Key derivation function: Difference between revisions

Made password-based KDF a subsection. Added weak-key avoidance use. Other tweaks.
Peyna (talk | contribs)
avoiding redirect
Line 17:
The difficulty of a [[brute force attack]] increases with the number of iterations. A practical limit on the iteration count is the unwillingness of users to tolerate a perceptible delay in logging in to a computer or seeing a decrypted message. The use of [[salt (cryptography)|salt]] prevents attackers from precomputing a dictionary of derived keys.
 
The first deliberately slow password-based key derivation function was called "CRYPT(3)" and was invented by [[Robert Morris (cryptographer)|Robert Morris]] during the [[1980s]] for encrypting [[Unix]] passwords. It used an iteration count of 25, a 12-bit salt and a variant of [[Data Encryption Standard|DES]] as the sub-function. (DES proper was avoided in an attempt to frustrate attacks using standard DES hardware.) It also limited passwords to a maximum of eight [[ASCII]] characters. While it seemed a great advance at the time, CRYPT(3) is now considered inadequate: the iteration count, designed for the [[PDP-11]] era, is too low; 12 bits of salt inconvenience but do not stop precomputed dictionary attacks; and the eight-character limit prevents the use of stronger [[passphrase]]s.
 
Modern password-based key derivation functions, such as [[PBKDF2]] (specified in RFC 2898), use a cryptographic hash, such as [[MD5]] or [[SHA1]], more salt (e.g. 64 bits) and a high iteration count (often 1000 or more). There have been proposals to use algorithms that require large amounts of computer memory and other computing resources to make [[custom hardware attack]]s more difficult to mount.
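
The construction described above can be written out directly. The following Python sketch is an added example, not part of the article or of RFC 2898: it implements PBKDF2 with HMAC-SHA1 using the figures mentioned in the text (64-bit salt, 1000 iterations). The names `pbkdf2_sha1`, `new_record` and `verify` are hypothetical helpers.

```python
import hashlib
import hmac
import os
import struct


def pbkdf2_sha1(password: bytes, salt: bytes, iterations: int, dklen: int) -> bytes:
    """PBKDF2 as specified in RFC 2898, with HMAC-SHA1 as the pseudorandom function."""
    if iterations < 1 or dklen < 1:
        raise ValueError("iterations and dklen must be positive")
    hlen = hashlib.sha1().digest_size
    blocks = []
    for index in range(1, -(-dklen // hlen) + 1):  # ceil(dklen / hlen) blocks
        # U_1 = PRF(password, salt || INT_32_BE(index)): the salt enters here,
        # so a dictionary precomputed for one salt is useless for another.
        u = hmac.new(password, salt + struct.pack(">I", index), hashlib.sha1).digest()
        t = int.from_bytes(u, "big")
        # U_j = PRF(password, U_{j-1}); each guess costs `iterations` HMAC calls.
        for _ in range(iterations - 1):
            u = hmac.new(password, u, hashlib.sha1).digest()
            t ^= int.from_bytes(u, "big")
        blocks.append(t.to_bytes(hlen, "big"))
    return b"".join(blocks)[:dklen]


def new_record(password: str, iterations: int = 1000) -> dict:
    """Derive a key under a fresh random 64-bit salt (values taken from the text)."""
    salt = os.urandom(8)
    key = pbkdf2_sha1(password.encode(), salt, iterations, 20)
    # Salt and iteration count are stored in the clear next to the derived key.
    return {"salt": salt, "iterations": iterations, "key": key}


def verify(password: str, record: dict) -> bool:
    """Re-derive with the stored parameters and compare in constant time."""
    candidate = pbkdf2_sha1(password.encode(), record["salt"],
                            record["iterations"], len(record["key"]))
    return hmac.compare_digest(candidate, record["key"])


if __name__ == "__main__":
    a = new_record("correct horse")  # constructed sample password
    b = new_record("correct horse")
    # Same password, different salts: the derived keys differ.
    print(a["key"] != b["key"], verify("correct horse", a), verify("wrong", a))
```
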