Practical Cryptography for Developers
master-zh
master-zh
  • Welcome
  • 前言
  • 密码学——概述
  • 哈希函数
    • 加密哈希和碰撞
    • 哈希函数:应用场景
    • 安全哈希算法
    • 哈希函数——示例
    • 练习:计算哈希值
    • 工作量证明(Proof-of-Work)哈希函数
  • MAC 和密钥派生
    • HMAC 与密钥派生
    • HMAC 计算——示例
    • 练习:计算 HMAC
    • KDF: Deriving Key from Password
    • PBKDF2
    • Modern Key Derivation Functions
    • Scrypt
    • Bcrypt
    • Linux crypt()
    • Argon2
    • Secure Password Storage
    • Exercises: Password Encryption
  • Secure Random Generators
    • Pseudo-Random Numbers - Examples
    • Secure Random Generators (CSPRNG)
    • Exercises: Pseudo-Random Generator
  • Key Exchange and DHKE
    • Diffie–Hellman Key Exchange
    • DHKE - Examples
    • Exercises: DHKE Key Exchange
  • Encryption: Symmetric and Asymmetric
  • Symmetric Key Ciphers
    • Cipher Block Modes
    • Popular Symmetric Algorithms
    • The AES Cipher - Concepts
    • AES Encrypt / Decrypt - Examples
    • Ethereum Wallet Encryption
    • Exercises: AES Encrypt / Decrypt
    • ChaCha20-Poly1305
    • Exercises: ChaCha20-Poly1305
  • Asymmetric Key Ciphers
    • The RSA Cryptosystem - Concepts
    • RSA Encrypt / Decrypt - Examples
    • Exercises: RSA Encrypt / Decrypt
    • Elliptic Curve Cryptography (ECC)
    • ECDH Key Exchange
    • ECDH Key Exchange - Examples
    • Exercises: ECDH Key Exchange
    • ECC Encryption / Decryption
    • ECIES Hybrid Encryption Scheme
    • ECIES Encryption - Example
    • Exercises: ECIES Encrypt / Decrypt
  • Digital Signatures
    • RSA Signatures
    • RSA: Sign / Verify - Examples
    • Exercises: RSA Sign and Verify
    • ECDSA: Elliptic Curve Signatures
    • ECDSA: Sign / Verify - Examples
    • Exercises: ECDSA Sign and Verify
    • EdDSA and Ed25519
    • EdDSA: Sign / Verify - Examples
    • Exercises: EdDSA Sign and Verify
  • Quantum-Safe Cryptography
    • Quantum-Safe Signatures - Example
    • Quantum-Safe Key Exchange - Example
    • Quantum-Safe Asymmetric Encryption - Example
  • More Cryptographic Concepts
    • Digital Certificates - Example
    • TLS - Example
    • One-Time Passwords (OTP) - Example
  • Crypto Libraries for Developers
    • JavaScript Crypto Libraries
    • Python Crypto Libraries
    • C# Crypto Libraries
    • Java Crypto Libraries
  • Conclusion
Powered by GitBook
On this page
  • Key Derivation Functions - Concepts
  • Cryptographic Key Derivation Functions

Was this helpful?

  1. MAC 和密钥派生

KDF: Deriving Key from Password

Previous练习:计算 HMACNextPBKDF2

Last updated 5 years ago

Was this helpful?

Now let's explain in details how to securely derive a key from a password and the most popular key derivation functions (KDFs) used in practice: , , and .

[TODO: explain the Linux crypt: SHA-512 key derivation]

We shall discuss the strong and weak sides of the above mentioned KDFs and when to use them.

Key Derivation Functions - Concepts

In cryptography we often use passwords instead of binary keys, because passwords are easier to remember, to write down and can be shorter.

When a certain algorithm needs a key (e.g. for encryption or for digital signing) a key derivation function (password -> key) is needed.

We already noted that using SHA-256(password) as key-derivation is insecure! It is vulnerable to many attacks: brute-forcing, dictionary attacks, rainbow attacks and others, which may reverse the hash in practice and attacker can obtain the password.

Cryptographic Key Derivation Functions

, , and are significantly stronger key derivation functions and are designed to survive password guessing (brute force) attacks.

By design secure key derivation functions use salt (random number, which is different for each key derivation) + many iterations (to speed-down eventual password guessing process). This is a process, known as .

To calculate a secure KDF it takes some CPU time to derive the key (e.g. 0.2 sec) + some memory (RAM). Thus deriving the key is "computationally expensive", so password cracking will also be computationally expensive.

When a modern KDF function is used with appropriate config parameters, cracking passwords will be slow (e.g. 5-10 attempts per second, instead of thousands or millions attempts per second).

All of the above mentioned key-derivation algorithms (, , and ) are not patented and royalty-free for public use.

Let's learn more about these modern KDF.

PBKDF2
Bcrypt
Scrypt
Argon2
PBKDF2
Bcrypt
Scrypt
Argon2
key stretching
PBKDF2
Bcrypt
Scrypt
Argon2