Paper 2016/273
On the weaknesses of PBKDF2
Andrea Visconti, Simone Bossi, Hany Ragab, and Alexandro Calò
Abstract
Password-based key derivation functions are of particular interest in cryptography because they (a) take as input a password/passphrase (which is usually short and lacks sufficient entropy) and derive a cryptographic key from it; (b) slow down brute force and dictionary attacks as much as possible. In PKCS#5 [17], RSA Laboratories described a password-based key derivation function called PBKDF2 that has been widely adopted in many security-related applications [6, 7, 11]. In order to slow down brute force attacks, PBKDF2 introduces CPU-intensive operations based on an iterated pseudorandom function. Such a pseudorandom function is HMAC-SHA-1 by default. In this paper we show that, if HMAC-SHA-1 is computed in a standard mode without following the performance improvements described in the implementation note of RFC 2104 [13] and FIPS 198-1 [14], an attacker is able to avoid 50% of PBKDF2's CPU-intensive operations by replacing them with precomputed values. We note that a number of well-known and widely-used crypto libraries are subject to this vulnerability. In addition to this vulnerability, we describe some other minor optimizations that an attacker can exploit to reduce the key derivation time even further.
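The asymmetry the abstract describes comes from the RFC 2104 / FIPS 198-1 implementation note: because the PBKDF2 password is fixed across all iterations, the SHA-1 compression of the key XOR ipad block and of the key XOR opad block can be done once and the saved contexts reused, so each HMAC of a 20-byte message costs two SHA-1 compressions instead of four. The following added example (not code from the paper or from any of the libraries it surveys) implements PBKDF2-HMAC-SHA1 with those precomputed states on top of Python's `hashlib`, checks it against `hashlib.pbkdf2_hmac` and the RFC 6070 test vector, and counts compressions per iteration with and without the optimization. The counting helper assumes the usual Merkle–Damgård padding rule (message plus a 0x80 byte plus an 8-byte length, rounded up to 64-byte blocks). The defensive point is that a library which skips this optimization pays the full four-compression price per iteration while an attacker pays two, so the iteration count it chooses buys half the protection it appears to.

```python
import hashlib
import struct

BLOCK = 64   # SHA-1 block size in bytes
DIGEST = 20  # SHA-1 digest size in bytes


def hmac_sha1_states(key: bytes):
    """Return (inner, outer): SHA-1 contexts already fed with key^ipad and
    key^opad, as the RFC 2104 implementation note suggests. Done once per key."""
    if len(key) > BLOCK:
        key = hashlib.sha1(key).digest()
    key = key.ljust(BLOCK, b"\x00")
    inner = hashlib.sha1(bytes(b ^ 0x36 for b in key))
    outer = hashlib.sha1(bytes(b ^ 0x5C for b in key))
    return inner, outer


def hmac_from_states(inner, outer, msg: bytes) -> bytes:
    """One HMAC-SHA1 evaluation that reuses the precomputed contexts.
    copy() clones the hash state so the saved contexts are never consumed."""
    i = inner.copy()
    i.update(msg)
    o = outer.copy()
    o.update(i.digest())
    return o.digest()


def pbkdf2_sha1_precomputed(password: bytes, salt: bytes, iterations: int,
                            dklen: int = DIGEST) -> bytes:
    """PBKDF2 (PKCS#5 / RFC 8018) with HMAC-SHA1 and precomputed pad states."""
    inner, outer = hmac_sha1_states(password)
    out = b""
    block_index = 1
    while len(out) < dklen:
        # U_1 = PRF(P, S || INT(i)); U_j = PRF(P, U_{j-1}); T_i = U_1 ^ ... ^ U_c
        u = hmac_from_states(inner, outer, salt + struct.pack(">I", block_index))
        t = bytearray(u)
        for _ in range(iterations - 1):
            u = hmac_from_states(inner, outer, u)
            for k in range(DIGEST):
                t[k] ^= u[k]
        out += bytes(t)
        block_index += 1
    return out[:dklen]


def sha1_blocks(nbytes: int) -> int:
    """Number of 64-byte compressions SHA-1 performs on an nbytes message,
    including the 0x80 terminator and the 8-byte length field (assumed padding rule)."""
    return (nbytes + 1 + 8 + BLOCK - 1) // BLOCK


def compressions_per_iteration(precomputed: bool) -> int:
    """SHA-1 compressions for one PBKDF2 iteration, i.e. one HMAC over a
    20-byte U value: inner hash over pad||U, outer hash over pad||digest."""
    if precomputed:
        # The pad block is already absorbed; only the 20-byte tail plus
        # padding remains for each of the inner and outer hashes.
        return 2 * (sha1_blocks(BLOCK + DIGEST) - 1)
    return 2 * sha1_blocks(BLOCK + DIGEST)


if __name__ == "__main__":
    dk = pbkdf2_sha1_precomputed(b"password", b"salt", 4096)
    ref = hashlib.pbkdf2_hmac("sha1", b"password", b"salt", 4096, 20)
    print(dk.hex(), dk == ref)
    print("standard:", compressions_per_iteration(False),
          "precomputed:", compressions_per_iteration(True))
```

Running it prints the RFC 6070 derived key `4b007901b765489abead49d926f721d065a429c1` and the counts 4 versus 2, which is the 50% saving the abstract refers to; any PBKDF2 implementation that recomputes the ipad/opad blocks on every iteration is doing the work on the left while a well-written attacker tool does the work on the right.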
Metadata
- Publication info
- Published elsewhere. Minor revision. The 14th International Conference on Cryptology and Network Security (CANS 2015)
- Keywords
- key management
- Contact author(s)
- andrea visconti @ unimi it
- History
- 2016-03-10: received
- Short URL
- https://ia.cr/2016/273
- License
- CC BY
BibTeX
@misc{cryptoeprint:2016/273,
  author = {Andrea Visconti and Simone Bossi and Hany Ragab and Alexandro Calò},
  title = {On the weaknesses of {PBKDF2}},
  howpublished = {Cryptology {ePrint} Archive, Paper 2016/273},
  year = {2016},
  url = {https://eprint.iacr.org/2016/273}
}