Cryptography Stack Exchange
Cryptography Stack Exchange

Questions tagged [key-derivation]

In cryptography, a key derivation function (or KDF) derives one or more secret keys from a secret value such as a master key or other known information such as a password or passphrase using a pseudo-random function. Keyed cryptographic hash functions are popular examples of pseudo-random functions used for key derivation.

In cryptography, a key derivation function (or KDF) derives one or more secret keys from a secret value such as a master key or other known information such as a password or passphrase using a pseudo-random function. Keyed cryptographic hash functions are popular examples of pseudo-random functions used for key derivation.

662 questions
68
votes
4 answers

Why does the FBI ask Apple for help to decrypt an iPhone?

The current debate of the FBI trying to get Apple to assist in decrypting an iPhone made me wonder: Normally, upon turning on an iPhone, everything is decrypted using a 4-digit pin (or actually, a key that is derived from the PIN with a strong KDF,…
RocketNuts
  • 1,397
  • 1
  • 13
  • 24
54
votes
1 answer

Password hashing security of argon2 versus bcrypt/PBKDF2?

I wonder if it can be approximated how much of a security margin the new argon2 hash, winner of the password hashing competition, can give over bcrypt or PBKDF2, for an attacker using large GPU systems. Practically speaking, if I have had a…
azren
  • 751
  • 1
  • 5
  • 7
38
votes
4 answers

How can one securely generate an asymmetric key pair from a short passphrase?

Background info: I am planning on making a filehost with which one can encrypt and upload files. To protect the data against any form of hacking, I'd like not to know the encryption key ($K$) used for a file, so the user will have to asymmetrically…
Flumble
  • 485
  • 1
  • 4
  • 6
34
votes
3 answers

How many KDF rounds for an SSH key?

What is the best practice on choosing how many key derivation function (KDF) rounds/iterations when generating an SSH key pair with ssh-keygen? Am I correct in saying that it is unnecessary if the passphrase is strong enough? Is there some kind of…
Peter Tseng
  • 443
  • 1
  • 4
  • 6
32
votes
6 answers

What is the practical impact of using System.Random which is not cryptographically random?

I recently noticed a .NET software using PBKDF to derive an encryption key from a password string. This password string was dynamically generated using System.Random. Now, I know that System.Random is not really cryptographically random and should…
learnerX
  • 687
  • 1
  • 8
  • 15
32
votes
2 answers

Key derivation functions (KDF): What are they, what are their main purposes and how they can be used?

What are KDFs? What are their main purposes? How they can be used, in other words, what's their drill in a cryptography scheme?
Samuel Paz
  • 485
  • 1
  • 4
  • 6
29
votes
4 answers

Is there a hash function that's more expensive for an attacker than for the server?

Say a server wants to hash a password $p$. It would use a secure hash function $H$ and a unique salt $s$ to hash the password as $H(p,s)$. If one has access to the salt, each password candidate requires one run of the hash function to be ruled out;…
n-l-i
  • 1,084
  • 5
  • 15
25
votes
2 answers

What is the difference between Scrypt and PBKDF2?

After reading these two resources I am wondering am I getting all the differences between Scrypt and PBKDF2. As far as I understood, the similarity is: both are password-based key derivation functions. The difference is: Scrypt is more resource…
Salvador Dali
  • 365
  • 1
  • 3
  • 7
25
votes
1 answer

Memory-hard password hash in practice?

Dan Boneh, Henry Corrigan-Gibbs, and Stuart Schechter have proposed Balloon Hashing: A Memory-Hard Function Providing Provable Protection Against Sequential Attacks (in proceedings of AsiaCrypt 2016). Taking the abstract at face value, it is a blow…
fgrieu
  • 149,326
  • 13
  • 324
  • 622
24
votes
6 answers

PBKDF2 and salt

I want to ask some questions about the PBKDF2 function and generally about the password-based derivation functions. Actually we use the derivation function together with the salt to provide resistance against the dictionary attacks, right? One…
thrylos_7
  • 341
  • 1
  • 2
  • 3
22
votes
2 answers

Deriving Keys for Symmetric Encryption and Authentication

So here's the concept. Rather than storing 2 keys and using a random IV, which presents its own problems (key rotation, ensuring no key is used in more than 2^32 cycles, sharing the keys, etc), is it OK to derive the cipher key, authentication key…
ircmaxell
  • 425
  • 3
  • 8
21
votes
6 answers

Why does PBKDF2 xor the iterations of the hash function together?

The definition of PBKDF2 states that I obtain a derived key (1) by calling a pseudorandom function a bunch of times recursively: $U_1 = PRF(password, salt)$ $U_2 = PRF(password, U_1)$ … $U_n = PRF(password, U_n-1)$ The standard then defines the…
Cameron Skinner
  • 313
  • 2
  • 7
20
votes
2 answers

Deterministically generate a RSA public/private key pair from a passphrase (with sufficient entropy)?

Is it possible to deterministically generate public/private RSA key pairs from passphrases? Would giving the (key generating) algorithm data made from key-stretching the passphrase (instead of a source of random data) be sufficient and…
fadedbee
  • 968
  • 1
  • 11
  • 31
20
votes
1 answer

Compressing EC private keys

For reasonable security, EC private keys are typically 256-bits. Shorter EC private keys are not sufficiently secure. However, shorter symmetric keys (128-bits, for example) are comparably secure. I have a case where I need to regenerate an EC…
David Schwartz
  • 4,739
  • 21
  • 31
19
votes
0 answers

What's the difference between a Key Derivation Function and a Password-Hash?

It seems to me that anything that was sufficiently good as a KDF would work just fine as a password hash, though the reverse might not be true. Are there considerations specific to password-hashing that don't apply to KDFs? To clarify: This is…
Jason
  • 373
  • 2
  • 7
1
2 3
44 45