1password is an excellent password management software. With it, you can easily manage your passwords, so you don't need to consider the problem of password leakage. According to 1password's official introduction, its bottom layer uses the PBKDF2 algorithm to encrypt passwords.
So where is PBKDF2 sacred? What advantages does it have that can make 1password be favored? Let's take a look.
PBKDF2 and PBKDF1
The full name of PBKDF is Password-Based Key Derivation Function. Simply put, PBKDF is a password derivative tool. Since there is PBKDF2, there must be PBKDF1, so what is the difference between the two?
PBKDF2 is one of the standards of the PKCS series. Specifically, it is version 2.0 of PKCS#5, which is also released as RFC 2898. It is a substitute for PBKDF1, why would it replace PBKDF1? That's because PBKDF1 can only generate keys with a length of 160 bits. With the rapid development of computer performance today, it can no longer meet our encryption needs. So it was replaced by PBKDF2.
In the RFC 8018 (PKCS #5 v2.1) released in 2017, it is recommended to use PBKDF2 as the standard for password hashing.
PBKDF2 and PBKDF1 are mainly used to prevent brute force cracking of passwords, so automatic adjustment of computing power is added to the design to resist the possibility of brute force cracking.
PBKDF2 actually applies the pseudorandom function PRF (pseudorandom function) to the input password and salt to generate a hash value, and then uses the hash value as an encryption key to be applied to the subsequent encryption process. By analogy, this process is repeated many times, thereby increasing the difficulty of password cracking. This process is also known as password strengthening.
Let's look at a standard PBKDF2 working flow chart:
As you can see from the figure, the initial password and salt undergo PRF operation to generate a key, and then this key is used as the next encrypted input and the password is again subjected to PRF operation to generate the subsequent key, which is repeated many times. The key is then XORed to generate the final T, and then these finally generated T are combined to generate the final password.
According to the recommendations in 2000, generally speaking, the number of traversals must be more than 1,000 to be considered safe. Of course, this number of times will also change with the enhancement of CPU computing power. This number of times can be adjusted according to safety requirements.
After traversal, why do we need to add salt? The addition of salt is to prevent rainbow table attacks on passwords. In other words, the attacker cannot pre-select and calculate the hash value of a specific password, because it cannot be predicted in advance, so the security is improved. The recommended length of standard salt is 64 bits, and the recommended salt length of the National Institute of Standards and Technology is 128 bits.
Explain the key generation process of PBKDF2 in detail
In the above section, we tell you how PBKDF2 works in an easy-to-understand way. Generally speaking, it is enough to understand this layer, but if you want to go deeper and understand the underlying principle of PBKDF2 key generation, then please pay attention to this section.
We introduced above that PBKDF2 is a function to generate a derived key. As a function, there are inputs and outputs. Let's first look at the definition of PBKDF2:
DK = PBKDF2(PRF, Password, Salt, c, dkLen)
PBKDF2 has 5 functions. Let's see what each parameter means:
- PRF is a pseudo-random hash function, we can replace it as needed, such as replacing it with an HMAC function.
- Password is the master password used to generate derivative keys.
- Salt is a sequence of bits used to add salt to the password.
- c is the number of cycles.
- dkLen is the bit length required by the generated key.
- DK is the last derived key generated.
In the previous section, we can see that the final derived key is actually composed of several parts. Each T in the above figure represents a part of the derived key. Finally, these Ts are combined to obtain the final derived key. , The formula is as follows:
DK = T1 + T2 + ⋯ + Tdklen/hlen Ti = F(Password, Salt, c, i)
The F above is the XOR chain traversed c times. The formula is as follows:
F(Password, Salt, c, i) = U1 ^ U2 ^ ⋯ ^ Uc
U1 = PRF(Password, Salt + INT_32_BE(i)) U2 = PRF(Password, U1) ⋮ Uc = PRF(Password, Uc−1)
HMAC password collision
If the PRF of PBKDF2 uses HMAC, then some very interesting questions will be sent. For HMAC, if the length of the password is greater than the acceptable range of HMAC, then the password will be hashed first, and then the hashed string will be used as the input of HMAC.
Let's take an example, if the password entered by the user is:
After one HMAC-SHA1 operation, we get:
SHA1 (hex): 65426b585154667542717027635463617226672a
Convert it to a string to get:
SHA1 (ASCII): eBkXQTfuBqp'cTcar&g*
Therefore, if the encryption method of PBKDF2-HMAC-SHA1 is used, the following two passwords generate derived keys are the same.
Disadvantages of PBKDF2
Although PBKDF2 can increase the difficulty of password cracking by adjusting the number of loop traversals. But a special processor can be developed for it, and it can be cracked with very little RAM. For this reason, encryption algorithms such as bcrypt and scrypt rely on a large amount of RAM, which makes those cheap ASIC processors useless.
The above is a brief introduction to PBKDF2. If you want to know more about it, you can refer to my other articles on cryptography.
This article has been included in http://www.flydean.com/41-pbkdf2/
The most popular interpretation, the most profound dry goods, the most concise tutorial, and many tips you don't know are waiting for you to discover!
Welcome to pay attention to my official account: "Program those things", know technology, know you better!