
Paper 2016/273

On the weaknesses of PBKDF2

Andrea Visconti, Simone Bossi, Hany Ragab, and Alexandro Calò


Password-based key derivation functions are of particular interest in cryptography because they (a) take as input a password/passphrase (which is usually short and lacks sufficient entropy) and derive a cryptographic key from it, and (b) slow down brute-force and dictionary attacks as much as possible. In PKCS#5 [17], RSA Laboratories described a password-based key derivation function called PBKDF2 that has been widely adopted in many security-related applications [6, 7, 11]. In order to slow down brute-force attacks, PBKDF2 introduces CPU-intensive operations based on an iterated pseudorandom function. This pseudorandom function is HMAC-SHA-1 by default. In this paper we show that, if HMAC-SHA-1 is computed in a standard mode, without the performance improvement described in the implementation notes of RFC 2104 [13] and FIPS 198-1 [14] (precomputing the hash states that depend only on the key, i.e. on the password, instead of recomputing them at every iteration), an attacker is able to avoid 50% of PBKDF2's CPU-intensive operations by replacing them with precomputed values. We note that a number of well-known and widely-used crypto libraries are subject to this vulnerability. In addition to this vulnerability, we describe some other minor optimizations that an attacker can exploit to further reduce the key derivation time.
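The following is an added, self-contained illustration of the abstract's main point; it is not code from the paper or from any of the libraries it discusses. It implements SHA-1 in pure Python only so that every 64-byte block compression can be counted, then runs PBKDF2-HMAC-SHA-1 twice: once with HMAC computed "from scratch" on every call (the standard mode), and once with the RFC 2104 / FIPS 198-1 precomputation of the K⊕ipad and K⊕opad states. The password, salt and iteration count are constructed sample inputs; the derived key is cross-checked against hashlib.

```python
import hashlib
import struct

STATS = {"compressions": 0}  # SHA-1 block compressions performed (the CPU-intensive step)
SHA1_IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)
BLOCK = 64


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def sha1_compress(state, block):
    """One SHA-1 compression of a 64-byte block, counted in STATS."""
    STATS["compressions"] += 1
    w = list(struct.unpack(">16I", block))
    for i in range(16, 80):
        w.append(_rotl(w[i - 3] ^ w[i - 8] ^ w[i - 14] ^ w[i - 16], 1))
    a, b, c, d, e = state
    for i in range(80):
        if i < 20:
            f, k = (b & c) | (~b & d), 0x5A827999
        elif i < 40:
            f, k = b ^ c ^ d, 0x6ED9EBA1
        elif i < 60:
            f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
        else:
            f, k = b ^ c ^ d, 0xCA62C1D6
        tmp = (_rotl(a, 5) + (f & 0xFFFFFFFF) + e + k + w[i]) & 0xFFFFFFFF
        a, b, c, d, e = tmp, a, _rotl(b, 30), c, d
    return tuple((s + v) & 0xFFFFFFFF for s, v in zip(state, (a, b, c, d, e)))


def sha1_finish(state, tail, total_len):
    """Pad `tail` (the not-yet-compressed bytes of a `total_len`-byte message),
    compress the remaining blocks starting from `state` and return the digest."""
    msg = tail + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % BLOCK) % BLOCK)
    msg += struct.pack(">Q", total_len * 8)
    for i in range(0, len(msg), BLOCK):
        state = sha1_compress(state, msg[i:i + BLOCK])
    return struct.pack(">5I", *state)


def _padded_key(key):
    if len(key) > BLOCK:  # HMAC: keys longer than one block are hashed first
        key = sha1_finish(SHA1_IV, key, len(key))
    return key.ljust(BLOCK, b"\x00")


def hmac_sha1_naive(key, msg):
    """Standard mode: K^ipad and K^opad are re-hashed on every call
    (4 compressions for a 20-byte msg)."""
    k = _padded_key(key)
    inner = sha1_finish(SHA1_IV, bytes(x ^ 0x36 for x in k) + msg, BLOCK + len(msg))
    return sha1_finish(SHA1_IV, bytes(x ^ 0x5C for x in k) + inner, BLOCK + 20)


class HmacSha1Precomputed:
    """RFC 2104 / FIPS 198-1 note: compress K^ipad and K^opad once per key, so each
    MAC then costs only the two compressions that depend on the message."""

    def __init__(self, key):
        k = _padded_key(key)
        self.inner = sha1_compress(SHA1_IV, bytes(x ^ 0x36 for x in k))
        self.outer = sha1_compress(SHA1_IV, bytes(x ^ 0x5C for x in k))

    def mac(self, msg):
        inner = sha1_finish(self.inner, msg, BLOCK + len(msg))
        return sha1_finish(self.outer, inner, BLOCK + 20)


def pbkdf2(prf, salt, iterations, dk_len=20):
    """PKCS#5 PBKDF2 with hLen = 20; prf(msg) is HMAC-SHA-1 keyed with the password."""
    out = b""
    for i in range(1, -(-dk_len // 20) + 1):
        u = prf(salt + struct.pack(">I", i))
        t = bytearray(u)
        for _ in range(iterations - 1):
            u = prf(u)
            t = bytearray(x ^ y for x, y in zip(t, u))
        out += bytes(t)
    return out[:dk_len]


def compare(password, salt, iterations, dk_len=20):
    """Derive the key both ways; return (naive_compressions, precomputed_compressions, key)."""
    STATS["compressions"] = 0
    dk_naive = pbkdf2(lambda m: hmac_sha1_naive(password, m), salt, iterations, dk_len)
    naive = STATS["compressions"]
    STATS["compressions"] = 0
    h = HmacSha1Precomputed(password)  # the attacker pays this once per password guess
    dk_fast = pbkdf2(h.mac, salt, iterations, dk_len)
    fast = STATS["compressions"]
    assert dk_naive == dk_fast == hashlib.pbkdf2_hmac("sha1", password, salt, iterations, dk_len)
    return naive, fast, dk_naive


if __name__ == "__main__":
    naive, fast, dk = compare(b"password", b"saltsalt", 1000)  # constructed sample input
    print(f"naive: {naive} compressions, precomputed: {fast} ({100 * (1 - fast / naive):.1f}% fewer)")
    print(dk.hex())
```

For 1000 iterations and a one-block output the standard mode performs 4000 compressions (two for the inner hash and two for the outer hash per HMAC call), while the precomputed variant performs 2 compressions once plus 2 per iteration, i.e. 2002. The saving is exactly the half the abstract refers to, and it is available to an attacker regardless of how the defender's library computes PBKDF2; a defender's library that skips the precomputation simply spends twice the attacker's cost for the same iteration count.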

Publication info: Published elsewhere. Minor revision. The 14th International Conference on Cryptology and Network Security (CANS 2015)
Keywords: key management
Contact author(s): andrea visconti @ unimi it
History: 2016-03-10: received
License: Creative Commons Attribution


@misc{cryptoeprint:2016/273,
      author = {Andrea Visconti and Simone Bossi and Hany Ragab and Alexandro Calò},
      title = {On the weaknesses of PBKDF2},
      howpublished = {Cryptology ePrint Archive, Paper 2016/273},
      year = {2016},
      note = {\url{https://eprint.iacr.org/2016/273}},
      url = {https://eprint.iacr.org/2016/273}
}