PBKDF2 (Password-Based Key Derivation Function) is a key derivation function that is part of RSA Laboratories' Public-Key Cryptography Standards (PKCS) series, specifically PKCS #5 v2.0, also published as Internet Engineering Task Force's RFC 2898. It replaces an earlier standard, PBKDF1, which could only produce derived keys up to 160 bits long.
PBKDF2 applies a pseudorandom function, such as a cryptographic hash, cipher, or HMAC to the input password or passphrase along with a salt value and repeats the process many times to produce a derived key, which can then be used as a cryptographic key in subsequent operations. The added computational work makes password cracking much more difficult, and is known as key stretching. When the standard was written in 2000, the recommended minimum number of iterations was 1000, but the parameter is intended to be increased over time as CPU speeds increase. Having a salt added to the password reduces the ability to use a precomputed dictionary to attack a password (such as rainbow tables) and means that multiple passwords have to be tested individually, not all at once. The standard recommends a salt length of at least 64 bits.
Key derivation process
Function is defined as
DK = PBKDF2(PRF, P,S,c,dkLen)
- PRF is a parameter of PBKDF2 - it is a pseudorandom function of two parameters with output length hLen (e.g. keyed HMAC)
- P is the master password for which a derivation is generated
- S is a salt
- c number of iterations, positive integer
- dkLen is a length of derived key
- DK is a generated derived key
For each hLen-bit block Ti of derived key DK, computing is as follows:
DK = T1 || T2 || ... || Tdklen/hlen Ti = F(P,S,c,i)
Where F is an xor of c iterations of chained PRF. First iteration of PRF uses master password P as PRF key and salt concatenated to i. Second and greater PRF uses P and output of previous PRF computation:
F(P,S,c,i) = U1 ^ U2 ^ ... ^ Uc
U1 = PRF(P,S || INT_msb(i)) U2 = PRF(P,U1) ... Uc = PRF(P,Uc-1)
For example, WPA2 uses
DK = PBKDF2(HMAC−SHA1, passphrase, ssid, 4096, 256)
Systems that use PBKDF2
- Wi-Fi Protected Access (WPA and WPA2) used to secure Wi-Fi wireless networks
- Microsoft Windows Data Protection API (DPAPI)
- OpenDocument encryption used in OpenOffice.org
- WinZip's AES Encryption scheme.
- 1Password for generating encryption keys. 
- LastPass for password hashing.
- FileVault (Mac OS X) from Apple Computer
- FreeOTFE (Windows and Pocket PC PDAs); also supports mounting Linux (e.g. LUKS) volumes under Windows
- LUKS (Linux Unified Key Setup) (Linux)
- TrueCrypt (Windows, Linux, and Mac OS X)
- DiskCryptor (Windows)
- Cryptographic disk (NetBSD)
- GEOM ELI module for FreeBSD
- softraid crypto for OpenBSD
- EncFS (Linux) since v1.5.0
In September 2010, ElcomSoft announced a password cracking utility for Research In Motion BlackBerry device backups that takes advantage of what Vladimir Katalov, ElcomSoft's CEO, described as the "very strange way, to say the least" in which the BlackBerry uses PBKDF2. The BlackBerry encrypts backup files with AES-256. In turn, the AES key is derived from the user's password using PBKDF2. However the BlackBerry software uses only one PBKDF2 iteration. By contrast, according to Katalov, Apple's iOS 3 uses 2000 iterations and iOS 4 uses 10,000. However, iOS's key management has proven to be a more serious weakpoint.
Alternatives to PBKDF2
One weakness of PBKDF2 is its use of fast processing algorithms while better ones are slower (require greater processing/memory/effort to convert a passphrase into a longer key) and thus make brute force efforts less feasible. Modern alternatives include Bcrypt and scrypt.
- ^ http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnsecure/html/windataprotection-dpapi.asp
- ^ http://www.winzip.com/aes_tips.htm
- ^ http://www.winzip.com/gladman.cgi
- ^ http://help.agilebits.com/1Password/agile_keychain_design.html
- ^ http://blog.lastpass.com/2011/05/lastpass-security-notification.html
- ^ http://crypto.nsa.org/vilefault/23C3-VileFault.pdf
- ^ http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3741
- ^ http://www.infoworld.com/t/mobile-device-management/you-can-no-longer-rely-encryption-protect-blackberry-436
- ^ http://www.mobileorchard.com/tutorial-iphone-sqlite-encryption-with-sqlcipher/
- RSA PKCS #5 – RSA Laboratories PKCS #5 v2.0 - Multiple Formats, and test vectors.
- RFC 2898 – Specification of PKCS #5 v2.0.
- RFC 6070 – Test vectors for PBKDF2 with HMAC-SHA1.
Wikimedia Foundation. 2010.