Paper 2016/273

On the weaknesses of PBKDF2

Andrea Visconti, Simone Bossi, Hany Ragab, and Alexandro Calò

Abstract

Password-based key derivation functions are of particular interest in cryptography because they (a) take as input a password/passphrase (which usually is short and lacks enough entropy) and derive a cryptographic key; (b) slow down brute-force and dictionary attacks as much as possible. In PKCS#5 [17], RSA Laboratories described a password-based key derivation function called PBKDF2 that has been widely adopted in many security-related applications [6, 7, 11]. In order to slow down brute-force attacks, PBKDF2 introduces CPU-intensive operations based on an iterated pseudorandom function. Such a pseudorandom function is HMAC-SHA-1 by default. In this paper we show that, if HMAC-SHA-1 is computed in a standard mode without following the performance improvements described in the implementation note of RFC 2104 [13] and FIPS 198-1 [14], an attacker is able to avoid 50% of PBKDF2's CPU-intensive operations by replacing them with precomputed values. We note that a number of well-known and widely-used crypto libraries are subject to this vulnerability. In addition to such a vulnerability, we describe some other minor optimizations that an attacker can exploit to reduce the key derivation time even further.
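The following is an added illustration, not code from the paper or from any of the libraries it examines. It implements PBKDF2-HMAC-SHA1 twice: once with HMAC evaluated "in a standard mode" (the 64-byte padded key is rehashed on every call), and once following the RFC 2104 / FIPS 198-1 implementation note (the SHA-1 states after absorbing K⊕ipad and K⊕opad are computed once and cloned). Both produce the same key, and a simple compression-call counter shows why the standard mode hands an attacker roughly half of the work for free: the two extra blocks per iteration are password-dependent but iteration-independent, so a defender's implementation should precompute them as well. The count model (one SHA-1 compression per 64-byte padded block) and the function names are assumptions of this example.

```python
import hashlib
import struct

BLOCK = 64    # SHA-1 block size in bytes
DIGEST = 20   # SHA-1 output size in bytes


def _compressions(msg_len: int) -> int:
    """SHA-1 compression-function calls needed to hash msg_len bytes
    (message, 0x80 byte, zero padding and 8-byte length, in 64-byte blocks).
    This cost model is an assumption of the example, not taken from the paper."""
    return (msg_len + 1 + 8 + BLOCK - 1) // BLOCK


def _padded_key(password: bytes) -> bytes:
    """HMAC key preparation: hash keys longer than one block, zero-pad to 64 bytes."""
    if len(password) > BLOCK:
        password = hashlib.sha1(password).digest()
    return password.ljust(BLOCK, b"\x00")


def pbkdf2_hmac_sha1(password: bytes, salt: bytes, iterations: int,
                     dklen: int, precompute: bool):
    """PBKDF2-HMAC-SHA1 (PKCS#5). Returns (derived_key, compression_calls).

    precompute=False: HMAC rehashes K^ipad and K^opad on every PRF call.
    precompute=True:  the RFC 2104 / FIPS 198-1 implementation note; the
                      two padded-key blocks are absorbed once and cloned.
    """
    key = _padded_key(password)
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    calls = 0

    if precompute:
        inner0 = hashlib.sha1(ipad)   # state after absorbing the first 64-byte block
        outer0 = hashlib.sha1(opad)
        calls += 2                    # paid once per password, not per iteration

    def prf(msg: bytes) -> bytes:
        nonlocal calls
        if precompute:
            h = inner0.copy()
            h.update(msg)
            o = outer0.copy()
            o.update(h.digest())
            # the first block of each hash was already absorbed above
            calls += (_compressions(BLOCK + len(msg)) - 1) \
                   + (_compressions(BLOCK + DIGEST) - 1)
            return o.digest()
        inner = hashlib.sha1(ipad + msg).digest()
        calls += _compressions(BLOCK + len(msg)) + _compressions(BLOCK + DIGEST)
        return hashlib.sha1(opad + inner).digest()

    out = b""
    for block_index in range(1, -(-dklen // DIGEST) + 1):
        u = prf(salt + struct.pack(">I", block_index))   # U_1 = PRF(P, S || INT(i))
        t = u
        for _ in range(iterations - 1):
            u = prf(u)                                    # U_j = PRF(P, U_{j-1})
            t = bytes(a ^ b for a, b in zip(t, u))        # T_i = U_1 xor ... xor U_c
        out += t
    return out[:dklen], calls


def matches_stdlib(password: bytes, salt: bytes, iterations: int, dklen: int) -> bool:
    """Both modes must agree with the standard library's PBKDF2-HMAC-SHA1."""
    ref = hashlib.pbkdf2_hmac("sha1", password, salt, iterations, dklen)
    slow, _ = pbkdf2_hmac_sha1(password, salt, iterations, dklen, precompute=False)
    fast, _ = pbkdf2_hmac_sha1(password, salt, iterations, dklen, precompute=True)
    return slow == ref and fast == ref


def precompute_saving(password: bytes, salt: bytes, iterations: int, dklen: int) -> float:
    """Fraction of compression calls removed by precomputing the padded-key states."""
    _, slow = pbkdf2_hmac_sha1(password, salt, iterations, dklen, precompute=False)
    _, fast = pbkdf2_hmac_sha1(password, salt, iterations, dklen, precompute=True)
    return 1.0 - fast / slow


if __name__ == "__main__":
    # Constructed sample input; RFC 6070 uses the same password/salt pair.
    p, s = b"password", b"salt"
    print("agrees with hashlib:", matches_stdlib(p, s, 1000, 20))
    print("saving at 1000 iterations: %.1f%%" % (100 * precompute_saving(p, s, 1000, 20)))
```

With a 20-byte salt-independent chain, every standard-mode iteration costs four compressions (two for the inner hash, two for the outer) while the precomputed variant costs two, so the saving converges to 50% as the iteration count grows; the point for an implementer is that the same precomputation is a legitimate, standards-sanctioned speed-up for the verifier, and leaving it out only lowers the cost ratio between the attacker and the defender.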

Metadata
Available format(s)
PDF
Publication info
Published elsewhere. Minor revision. The 14th International Conference on Cryptology and Network Security (CANS 2015)
Keywords
key management
Contact author(s)
andrea visconti @ unimi it
History
2016-03-10: received
Short URL
https://ia.cr/2016/273
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2016/273,
      author = {Andrea Visconti and Simone Bossi and Hany Ragab and Alexandro Calò},
      title = {On the weaknesses of PBKDF2},
      howpublished = {Cryptology ePrint Archive, Paper 2016/273},
      year = {2016},
      note = {\url{https://eprint.iacr.org/2016/273}},
      url = {https://eprint.iacr.org/2016/273}
}