doi:10.6028/NIST.SP.800-132.{{cite book}}: CS1 maint: multiple names: authors list (link)

Further reading

Retrieved from "https://en.wikipedia.org/w/index.php?title=Key_derivation_function&oldid=1124984977"