[cryptography] is there an interation-incremental version of PBKDF2?

Jack Lloyd lloyd at randombit.net
Wed Sep 8 17:43:13 EDT 2010


On Wed, Sep 08, 2010 at 02:21:18PM -0700, Jon Callas wrote:

> Not really. PBKDF2 has the advantage that you can use any PRF in
> it. The most common PRF is some HMAC, which is a one-way
> function. You could use a two-way function like AES in it, and get
> the property you want. But if you use a two-way function, that means
> you can reverse the derived key to get the password that the key is
> derived from.

Is this really true in the case of PBKDF2? It keys the PRF based on
the password; even if your PRF is invertible, that would seem to
require keeping the key (ie, password) or the key schedule (which is
equivalent in the case of AES) available to be able to add further
iterations.

It occurs to me that you could actually re-stretch a PBKDF2 hash based
on HMAC if you kept around the chaining variables resulting from H(k ^
ipad) and H(k ^ opad); this would be sufficient to allow continuing
the chaining. Of course, if someone can get these chaining variables,
it would be a much easier target for cracking than going after PBKDF2
directly, so keeping them around in long term storage doesn't seem
like a great idea.

-Jack



More information about the cryptography mailing list