Key Derivation Function

scholarly edited this page Sep 3, 2013 · 3 revisions

A key derivation function (KDF) is a deterministic algorithm to derive a key of a given size from some secret value. If two parties use the same shared secret value and the same KDF, they should always derive exactly the same key.

http://www.di-mgt.com.au/cryptoKDFs.html

https://en.wikipedia.org/wiki/Key_derivation_function

If we want the KDF to be resistant to an exhaustive search attack, we should make it computationally expensive. bcrypt and scrypt are better choices in this context than the standard PBKDF2 because they can dramatically slow down the attacker. Scrypt was designed to require a large amount of memory as well as CPU time, making a dedicated hardware cracker impractical and forcing the attacker to use ordinary computers.

[Provos, N. and D. Mazières (1999). A future-adaptable password scheme.](http://cseweb.ucsd.edu/~mihir/papers/oem.html), particularly section 3, should be required reading for anyone implementing or selecting a password scheme.

The KDF implementation in py-bcrypt is not subject to the 192-bit output limitation of the original bcrypt. The mixing at the end (lines 145-152) mitigates the attack on 1Password's use of PBKDF2 (see "3. Don’t ask more of PBKDF2 than it is ready to give"). Running the output once through SHA512 would also have prevented this optimization.
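The following is an added example, not code from py-bcrypt or from the articles referenced above. It shows why requesting more than one hash length from PBKDF2 is weak (each output block can be computed on its own) and one reading of the SHA512 pass mentioned above, where the whole output is hashed once. The password, salt, iteration count and function names are constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample inputs, not taken from the page.
PASSWORD = b"correct horse battery staple"
SALT = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
ITERATIONS = 2_000  # deliberately low so the demo runs fast
HLEN = hashlib.sha1().digest_size  # 20 bytes per PBKDF2-HMAC-SHA1 block


def pbkdf2_block(password, salt, iterations, index):
    """Compute the single PBKDF2-HMAC-SHA1 block T_index (RFC 8018, 5.2)."""
    u = hmac.new(password, salt + index.to_bytes(4, "big"), "sha1").digest()
    t = int.from_bytes(u, "big")
    for _ in range(iterations - 1):
        u = hmac.new(password, u, "sha1").digest()
        t ^= int.from_bytes(u, "big")
    return t.to_bytes(HLEN, "big")


def derive_naive(password, salt, iterations, length):
    """Weak pattern: request more than HLEN bytes straight from PBKDF2."""
    return hashlib.pbkdf2_hmac("sha1", password, salt, iterations, length)


def derive_mixed(password, salt, iterations, length):
    """Hash the whole PBKDF2 output once so every byte depends on every block."""
    if length > hashlib.sha512().digest_size:
        raise ValueError("a single SHA-512 pass yields at most 64 bytes")
    raw = hashlib.pbkdf2_hmac("sha1", password, salt, iterations, length)
    return hashlib.sha512(raw).digest()[:length]


def blocks_are_independent(length=40):
    """True if the long output is just T_1 || T_2, each computable alone."""
    out = derive_naive(PASSWORD, SALT, ITERATIONS, length)
    t1 = pbkdf2_block(PASSWORD, SALT, ITERATIONS, 1)
    t2 = pbkdf2_block(PASSWORD, SALT, ITERATIONS, 2)
    return out == (t1 + t2)[:length]


if __name__ == "__main__":
    print("naive output is T_1 || T_2:", blocks_are_independent())
    mixed = derive_mixed(PASSWORD, SALT, ITERATIONS, 40)
    print("mixed output:", mixed.hex())
```

With the naive form the defender pays for two blocks while the first 20 bytes cost only one; after the mixing pass, no prefix of the output is available without computing every block.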

The articles listed by a search for pbkdf2 on AgileBits' blog make excellent bedtime reading material. ;-)