<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <title>PBKDF Algorithms — Botan</title> <link rel="stylesheet" href="_static/agogo.css" type="text/css" /> <link rel="stylesheet" href="_static/pygments.css" type="text/css" /> <script type="text/javascript"> var DOCUMENTATION_OPTIONS = { URL_ROOT: './', VERSION: '1.10.17', COLLAPSE_INDEX: false, FILE_SUFFIX: '.html', HAS_SOURCE: true }; </script> <script type="text/javascript" src="_static/jquery.js"></script> <script type="text/javascript" src="_static/underscore.js"></script> <script type="text/javascript" src="_static/doctools.js"></script> <link rel="index" title="Index" href="genindex.html" /> <link rel="search" title="Search" href="search.html" /> <link rel="top" title="Botan" href="contents.html" /> <link rel="next" title="Password Hashing" href="passhash.html" /> <link rel="prev" title="Key Derivation Functions" href="kdf.html" /> </head> <body role="document"> <div class="header-wrapper"> <div class="header"> <h1>Botan</h1> </div> </div> <div class="content-wrapper"> <div class="content"> <div class="document"> <div class="documentwrapper"> <div class="bodywrapper"> <div class="body" role="main"> <div class="section" id="pbkdf-algorithms"> <span id="pbkdf"></span><h1>PBKDF Algorithms<a class="headerlink" href="#pbkdf-algorithms" title="Permalink to this headline">¶</a></h1> <p>There are various procedures for turning a passphrase into a arbitrary length key for use with a symmetric cipher. A general interface for such algorithms is presented in <code class="docutils literal"><span class="pre">pbkdf.h</span></code>. The main function is <code class="docutils literal"><span class="pre">derive_key</span></code>, which takes a passphrase, a salt, an iteration count, and the desired length of the output key, and returns a key of that length, deterministically produced from the passphrase and salt. If an algorithm can’t produce a key of that size, it will throw an exception (most notably, PKCS #5’s PBKDF1 can only produce strings between 1 and $n$ bytes, where $n$ is the output size of the underlying hash function).</p> <p>The purpose of the iteration count is to make the algorithm take longer to compute the final key (reducing the speed of brute-force attacks of various kinds). Most standards recommend an iteration count of at least 10000. Currently defined PBKDF algorithms are “PBKDF1(digest)”, “PBKDF2(digest)”, and “OpenPGP-S2K(digest)”; you can retrieve any of these using the <code class="docutils literal"><span class="pre">get_pbkdf</span></code>, found in <code class="docutils literal"><span class="pre">lookup.h</span></code>. As of this writing, “PBKDF2(SHA-256)” with 10000 iterations and a 16 byte salt is recommend for new applications.</p> <dl class="function"> <dt id="_CPPv2NK5PBKDF10derive_keyE6size_tRKNSt6stringEPK4byte6size_t6size_t"> <span id="PBKDF::derive_key__s.ssCR.byteCP.s.sC"></span><a class="reference internal" href="lowlevel.html#_CPPv211OctetString" title="OctetString">OctetString</a> <code class="descclassname">PBKDF::</code><code class="descname">derive_key</code><span class="sig-paren">(</span>size_t <em>output_len</em>, <em class="property">const</em> std::string &<em>passphrase</em>, <em class="property">const</em> byte *<em>salt</em>, size_t <em>salt_len</em>, size_t <em>iterations</em><span class="sig-paren">)</span> <em class="property">const</em><a class="headerlink" href="#_CPPv2NK5PBKDF10derive_keyE6size_tRKNSt6stringEPK4byte6size_t6size_t" title="Permalink to this definition">¶</a></dt> <dd><p>Computes a key from <em>passphrase</em> and the <em>salt</em> (of length <em>salt_len</em> bytes) using an algorithm-specific interpretation of <em>iterations</em>, producing a key of length <em>output_len</em>.</p> <p>Use an iteration count of at least 10000. The salt should be randomly chosen by a good random number generator (see <a class="reference internal" href="rng.html#random-number-generators"><span class="std std-ref">Random Number Generators</span></a> for how), or at the very least unique to this usage of the passphrase.</p> <p>If you call this function again with the same parameters, you will get the same key.</p> </dd></dl> <div class="highlight-cpp"><div class="highlight"><pre><span></span><span class="n">PBKDF</span><span class="o">*</span> <span class="n">pbkdf</span> <span class="o">=</span> <span class="n">get_pbkdf</span><span class="p">(</span><span class="s">"PBKDF2(SHA-256)"</span><span class="p">);</span> <span class="n">AutoSeeded_RNG</span> <span class="n">rng</span><span class="p">;</span> <span class="n">SecureVector</span><span class="o"><</span><span class="n">byte</span><span class="o">></span> <span class="n">salt</span> <span class="o">=</span> <span class="n">rng</span><span class="p">.</span><span class="n">random_vec</span><span class="p">(</span><span class="mi">16</span><span class="p">);</span> <span class="n">OctetString</span> <span class="n">aes256_key</span> <span class="o">=</span> <span class="n">pbkdf</span><span class="o">-></span><span class="n">derive_key</span><span class="p">(</span><span class="mi">32</span><span class="p">,</span> <span class="s">"password"</span><span class="p">,</span> <span class="o">&</span><span class="n">salt</span><span class="p">[</span><span class="mi">0</span><span class="p">],</span> <span class="n">salt</span><span class="p">.</span><span class="n">size</span><span class="p">(),</span> <span class="mi">10000</span><span class="p">);</span> </pre></div> </div> <div class="section" id="openpgp-s2k"> <h2>OpenPGP S2K<a class="headerlink" href="#openpgp-s2k" title="Permalink to this headline">¶</a></h2> <p>There are some oddities about OpenPGP’s S2K algorithms that are documented here. For one thing, it uses the iteration count in a strange manner; instead of specifying how many times to iterate the hash, it tells how many <em>bytes</em> should be hashed in total (including the salt). So the exact iteration count will depend on the size of the salt (which is fixed at 8 bytes by the OpenPGP standard, though the implementation will allow any salt size) and the size of the passphrase.</p> <p>To get what OpenPGP calls “Simple S2K”, set iterations to 0, and do not specify a salt. To get “Salted S2K”, again leave the iteration count at 0, but give an 8-byte salt. “Salted and Iterated S2K” requires an 8-byte salt and some iteration count (this should be significantly larger than the size of the longest passphrase that might reasonably be used; somewhere from 1024 to 65536 would probably be about right). Using both a reasonably sized salt and a large iteration count is highly recommended to prevent password guessing attempts.</p> </div> </div> </div> </div> </div> </div> <div class="sidebar"> <h3>Table Of Contents</h3> <ul class="current"> <li class="toctree-l1"><a class="reference internal" href="index.html">Welcome</a></li> <li class="toctree-l1"><a class="reference internal" href="reading.html">Recommended Reading</a></li> <li class="toctree-l1"><a class="reference internal" href="building.html">Building The Library</a></li> <li class="toctree-l1"><a class="reference internal" href="firststep.html">Getting Started</a></li> <li class="toctree-l1"><a class="reference internal" href="filters.html">Information Flow: Pipes and Filters</a></li> <li class="toctree-l1"><a class="reference internal" href="pubkey.html">Public Key Cryptography</a></li> <li class="toctree-l1"><a class="reference internal" href="x509.html">Certificate Handling</a></li> <li class="toctree-l1"><a class="reference internal" href="ssl.html">SSL and TLS</a></li> <li class="toctree-l1"><a class="reference internal" href="bigint.html">BigInt</a></li> <li class="toctree-l1"><a class="reference internal" href="lowlevel.html">The Low-Level Interface</a></li> <li class="toctree-l1"><a class="reference internal" href="secmem.html">Secure Memory Containers</a></li> <li class="toctree-l1"><a class="reference internal" href="kdf.html">Key Derivation Functions</a></li> <li class="toctree-l1 current"><a class="current reference internal" href="#">PBKDF Algorithms</a><ul> <li class="toctree-l2"><a class="reference internal" href="#openpgp-s2k">OpenPGP S2K</a></li> </ul> </li> <li class="toctree-l1"><a class="reference internal" href="passhash.html">Password Hashing</a></li> <li class="toctree-l1"><a class="reference internal" href="rng.html">Random Number Generators</a></li> <li class="toctree-l1"><a class="reference internal" href="fpe.html">Format Preserving Encryption</a></li> <li class="toctree-l1"><a class="reference internal" href="python.html">Python Binding</a></li> </ul> <div role="search"> <h3 style="margin-top: 1.5em;">Search</h3> <form class="search" action="search.html" method="get"> <input type="text" name="q" /> <input type="submit" value="Go" /> <input type="hidden" name="check_keywords" value="yes" /> <input type="hidden" name="area" value="default" /> </form> </div> </div> <div class="clearer"></div> </div> </div> <div class="footer-wrapper"> <div class="footer"> <div class="left"> <div role="navigation" aria-label="related navigaton"> <a href="kdf.html" title="Key Derivation Functions" accesskey="P">previous</a> | <a href="passhash.html" title="Password Hashing" accesskey="N">next</a> | <a href="genindex.html" title="General Index" accesskey="I">index</a> </div> <div role="note" aria-label="source link"> <br/> <a href="_sources/pbkdf.txt" rel="nofollow">Show Source</a> </div> </div> <div class="right"> <div class="footer" role="contentinfo"> © Copyright 2000-2011, Jack Lloyd. Created using <a href="http://sphinx-doc.org/">Sphinx</a> 1.4.9. </div> </div> <div class="clearer"></div> </div> </div> </body> </html>