Key derivation function: Difference between revisions

In [[cryptography]], a '''key derivation function''' ('''KDF''') is a cryptographic algorithm that derives one or more [[key (cryptography)|secret key]]s from a secret value such as a master key, a [[password]], or a [[passphrase]] using a [[pseudorandom function]] (which typically uses a [[cryptographic hash function]] or [[block cipher]]).<ref>{{cite book|author=Bezzi, Michele|chapter=Data privacy |editor=Camenisch, Jan|title=Privacy and Identity Management for Life|publisher=Springer|year=2011|isbn=9783642203176|pages=185–186|chapter-url=https://books.google.com/books?id=vYxzh3C6OPUC&pg=PA185|display-authors=etal|display-editors=etal}}</ref><ref>{{citeRef web|author=Kaliski, Burt|author2=RSA Laboratories |title=RFC 2898 – PKCS #5: Password-Based Cryptography Specification, Version 2.0|work=IETF|url=https://www.ietf.org/rfc/rfc2898.txt|author2-link=RSA Laboratories 8018}}</ref><ref>{{cite web|author=Chen, Lily|title=NIST SP 800-108: Recommendation for Key Derivation Using Pseudorandom Functions|publisher = NIST|date = October 2009|url=https://csrc.nist.gov/publications/detail/sp/800-108/final }}</ref> KDFs can be used to stretch keys into longer keys or to obtain keys of a required format, such as converting a group element that is the result of a [[Diffie–Hellman key exchange]] into a symmetric key for use with [[Advanced Encryption Standard|AES]]. [[HMAC|Keyed cryptographic hash functions]] are popular examples of pseudorandom functions used for key derivation.<ref>{{cite book|author=Zdziarski, Jonathan|title=Hacking and Securing IOS Applications: Stealing Data, Hijacking Software, and How to Prevent It| publisher=O'Reilly Media|year=2012|isbn=9781449318741|pages=252–253|url=https://books.google.com/books?id=2D50GNA1ULsC&pg=PA252}}</ref>

The first{{citation needed|date=June 2015}} deliberately slow (key stretching) password-based key derivation function was called "[[crypt (C)|crypt]]" (or "crypt(3)" after its [[manual page (Unix)|man page]]), and was invented by [[Robert Morris (cryptographer)|Robert Morris]] in 1978. It would encrypt a constant (zero), using the first 8 characters of the user's password as the key, by performing 25 iterations of a modified [[Data Encryption Standard|DES]] encryption algorithm (in which a 12-bit number read from the real-time computer clock is used to perturb the calculations). The resulting 64-bit number is encoded as 11 printable characters and then stored in the [[Unix]] password file.<ref>{{cite web | url=http://cm.bell-labs.com/cm/cs/who/dmr/passwd.ps | archive-url=https://web.archive.org/web/20030322053727/http://cm.bell-labs.com/cm/cs/who/dmr/passwd.ps | url-status=dead | archive-date=2003-03-22 | title=Password Security: A Case History. | work=Bell Laboratories | author1=Morris, Robert | author2=Thompson, Ken | date=1978-04-03 | access-date=2011-05-09 }}</ref> While it was a great advance at the time, increases in processor speeds since the [[PDP-11]] era have made [[Brute-force attack|brute-force attacks]] against crypt [[Feasible computability|feasible]], and advances in storage have rendered the 12-bit [[Salt (cryptography)|salt]] inadequate. The crypt function's design also limits the user password to 8 characters, which limits the keyspace and makes strong [[passphrase]]s impossible.{{citation needed|date=July 2013}}

Although high throughput is a desirable property in general-purpose hash functions, the opposite is true in password security applications in which defending against brute-force cracking is a primary concern. The growing use of [[Massively parallel|massively-parallel]] hardware such as [[Graphics processing unit|GPUs]], [[Field-programmable gate array|FPGAs]], and even [[Application-specific integrated circuit|ASICs]] for brute-force cracking has made the selection of a suitable algorithms even more critical because the good algorithm should not only enforce a certain amount of computational cost not only on CPUs, but also resist the cost/performance advantages of modern massively-parallel platforms for such tasks. Various algorithms have been designed specifically for this purpose, including [[bcrypt]], [[scrypt]] and, more recently, [[Lyra2]] and [[Argon2]] (the latter being the winner of the [[Password Hashing Competition]]). The large-scale [[Ashley Madison data breach]] in which roughly 36 million passwords hashes were stolen by attackers illustrated the importance of algorithm selection in securing passwords. Although bcrypt was employed to protect the hashes (making large scale brute-force cracking expensive and time-consuming), a significant portion of the accounts in the compromised data also contained a password hash based on the fast, general-purpose, and [[MD5#Security|insecure]] [[MD5]] algorithm, which made it possible for over 11 million of the passwords to be cracked in a matter of weeks.<ref>{{cite web|url=https://arstechnica.com/security/2015/09/once-seen-as-bulletproof-11-million-ashley-madison-passwords-already-cracked/|title=Once seen as bulletproof, 11 million+ Ashley Madison passwords already cracked|work=[[Ars Technica]]|last=Goodin|first=Dan|date=10 September 2015|access-date=10 September 2015}}</ref>

Modern password-based key derivation functions, such as [[PBKDF2]] (specified in,{{Ref RFC 2898),|8018}} are based on a recognized cryptographic hash, such as [[SHA-2]], use more salt (at least 64 bits and chosen randomly) and a high iteration count. NIST recommends a minimum iteration count of 10,000.<ref name=sp800-63B>{{cite book | title = SP 800-63B-3 – Digital Identity Guidelines, Authentication and Lifecycle Management | publisher = NIST | date = June 2017 | doi=10.6028/NIST.SP.800-63b | author=Grassi Paul A.}}</ref>{{rp|5.1.1.2}}

<ref name=sp800-132>{{cite book |url=http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-132.pdf| title = SP 800-132 – Recommendation for Password-Based Key Derivation, Part 1: Storage Applications | publisher = NIST | date = December 2010 | doi=10.6028/NIST.SP.800-132 | author=Meltem Sönmez Turan, | author2=Elaine Barker, | author3=William Burr, and| author4=Lily Chen | s2cid = 56801929 }}</ref>{{rp|5.2}}

* To derive keys of different length from the ones provided. KDFs designed for this purpose include [[HKDF]] and SSKDF. These take an 'info' bit string as an additional optional 'info' parameter, which may be crucial to bind the derived key material to application- and context-specific information.<ref name="info">{{cite journal |last1=Krawczyk |first1=Hugo |last2=Eronen |first2=Pasi |date=May 2010 |title=The 'info' Input to HKDF |url=https://datatracker.ietf.org/doc/html/rfc5869#section-3.2 |website=datatracker.ietf.org|date=May 2010 |last1=Krawczyk |first1=Hugo |last2=Eronen |first2=Pasi }} RFC 5869 (2010)</ref>

In 2013 a [[Password Hashing Competition]] was announced to choose a new, standard algorithm for password hashing. On 20 July 2015 the competition ended and [[Argon2]] was announced as the final winner. Four other algorithms received special recognition: Catena, [[Lyra2]], Makwa and [[yescrypt]].<ref>[https://password-hashing.net/ "Password Hashing Competition"]</ref>

As of May 2023, the [[OWASP|Open Worldwide Application Security Project]] (OWASP) recommends the following KDFs for password hashing, listed in order of priority:<ref name="owasp">{{cite web|url=https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html | title=Password Storage Cheat Sheet | work=OWASP Cheat Sheet Series |publisher=[[OWASP]] |accessdate=2023-05-17}}</ref>

1.# [[Argon2|Argon2id]]