PBKDF2 (Password-Based Key Derivation Function) is a key derivation function that is part of RSA Laboratories' Public-Key Cryptography Standards (PKCS) series, specifically PKCS #5 v2.0, also published as Internet Engineering Task Force's RFC 2898. It replaces an earlier standard, PBKDF1, which could only produce derived keys up to 160 bits long.

PBKDF2 applies a pseudorandom function, such as a cryptographic hash, cipher, or HMAC to the input password or passphrase along with a salt value and repeats the process many times to produce a derived key, which can then be used as a cryptographic key in subsequent operations. The added computational work makes password cracking much more difficult, and is known as key stretching. When the standard was written in 2000, the recommended minimum number of iterations was 1000, but the parameter is intended to be increased over time as CPU speeds increase. Having a salt added to the password reduces the ability to use a precomputed dictionary to attack a password (such as rainbow tables) and means that multiple passwords have to be tested individually, not all at once. The standard recommends a salt length of at least 64 bits.


Key derivation process

Function is defined as

DK = PBKDF2(PRF, P,S,c,dkLen)


  • PRF is a parameter of PBKDF2 - it is a pseudorandom function of two parameters with output length hLen (e.g. keyed HMAC)
  • P is the master password for which a derivation is generated
  • S is a salt
  • c number of iterations, positive integer
  • dkLen is a length of derived key
  • DK is a generated derived key

For each hLen-bit block Ti of derived key DK, computing is as follows:

DK = T1 || T2 || ... || Tdklen/hlen
Ti = F(P,S,c,i)

Where F is an xor of c iterations of chained PRF. First iteration of PRF uses master password P as PRF key and salt concatenated to i. Second and greater PRF uses P and output of previous PRF computation:

F(P,S,c,i) = U1 ^ U2 ^ ... ^ Uc
U1 = PRF(P,S || INT_msb(i))
U2 = PRF(P,U1)
Uc = PRF(P,Uc-1)

For example, WPA2 uses

 DK = PBKDF2(HMAC−SHA1, passphrase, ssid, 4096, 256)

Systems that use PBKDF2

Disk encryption software

BlackBerry vulnerability

In September 2010, ElcomSoft announced a password cracking utility for Research In Motion BlackBerry device backups that takes advantage of what Vladimir Katalov, ElcomSoft's CEO, described as the "very strange way, to say the least" in which the BlackBerry uses PBKDF2. The BlackBerry encrypts backup files with AES-256. In turn, the AES key is derived from the user's password using PBKDF2. However the BlackBerry software uses only one PBKDF2 iteration.[7][8] By contrast, according to Katalov, Apple's iOS 3 uses 2000 iterations and iOS 4 uses 10,000.[9] However, iOS's key management has proven to be a more serious weakpoint.[citation needed]

Alternatives to PBKDF2

One weakness of PBKDF2 is its use of fast processing algorithms while better ones are slower (require greater processing/memory/effort to convert a passphrase into a longer key) and thus make brute force efforts less feasible. Modern alternatives include Bcrypt and scrypt.


  1. ^ http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnsecure/html/windataprotection-dpapi.asp
  2. ^ http://www.winzip.com/aes_tips.htm
  3. ^ http://www.winzip.com/gladman.cgi
  4. ^ http://help.agilebits.com/1Password/agile_keychain_design.html
  5. ^ http://blog.lastpass.com/2011/05/lastpass-security-notification.html
  6. ^ http://crypto.nsa.org/vilefault/23C3-VileFault.pdf
  7. ^ http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3741
  8. ^ http://www.infoworld.com/t/mobile-device-management/you-can-no-longer-rely-encryption-protect-blackberry-436
  9. ^ http://www.mobileorchard.com/tutorial-iphone-sqlite-encryption-with-sqlcipher/

External links

  • RSA PKCS #5 – RSA Laboratories PKCS #5 v2.0 - Multiple Formats, and test vectors.
  • RFC 2898 – Specification of PKCS #5 v2.0.
  • RFC 6070 – Test vectors for PBKDF2 with HMAC-SHA1.


Wikimedia Foundation. 2010.

Look at other dictionaries:

  • PBKDF2 — (англ. Password Based Key Derivation Function)  стандарт формирования ключа (англ.) на основе пароля. Является частью PKCS #5 v2.0 (RFC 2898). Заменил PBKDF1, который ограничивал длину порождаемого ключа 160 битами. PBKDF2… …   Википедия

  • dm-crypt — ist ein Kryptographie Modul des Device Mappers im Linux Kernel. Man kann mit dm crypt Daten mit verschiedenen Algorithmen ver und entschlüsseln, dies kann auf beliebige Gerätedateien (englisch: Devices) angewandt werden, in den meisten Fällen… …   Deutsch Wikipedia

  • bcrypt — bcrypt  адаптивная криптографическая хеш функция используемая для защищенного хранения паролей. Разработчики: Niels Provos и David Mazières. Функция основана на шифре Blowfish, впервые представлена на USENIX в 1999 году.[1] Для защиты от… …   Википедия

  • Key strengthening — In cryptography, key strengthening or key stretching refer to techniques used to make a possibly weak key, typically a password or passphrase, more secure against a brute force attack by increasing the time it takes to test each possible key.… …   Wikipedia

  • Password — For other uses, see Password (disambiguation). A password is a secret word or string of characters that is used for authentication, to prove identity or gain access to a resource (example: an access code is a type of password). The password… …   Wikipedia

  • Passphrase — A passphrase is a sequence of words or other text used to control access to a computer system, program or data. A passphrase is similar to a password in usage, but is generally longer for added security. Passphrases are often used to control both …   Wikipedia

  • Wi-Fi Protected Access — (WPA and WPA2) is a certification program administered by the Wi Fi Alliance to indicate compliance with the security protocol created by the Wi Fi Alliance to secure wireless computer networks. This protocol was created in response to several… …   Wikipedia

  • Key derivation function — KDF redirects here. For the Nazi organization, see Kraft durch Freude In cryptography, a key derivation function (or KDF) is a function which derives one or more secret keys from a secret value and/or other known information such as a password or …   Wikipedia

  • Salt (cryptography) — In cryptography, a salt consists of random bits, creating one of the inputs to a one way function. The other input is usually a password or passphrase. The output of the one way function can be stored rather than the password, and still be used… …   Wikipedia

  • Cryptography standards — There are a number of standards related to cryptography. Standard algorithms and protocols provide a focus for study; standards for popular applications attract a large amount of cryptanalysis. Contents 1 Encryption standards 2 Hash standards 3… …   Wikipedia

Share the article and excerpts

Direct link
Do a right-click on the link above
and select “Copy Link”