[cryptography] any reason PBKDF2 shouldn't be used for storing hashed passwords?

Ben Laurie ben at links.org
Thu Aug 16 08:25:04 EDT 2012


On Thu, Aug 16, 2012 at 1:30 AM, Patrick Mylund Nielsen
<cryptography at patrickmylund.com> wrote:
> One curious note is that NIST recommends PBKDF2 for master key derivation,
> and specifically write, "The MK [PBKDF2 output] shall not be used for other
> purposes." Perhaps the document was meant to document just KDFs. Since the
> hashes are one-way anyway, I don't see it making a difference for use as
> "password digests."

Just being cautious, I guess. I'm sure there are stupid ways to use
the MK and they are presumably hard to list.

Anyway, if you want to conform, encrypt a bunch of zeroes using the MK
and then use decryption to check correctness of password...

>
>
> On Thu, Aug 16, 2012 at 2:15 AM, Jon Callas <jon at callas.org> wrote:
>>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>>
>> On Aug 15, 2012, at 4:50 PM, travis+ml-rbcryptography at subspacefield.org
>> wrote:
>>
>> > * PGP Signed by an unknown key
>> >
>> > Any reason PBKDF2 shouldn't be used for (storing) hashed passwords?
>> >
>>
>> My recommendation is that you should use it. It's even got a NIST
>> document, now:
>>
>> http://csrc.nist.gov/publications/nistpubs/800-132/nist-sp800-132.pdf
>>
>> To be the most rigorous, use PBKDF2-HMAC-SHA[12]. It doesn't matter a lot
>> which hash function you're using if you're doing the HMAC version. The major
>> difference will be the number of iterations. SHA2 is slower than SHA1, so
>> you'll use fewer iterations. SHA512 is faster on a 64-bit processor than
>> SHA256, which puts a small wrench in things.
>>
>> Use lots of iterations. Calibrate them against real time -- enough for
>> 100ms or more, for example, rather than a fixed count. If you're worried,
>> then add more iterations.
>>
>>         Jon
>>
>>
>>
>> -----BEGIN PGP SIGNATURE-----
>> Version: PGP Universal 3.2.0 (Build 1672)
>> Charset: us-ascii
>>
>> wj8DBQFQLDuusTedWZOD3gYRAt0+AKC0jAKZS40IDBdYelX19y5pQ6zS5gCgpYhI
>> dYokIg8zciE7iY5NrXVWkwc=
>> =pSLW
>> -----END PGP SIGNATURE-----
>> _______________________________________________
>> cryptography mailing list
>> cryptography at randombit.net
>> http://lists.randombit.net/mailman/listinfo/cryptography
>
>
>
> _______________________________________________
> cryptography mailing list
> cryptography at randombit.net
> http://lists.randombit.net/mailman/listinfo/cryptography
>



More information about the cryptography mailing list