<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>PBKDF Algorithms — Botan</title>
<link rel="stylesheet" href="_static/agogo.css" type="text/css" />
<link rel="stylesheet" href="_static/pygments.css" type="text/css" />
<script type="text/javascript">
var DOCUMENTATION_OPTIONS = {
URL_ROOT: './',
VERSION: '1.10.17',
COLLAPSE_INDEX: false,
FILE_SUFFIX: '.html',
HAS_SOURCE: true
};
</script>
<script type="text/javascript" src="_static/jquery.js"></script>
<script type="text/javascript" src="_static/underscore.js"></script>
<script type="text/javascript" src="_static/doctools.js"></script>
<link rel="index" title="Index" href="genindex.html" />
<link rel="search" title="Search" href="search.html" />
<link rel="top" title="Botan" href="contents.html" />
<link rel="next" title="Password Hashing" href="passhash.html" />
<link rel="prev" title="Key Derivation Functions" href="kdf.html" />
</head>
<body role="document">
<div class="header-wrapper">
<div class="header">
<h1>Botan</h1>
</div>
</div>
<div class="content-wrapper">
<div class="content">
<div class="document">
<div class="documentwrapper">
<div class="bodywrapper">
<div class="body" role="main">
<div class="section" id="pbkdf-algorithms">
<span id="pbkdf"></span><h1>PBKDF Algorithms<a class="headerlink" href="#pbkdf-algorithms" title="Permalink to this headline">¶</a></h1>
<p>There are various procedures for turning a passphrase into a arbitrary
length key for use with a symmetric cipher. A general interface for
such algorithms is presented in <code class="docutils literal"><span class="pre">pbkdf.h</span></code>. The main function is
<code class="docutils literal"><span class="pre">derive_key</span></code>, which takes a passphrase, a salt, an iteration count,
and the desired length of the output key, and returns a key of that
length, deterministically produced from the passphrase and salt. If an
algorithm can’t produce a key of that size, it will throw an exception
(most notably, PKCS #5’s PBKDF1 can only produce strings between 1 and
$n$ bytes, where $n$ is the output size of the underlying hash
function).</p>
<p>The purpose of the iteration count is to make the algorithm take
longer to compute the final key (reducing the speed of brute-force
attacks of various kinds). Most standards recommend an iteration count
of at least 10000. Currently defined PBKDF algorithms are
“PBKDF1(digest)”, “PBKDF2(digest)”, and “OpenPGP-S2K(digest)”; you can
retrieve any of these using the <code class="docutils literal"><span class="pre">get_pbkdf</span></code>, found in
<code class="docutils literal"><span class="pre">lookup.h</span></code>. As of this writing, “PBKDF2(SHA-256)” with 10000
iterations and a 16 byte salt is recommend for new applications.</p>
<dl class="function">
<dt id="_CPPv2NK5PBKDF10derive_keyE6size_tRKNSt6stringEPK4byte6size_t6size_t">
<span id="PBKDF::derive_key__s.ssCR.byteCP.s.sC"></span><a class="reference internal" href="lowlevel.html#_CPPv211OctetString" title="OctetString">OctetString</a> <code class="descclassname">PBKDF::</code><code class="descname">derive_key</code><span class="sig-paren">(</span>size_t <em>output_len</em>, <em class="property">const</em> std::string &<em>passphrase</em>, <em class="property">const</em> byte *<em>salt</em>, size_t <em>salt_len</em>, size_t <em>iterations</em><span class="sig-paren">)</span> <em class="property">const</em><a class="headerlink" href="#_CPPv2NK5PBKDF10derive_keyE6size_tRKNSt6stringEPK4byte6size_t6size_t" title="Permalink to this definition">¶</a></dt>
<dd><p>Computes a key from <em>passphrase</em> and the <em>salt</em> (of length
<em>salt_len</em> bytes) using an algorithm-specific interpretation of
<em>iterations</em>, producing a key of length <em>output_len</em>.</p>
<p>Use an iteration count of at least 10000. The salt should be
randomly chosen by a good random number generator (see
<a class="reference internal" href="rng.html#random-number-generators"><span class="std std-ref">Random Number Generators</span></a> for how), or at the very least
unique to this usage of the passphrase.</p>
<p>If you call this function again with the same parameters, you will
get the same key.</p>
</dd></dl>
<div class="highlight-cpp"><div class="highlight"><pre><span></span><span class="n">PBKDF</span><span class="o">*</span> <span class="n">pbkdf</span> <span class="o">=</span> <span class="n">get_pbkdf</span><span class="p">(</span><span class="s">"PBKDF2(SHA-256)"</span><span class="p">);</span>
<span class="n">AutoSeeded_RNG</span> <span class="n">rng</span><span class="p">;</span>
<span class="n">SecureVector</span><span class="o"><</span><span class="n">byte</span><span class="o">></span> <span class="n">salt</span> <span class="o">=</span> <span class="n">rng</span><span class="p">.</span><span class="n">random_vec</span><span class="p">(</span><span class="mi">16</span><span class="p">);</span>
<span class="n">OctetString</span> <span class="n">aes256_key</span> <span class="o">=</span> <span class="n">pbkdf</span><span class="o">-></span><span class="n">derive_key</span><span class="p">(</span><span class="mi">32</span><span class="p">,</span> <span class="s">"password"</span><span class="p">,</span>
<span class="o">&</span><span class="n">salt</span><span class="p">[</span><span class="mi">0</span><span class="p">],</span> <span class="n">salt</span><span class="p">.</span><span class="n">size</span><span class="p">(),</span>
<span class="mi">10000</span><span class="p">);</span>
</pre></div>
</div>
<div class="section" id="openpgp-s2k">
<h2>OpenPGP S2K<a class="headerlink" href="#openpgp-s2k" title="Permalink to this headline">¶</a></h2>
<p>There are some oddities about OpenPGP’s S2K algorithms that are
documented here. For one thing, it uses the iteration count in a
strange manner; instead of specifying how many times to iterate the
hash, it tells how many <em>bytes</em> should be hashed in total
(including the salt). So the exact iteration count will depend on the
size of the salt (which is fixed at 8 bytes by the OpenPGP standard,
though the implementation will allow any salt size) and the size of
the passphrase.</p>
<p>To get what OpenPGP calls “Simple S2K”, set iterations to 0, and do
not specify a salt. To get “Salted S2K”, again leave the iteration
count at 0, but give an 8-byte salt. “Salted and Iterated S2K”
requires an 8-byte salt and some iteration count (this should be
significantly larger than the size of the longest passphrase that
might reasonably be used; somewhere from 1024 to 65536 would probably
be about right). Using both a reasonably sized salt and a large
iteration count is highly recommended to prevent password guessing
attempts.</p>
</div>
</div>
</div>
</div>
</div>
</div>
<div class="sidebar">
<h3>Table Of Contents</h3>
<ul class="current">
<li class="toctree-l1"><a class="reference internal" href="index.html">Welcome</a></li>
<li class="toctree-l1"><a class="reference internal" href="reading.html">Recommended Reading</a></li>
<li class="toctree-l1"><a class="reference internal" href="building.html">Building The Library</a></li>
<li class="toctree-l1"><a class="reference internal" href="firststep.html">Getting Started</a></li>
<li class="toctree-l1"><a class="reference internal" href="filters.html">Information Flow: Pipes and Filters</a></li>
<li class="toctree-l1"><a class="reference internal" href="pubkey.html">Public Key Cryptography</a></li>
<li class="toctree-l1"><a class="reference internal" href="x509.html">Certificate Handling</a></li>
<li class="toctree-l1"><a class="reference internal" href="ssl.html">SSL and TLS</a></li>
<li class="toctree-l1"><a class="reference internal" href="bigint.html">BigInt</a></li>
<li class="toctree-l1"><a class="reference internal" href="lowlevel.html">The Low-Level Interface</a></li>
<li class="toctree-l1"><a class="reference internal" href="secmem.html">Secure Memory Containers</a></li>
<li class="toctree-l1"><a class="reference internal" href="kdf.html">Key Derivation Functions</a></li>
<li class="toctree-l1 current"><a class="current reference internal" href="#">PBKDF Algorithms</a><ul>
<li class="toctree-l2"><a class="reference internal" href="#openpgp-s2k">OpenPGP S2K</a></li>
</ul>
</li>
<li class="toctree-l1"><a class="reference internal" href="passhash.html">Password Hashing</a></li>
<li class="toctree-l1"><a class="reference internal" href="rng.html">Random Number Generators</a></li>
<li class="toctree-l1"><a class="reference internal" href="fpe.html">Format Preserving Encryption</a></li>
<li class="toctree-l1"><a class="reference internal" href="python.html">Python Binding</a></li>
</ul>
<div role="search">
<h3 style="margin-top: 1.5em;">Search</h3>
<form class="search" action="search.html" method="get">
<input type="text" name="q" />
<input type="submit" value="Go" />
<input type="hidden" name="check_keywords" value="yes" />
<input type="hidden" name="area" value="default" />
</form>
</div>
</div>
<div class="clearer"></div>
</div>
</div>
<div class="footer-wrapper">
<div class="footer">
<div class="left">
<div role="navigation" aria-label="related navigaton">
<a href="kdf.html" title="Key Derivation Functions"
accesskey="P">previous</a> |
<a href="passhash.html" title="Password Hashing"
accesskey="N">next</a> |
<a href="genindex.html" title="General Index"
accesskey="I">index</a>
</div>
<div role="note" aria-label="source link">
<br/>
<a href="_sources/pbkdf.txt"
rel="nofollow">Show Source</a>
</div>
</div>
<div class="right">
<div class="footer" role="contentinfo">
© Copyright 2000-2011, Jack Lloyd.
Created using <a href="http://sphinx-doc.org/">Sphinx</a> 1.4.9.
</div>
</div>
<div class="clearer"></div>
</div>
</div>
</body>
</html>
