Key derivation function: Difference between revisions

[[File:KDF chain.png|300px|thumb|right|Example of a Key Derivation Function chain as used in the [[Signal Protocol]]. The output of one KDF function is the input to the next KDF function in the chain.]]
In [[cryptography]], a '''key derivation function''' ('''KDF''') is a cryptographic algorithm that derives one or more [[key (cryptography)|secret key]]s from a secret value such as a master key, a [[password]], or a [[passphrase]] using a [[pseudorandom function]] (which typically uses a [[cryptographic hash function]] or [[block cipher]]).<ref>{{cite book|author=Bezzi, Michele|chapter=Data privacy |editor=Camenisch, Jan|title=Privacy and Identity Management for Life|publisher=Springer|year=2011|isbn=9783642203176|pages=185–186|chapter-url=https://books.google.com/books?id=vYxzh3C6OPUC&pg=PA185|display-authors=etal|display-editors=etal}}</ref>{{Ref RFC|8018}}<ref>{{cite web|author=Chen, Lily|title=NIST SP 800-108: Recommendation for Key Derivation Using Pseudorandom Functions|publisher = NIST|date = October 2009|url=https://csrc.nist.gov/publications/detail/sp/800-108/final }}</ref> KDFs can be used to stretch keys into longer keys or to obtain keys of a required format, such as converting a group element that is the result of a [[Diffie–Hellman key exchange]] into a symmetric key for use with [[Advanced Encryption Standard|AES]]. [[HMAC|Keyed cryptographic hash functions]] are popular examples of pseudorandom functions used for key derivation.<ref>{{cite book|author=Zdziarski, Jonathan|title=Hacking and Securing IOS Applications: Stealing Data, Hijacking Software, and How to Prevent It| publisher=O'Reilly Media|year=2012|isbn=9781449318741|pages=252–253|url=https://books.google.com/books?id=2D50GNA1ULsC&pg=PA252}}</ref>
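The following is an added worked example, not part of the article, showing the two uses described above in Python's standard library: an HMAC-based extract-and-expand KDF in the shape of HKDF (RFC 5869), used to turn a shared secret such as a Diffie–Hellman group element into a fixed-length AES key and to stretch it to an arbitrary length, and a symmetric KDF chain in the style of the figure, where each step's output becomes the next step's input. The chain's labels (0x01, 0x02), the sample shared secret and the key-derivation strings are assumptions chosen for the example and are not taken from any specific protocol.

```python
import hashlib
import hmac
from typing import List, Tuple

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size  # 32 bytes for SHA-256


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869, section 2.2): PRK = HMAC-Hash(salt, IKM).
    An empty salt is replaced by HashLen zero bytes, as the RFC specifies."""
    if not salt:
        salt = b"\x00" * HASH_LEN
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869, section 2.3): stretch PRK to `length` bytes.
    T(i) = HMAC(PRK, T(i-1) || info || i), so the output blocks are themselves
    a chain in which each block feeds the next."""
    if length > 255 * HASH_LEN:
        raise ValueError("HKDF-Expand output too long for this hash")
    okm = b""
    block = b""
    counter = 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def hkdf(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    """Full extract-then-expand: input keying material -> `length` output bytes."""
    return hkdf_expand(hkdf_extract(salt, ikm), info, length)


def aes_key_from_shared_secret(shared_secret: bytes, context: bytes) -> bytes:
    """Convert a raw agreed secret (e.g. an encoded DH group element) into a
    uniformly distributed 256-bit AES key; `context` binds the key to its use."""
    return hkdf(shared_secret, salt=b"", info=context, length=32)


def kdf_chain_step(chain_key: bytes) -> Tuple[bytes, bytes]:
    """One step of a symmetric KDF chain: the current chain key is the PRF key,
    and two domain-separated evaluations yield the next chain key and a message
    key. The labels 0x01/0x02 are this example's assumption."""
    next_chain_key = hmac.new(chain_key, b"\x01", HASH).digest()
    message_key = hmac.new(chain_key, b"\x02", HASH).digest()
    return next_chain_key, message_key


def kdf_chain(root_key: bytes, steps: int) -> List[bytes]:
    """Run the chain `steps` times and return the message keys in order.
    The chain key is overwritten at every step, so an old message key cannot be
    recomputed from the current chain key (forward secrecy along the chain)."""
    message_keys = []
    chain_key = root_key
    for _ in range(steps):
        chain_key, message_key = kdf_chain_step(chain_key)
        message_keys.append(message_key)
    return message_keys


if __name__ == "__main__":
    # Constructed sample secret standing in for a DH group element (not real key material).
    sample_secret = bytes(range(1, 33))
    print("AES key:", aes_key_from_shared_secret(sample_secret, b"example aes-256 key").hex())
    for i, mk in enumerate(kdf_chain(sample_secret, 3), start=1):
        print(f"message key {i}:", mk.hex())
```

Different `info`/context strings yield unrelated keys from the same input keying material, which is how one agreed secret can safely feed both an encryption key and a MAC key; the test exercises the RFC 5869 SHA-256 test vector to check the construction.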
 
==History==
The first{{citation needed|date=June 2015}} deliberately slow (key stretching) password-based key derivation function was called "[[crypt (C)|crypt]]" (or "crypt(3)" after its [[manual page (Unix)|man page]]), and was invented by [[Robert Morris (cryptographer)|Robert Morris]] in 1978. It would encrypt a constant (zero), using the first 8 characters of the user's password as the key, by performing 25 iterations of a modified [[Data Encryption Standard|DES]] encryption algorithm (in which a 12-bit number read from the real-time computer clock is used to perturb the calculations). The resulting 64-bit number is encoded as 11 printable characters and then stored in the [[Unix]] password file.<ref>{{cite web | url=http://cm.bell-labs.com/cm/cs/who/dmr/passwd.ps | archive-url=https://web.archive.org/web/20030322053727/http://cm.bell-labs.com/cm/cs/who/dmr/passwd.ps | url-status=dead | archive-date=2003-03-22 | title=Password Security: A Case History. | work=Bell Laboratories | author1=Morris, Robert | author2=Thompson, Ken | date=1978-04-03 | access-date=2011-05-09 }}</ref> While it was a great advance at the time, increases in processor speeds since the [[PDP-11]] era have made [[Brute-force attack|brute-force attacks]] against crypt [[Feasible computability|feasible]], and advances in storage have rendered the 12-bit [[Salt (cryptography)|salt]] inadequate. The crypt function's design also limits the user password to 8 characters, which limits the keyspace and makes strong [[passphrase]]s impossible.{{citation needed|date=July 2013}}
 
Although high throughput is a desirable property in general-purpose hash functions, the opposite is true in password security applications in which defending against brute-force cracking is a primary concern. The growing use of [[Massively parallel|massively-parallel]] hardware such as [[Graphics processing unit|GPUs]], [[Field-programmable gate array|FPGAs]], and even [[Application-specific integrated circuit|ASICs]] for brute-force cracking has made the selection of a suitable algorithm even more critical, because a good algorithm must not only enforce a certain amount of computational cost on CPUs but also resist the cost/performance advantages of modern massively-parallel platforms for such tasks. Various algorithms have been designed specifically for this purpose, including [[bcrypt]], [[scrypt]] and, more recently, [[Lyra2]] and [[Argon2]] (the latter being the winner of the [[Password Hashing Competition]]). The large-scale [[Ashley Madison data breach]], in which roughly 36 million password hashes were stolen by attackers, illustrated the importance of algorithm selection in securing passwords. Although bcrypt was employed to protect the hashes (making large-scale brute-force cracking expensive and time-consuming), a significant portion of the accounts in the compromised data also contained a password hash based on the fast, general-purpose, and [[MD5#Security|insecure]] [[MD5]] algorithm, which made it possible for over 11 million of the passwords to be cracked in a matter of weeks.<ref>{{cite web|url=https://arstechnica.com/security/2015/09/once-seen-as-bulletproof-11-million-ashley-madison-passwords-already-cracked/|title=Once seen as bulletproof, 11 million+ Ashley Madison passwords already cracked|work=[[Ars Technica]]|last=Goodin|first=Dan|date=10 September 2015|access-date=10 September 2015}}</ref>
 
In June 2017, the U.S. National Institute of Standards and Technology (NIST) issued a new revision of their digital authentication guidelines, NIST SP 800-63B-3,<ref name=sp800-63B />{{rp|5.1.1.2}} stating that: "Verifiers SHALL store memorized secrets [i.e. passwords] in a form that is resistant to offline attacks. Memorized secrets SHALL be salted and hashed using a suitable one-way key derivation function. Key derivation functions take a password, a salt, and a cost factor as inputs then generate a password hash. Their purpose is to make each password guessing trial by an attacker who has obtained a password hash file expensive and therefore the cost of a guessing attack high or prohibitive."
# [[scrypt]] if Argon2id is unavailable
# [[bcrypt]] for legacy systems
# [[PBKDF2]] if [[FIPS-140]] compliance is required
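As an added example (not part of the article) of the password-hashing pattern NIST describes and of why the Ashley Madison breach turned out as it did, the following Python code derives a stored verifier from a password, a random salt and a cost factor, verifies a login in constant time, flags stored records that use a legacy algorithm or too low a cost so they can be re-derived at the user's next login, and measures how many times more expensive one guess against the KDF is than one guess against a fast general-purpose hash on the local CPU. It uses PBKDF2-HMAC-SHA256 from the standard library, the last of the options listed above, because it is available everywhere; the memory-hard choices listed first (Argon2id, scrypt, bcrypt) additionally resist GPU and ASIC cracking, which this illustration does not show. The record format and the default iteration count are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
import time
from typing import Optional, Tuple

ALGORITHM = "pbkdf2_sha256"
DEFAULT_ITERATIONS = 600_000   # cost factor; raise it as hardware gets faster (assumed default)
SALT_BYTES = 16
DKLEN = 32


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Derive a stored verifier from (password, random salt, cost factor).
    Record format is this example's own: algorithm$iterations$salt_hex$hash_hex.
    Storing salt and cost alongside the hash lets each record carry its own parameters."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=DKLEN)
    return f"{ALGORITHM}${iterations}${salt.hex()}${dk.hex()}"


def parse_record(record: str) -> Tuple[str, int, bytes, bytes]:
    """Split a stored record into (algorithm, iterations, salt, hash)."""
    algorithm, iterations, salt_hex, hash_hex = record.split("$")
    return algorithm, int(iterations), bytes.fromhex(salt_hex), bytes.fromhex(hash_hex)


def verify_password(password: str, record: str) -> bool:
    """Recompute the KDF with the stored salt and cost and compare in constant time.
    Records in any other algorithm are refused rather than verified with a weak hash."""
    algorithm, iterations, salt, expected = parse_record(record)
    if algorithm != ALGORITHM:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                    iterations, dklen=len(expected))
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str, minimum_iterations: int = DEFAULT_ITERATIONS) -> bool:
    """True when a record uses another algorithm (e.g. a legacy fast hash kept
    alongside the slow one, as in the breach described above) or too low a cost,
    so it should be re-derived on the user's next successful login."""
    algorithm, iterations, _, _ = parse_record(record)
    return algorithm != ALGORITHM or iterations < minimum_iterations


def cost_ratio(iterations: int = DEFAULT_ITERATIONS) -> float:
    """Rough wall-clock ratio of one PBKDF2 guess to one unsalted MD5 guess on this
    CPU: the factor by which the cost factor slows an offline guessing attack."""
    pw, salt = b"correct horse battery staple", b"\x00" * SALT_BYTES
    t0 = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", pw, salt, iterations, dklen=DKLEN)
    slow = time.perf_counter() - t0
    t0 = time.perf_counter()
    for _ in range(1000):
        hashlib.md5(salt + pw).digest()
    fast = (time.perf_counter() - t0) / 1000
    return slow / fast


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print("stored:", record)
    print("login ok:", verify_password("correct horse battery staple", record))
    print("wrong password ok:", verify_password("Tr0ub4dor&3", record))
    # Constructed legacy record (placeholder hash value) illustrating a fast-hash leftover.
    legacy = "md5$1$$" + "00" * 16
    print("legacy needs rehash:", needs_rehash(legacy))
    print(f"one PBKDF2 guess costs about {cost_ratio():,.0f} MD5 guesses")
```

Because the cost factor is stored per record, it can be raised over time without re-deriving every verifier at once: verify with the old parameters, and when `needs_rehash` is true, derive and store a new record from the password that was just successfully presented.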
 
== References ==