Key derivation function: Difference between revisions

In [[cryptography]], a '''key derivation function''' ('''KDF''') is a cryptographic algorithm that derives one or more [[key (cryptography)|secret key]]s from a secret value such as a master key, a [[password]], or a [[passphrase]] using a [[pseudorandom function]] (which typically uses a [[cryptographic hash function]] or [[block cipher]]).<ref>{{cite book|author=Bezzi, Michele|chapter=Data privacy |editor=Camenisch, Jan|title=Privacy and Identity Management for Life|publisher=Springer|year=2011|isbn=9783642203176|pages=185–186|chapter-url=https://books.google.com/books?id=vYxzh3C6OPUC&pg=PA185|display-authors=etal|display-editors=etal}}</ref><ref>{{cite web|author=Kaliski, Burt|author2=RSA Laboratories |title=RFC 2898 – PKCS #5: Password-Based Cryptography Specification, Version 2.0|work=IETF|url=https://www.ietf.org/rfc/rfc2898.txt|author2-link=RSA Laboratories }}</ref><ref>{{cite web|author=Chen, Lily|title=NIST SP 800-108: Recommendation for Key Derivation Using Pseudorandom Functions|publisher = NIST|date = October 2009|url=https://csrc.nist.gov/publications/detail/sp/800-108/final }}</ref> KDFs can be used to stretch keys into longer keys or to obtain keys of a required format, such as converting a group element that is the result of a [[Diffie–Hellman key exchange]] into a symmetric key for use with [[Advanced Encryption Standard|AES]]. [[HMAC|Keyed cryptographic hash functions]] are popular examples of pseudorandom functions used for key derivation.<ref>{{cite book|author=Zdziarski, Jonathan|title=Hacking and Securing IOS Applications: Stealing Data, Hijacking Software, and How to Prevent It|publisher=O'Reilly Media|year=2012|isbn=9781449318741|pages=252–253|url=https://books.google.com/books?id=2D50GNA1ULsC&pg=PA252}}</ref>

 

The first{{citation needed|date=June 2015}} deliberately slow (key stretching) password-based key derivation function was called "[[crypt (C)|crypt]]" (or "crypt(3)" after its [[manual page (Unix)|man page]]), and was invented by [[Robert Morris (cryptographer)|Robert Morris]] in 1978. It would encrypt a constant (zero), using the first 8 characters of the user's password as the key, by performing 25 iterations of a modified [[Data Encryption Standard|DES]] encryption algorithm (in which a 12-bit number read from the real-time computer clock is used to perturb the calculations). The resulting 64-bit number is encoded as 11 printable characters and then stored in the [[Unix]] password file.<ref>{{cite web | url=http://cm.bell-labs.com/cm/cs/who/dmr/passwd.ps | archive-url=https://web.archive.org/web/20030322053727/http://cm.bell-labs.com/cm/cs/who/dmr/passwd.ps | url-status=dead | archive-date=2003-03-22 | title=Password Security: A Case History. | work=Bell Laboratories | author1=Morris, Robert | author2=Thompson, Ken | date=1978-04-03 | access-date=2011-05-09 }}</ref> While it was a great advance at the time, increases in processor speeds since the [[PDP-11]] era have made brute-force attacks against crypt feasible, and advances in storage have rendered the 12-bit salt inadequate. The crypt function's design also limits the user password to 8 characters, which limits the keyspace and makes strong [[passphrase]]s impossible.{{citation needed|date=July 2013}}