Cryptology ePrint Archive: Report 2016/273

On the weaknesses of PBKDF2

Andrea Visconti and Simone Bossi and Hany Ragab and Alexandro Calò

Abstract: Password-based key derivation functions are of particular interest in cryptography because they (a) take as input a password/passphrase (which usually is short and lacks enough entropy) and derive a cryptographic key; (b) slow down brute force and dictionary attacks as much as possible. In PKCS#5 [17], RSA Laboratories described a password-based key derivation function called PBKDF2 that has been widely adopted in many security-related applications [6, 7, 11]. In order to slow down brute force attacks, PBKDF2 introduces CPU-intensive operations based on an iterated pseudorandom function. Such a pseudorandom function is HMAC-SHA-1 by default. In this paper we show that, if HMAC-SHA-1 is computed in a standard mode without following the performance improvements described in the implementation note of RFC 2104 [13] and FIPS 198-1 [14], an attacker is able to avoid 50% of PBKDF2's CPU-intensive operations by replacing them with precomputed values. We note that a number of well-known and widely-used crypto libraries are subject to this vulnerability. In addition to such a vulnerability, we describe some other minor optimizations that an attacker can exploit to reduce the key derivation time even further.
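The 50% figure in the abstract comes from the structure of HMAC: every HMAC-SHA-1 call hashes the key XOR ipad block and the key XOR opad block, and in PBKDF2 the key (the password) never changes between iterations, so those two compressions can be hashed once and their states cloned, exactly as the RFC 2104 / FIPS 198-1 implementation note recommends. The following Python is an added example, not code from the paper or its authors: it implements PBKDF2-HMAC-SHA-1 in both the "standard mode" and the precomputed-state mode, checks both against `hashlib.pbkdf2_hmac`, and counts SHA-1 compression-function calls analytically from the SHA-1 padding rule (the counts are derived, not measured, since `hashlib` exposes no call counter). The parameters `b"password"` / `b"salt"` are constructed sample inputs.

```python
import hashlib
import struct

BLOCK_LEN = 64    # SHA-1 block size in bytes
DIGEST_LEN = 20   # SHA-1 output size in bytes


def _sha1_blocks(msg_len):
    """Compression calls SHA-1 makes to hash msg_len bytes: padding always
    appends 0x80 plus an 8-byte length, so at least 9 bytes are added."""
    return (msg_len + 9 + BLOCK_LEN - 1) // BLOCK_LEN


def _padded_key(password):
    """HMAC key preparation: hash keys longer than a block, then zero-pad."""
    if len(password) > BLOCK_LEN:
        password = hashlib.sha1(password).digest()
    return password.ljust(BLOCK_LEN, b"\x00")


def _pbkdf2(prf, salt, iterations, dklen):
    """Generic PBKDF2 loop (PKCS#5 / RFC 8018 section 5.2) over a PRF closure."""
    out = b""
    block_index = 1
    while len(out) < dklen:
        u = prf(salt + struct.pack(">I", block_index))   # U_1
        t = u
        for _ in range(iterations - 1):                   # U_2 .. U_c
            u = prf(u)
            t = bytes(a ^ b for a, b in zip(t, u))
        out += t
        block_index += 1
    return out[:dklen]


def pbkdf2_standard_mode(password, salt, iterations, dklen):
    """HMAC-SHA-1 rebuilt from scratch on every call: the ipad and opad key
    blocks are re-hashed each time.  Returns (derived_key, compression_calls)."""
    k = _padded_key(password)
    ipad = bytes(b ^ 0x36 for b in k)
    opad = bytes(b ^ 0x5C for b in k)
    calls = 0

    def hmac_sha1(msg):
        nonlocal calls
        inner = hashlib.sha1(ipad + msg).digest()
        outer = hashlib.sha1(opad + inner).digest()
        calls += _sha1_blocks(len(ipad) + len(msg)) + _sha1_blocks(len(opad) + DIGEST_LEN)
        return outer

    return _pbkdf2(hmac_sha1, salt, iterations, dklen), calls


def pbkdf2_precomputed_mode(password, salt, iterations, dklen):
    """RFC 2104 / FIPS 198-1 implementation note: absorb the ipad and opad
    blocks once, then clone the saved hash states for every HMAC call."""
    k = _padded_key(password)
    inner_state = hashlib.sha1(bytes(b ^ 0x36 for b in k))
    outer_state = hashlib.sha1(bytes(b ^ 0x5C for b in k))
    calls = 2  # one-time cost of the two key blocks

    def hmac_sha1(msg):
        nonlocal calls
        h = inner_state.copy()
        h.update(msg)
        inner = h.digest()
        o = outer_state.copy()
        o.update(inner)
        # the key block was already absorbed, so it is not paid again here
        calls += (_sha1_blocks(BLOCK_LEN + len(msg)) - 1) \
               + (_sha1_blocks(BLOCK_LEN + DIGEST_LEN) - 1)
        return o.digest()

    return _pbkdf2(hmac_sha1, salt, iterations, dklen), calls


def compare(password, salt, iterations, dklen):
    """Derive the key both ways, confirm both agree with the standard library,
    and report the compression-call counts side by side."""
    dk_std, calls_std = pbkdf2_standard_mode(password, salt, iterations, dklen)
    dk_pre, calls_pre = pbkdf2_precomputed_mode(password, salt, iterations, dklen)
    reference = hashlib.pbkdf2_hmac("sha1", password, salt, iterations, dklen)
    return {
        "matches_reference": dk_std == dk_pre == reference,
        "standard_calls": calls_std,
        "precomputed_calls": calls_pre,
        "ratio": calls_pre / calls_std,
    }


if __name__ == "__main__":
    # constructed sample parameters, not the paper's test data
    print(compare(b"password", b"salt", 1000, 20))
```

With a 20-byte output and 1000 iterations, the standard mode spends 4 compressions per HMAC (4000 in total) while the precomputed mode spends 2 per HMAC plus 2 once (2002), i.e. the same key at half the work. The defender's takeaway is that a library which does not precompute pays this doubled cost without any security benefit, since a password-guessing adversary will precompute regardless; when choosing an iteration count, measure it against an implementation that follows the implementation note.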

Category / Keywords: key management

Original Publication (with minor differences): The 14th International Conference on Cryptology and Network Security (CANS 2015)

Date: received 10 Mar 2016

Contact author: andrea visconti at unimi it

Available format(s): PDF | BibTeX Citation

Version: 20160310:181315 (All versions of this report)
