[cryptography] any reason PBKDF2 shouldn't be used for storing hashed passwords?
ben at links.org
Thu Aug 16 08:25:04 EDT 2012
On Thu, Aug 16, 2012 at 1:30 AM, Patrick Mylund Nielsen
<cryptography at patrickmylund.com> wrote:
> One curious note is that NIST recommends PBKDF2 for master key derivation,
> and specifically writes, "The MK [PBKDF2 output] shall not be used for other
> purposes." Perhaps the document was meant to document just KDFs. Since the
> hashes are one-way anyway, I don't see it making a difference for use as
> "password digests."
Just being cautious, I guess. I'm sure there are stupid ways to use
the MK and they are presumably hard to list.
Anyway, if you want to conform, encrypt a bunch of zeroes using the MK
and then use decryption to check correctness of password...
> On Thu, Aug 16, 2012 at 2:15 AM, Jon Callas <jon at callas.org> wrote:
>> On Aug 15, 2012, at 4:50 PM, travis+ml-rbcryptography at subspacefield.org
>> > Any reason PBKDF2 shouldn't be used for (storing) hashed passwords?
>> My recommendation is that you should use it. It's even got a NIST
>> document, now:
>> To be the most rigorous, use PBKDF2-HMAC-SHA. It doesn't matter a lot
>> which hash function you're using if you're doing the HMAC version. The major
>> difference will be the number of iterations. SHA2 is slower than SHA1, so
>> you'll use fewer iterations. SHA512 is faster on a 64-bit processor than
>> SHA256, which puts a small wrench in things.
>> Use lots of iterations. Calibrate them against real time -- enough for
>> 100ms or more, for example, rather than a fixed count. If you're worried,
>> then add more iterations.
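Added example, not part of the original thread or any poster's code: the advice quoted above to calibrate the PBKDF2 iteration count against real time (about 100 ms) instead of fixing it, with the count stored next to the salt so it can be raised later. The record layout, salt size, SHA-256 choice and all function names are assumptions made for this example.

```python
import hashlib
import hmac
import os
import time

HASH_NAME = "sha256"   # assumption: any hash usable with HMAC would do
SALT_BYTES = 16        # assumption: salt size chosen for this example


def calibrate_iterations(target_seconds=0.1, probe=20_000, floor=10_000):
    """Pick an iteration count costing about target_seconds on this host."""
    salt = os.urandom(SALT_BYTES)
    start = time.perf_counter()
    hashlib.pbkdf2_hmac(HASH_NAME, b"calibration-password", salt, probe)
    elapsed = max(time.perf_counter() - start, 1e-9)
    # PBKDF2 cost is linear in the iteration count, so scale the probe run.
    return max(floor, int(probe * target_seconds / elapsed))


def hash_password(password, iterations):
    """Return a self-describing record: scheme$iterations$salt$digest."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(HASH_NAME, password.encode(), salt, iterations)
    return "$".join(["pbkdf2-" + HASH_NAME, str(iterations), salt.hex(), digest.hex()])


def verify_password(password, record):
    """Recompute with the stored parameters and compare in constant time."""
    scheme, iterations, salt_hex, digest_hex = record.split("$")
    if scheme != "pbkdf2-" + HASH_NAME:
        return False
    candidate = hashlib.pbkdf2_hmac(
        HASH_NAME, password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def needs_rehash(record, current_iterations):
    """True when a record used fewer iterations than today's calibration."""
    return int(record.split("$")[1]) < current_iterations


if __name__ == "__main__":
    n = calibrate_iterations()
    rec = hash_password("correct horse battery staple", n)  # constructed sample
    print(n, rec)
    print(verify_password("correct horse battery staple", rec))
    print(verify_password("wrong guess", rec))
```

Because each record carries its own iteration count, a later recalibration on faster hardware only requires rehashing at the user's next successful login, which `needs_rehash` detects.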