Password-based key derivation functions are of particular interest in cryptography because they (a) input a password/passphrase (which usually is short and lacks enough entropy) and derive a cryptographic key; (b) slow down brute force and dictionary attacks as much as possible. In PKCS#5 [17], RSA Laboratories described a password based key derivation function called PBKDF2 that has been widely adopted in many security related applications [6,7,11]. In order to slow down brute force attacks, PBKDF2 introduce CPU-intensive operations based on an iterated pseudorandom function. Such a pseudorandom function is HMAC-SHA-1 by default. In this paper we show that, if HMAC-SHA1 is computed in a standard mode without following the performance improvements described in the implementation note of RFC 2104 [13] and FIPS 198-1 [14], an attacker is able to avoid 50% of PBKDF2's CPU intensive operations, by replacing them with precomputed values. We note that a number of well-known and widely-used crypto libraries are subject to this vulnerability. In addition to such a vulnerability, we describe some other minor optimizations that an attacker can exploit to reduce even more the key derivation time.

On the weaknesses of PBKDF2 / A. Visconti, S. Bossi, H. Ragab, A. Cal(`o) (LECTURE NOTES IN COMPUTER SCIENCE). - In: Cryptology and Network Security / [a cura di] M. Reiter, D. Naccache. - [s.l] : Springer, 2015. - ISBN 978-3-319-26822-4. - pp. 119-126 (( Intervento presentato al 14. convegno CANS tenutosi a Marrakesh nel 2015 [10.1007/978-3-319-26823-1_9].

On the weaknesses of PBKDF2

A. Visconti
Primo
;
2015

Abstract

Password-based key derivation functions are of particular interest in cryptography because they (a) input a password/passphrase (which usually is short and lacks enough entropy) and derive a cryptographic key; (b) slow down brute force and dictionary attacks as much as possible. In PKCS#5 [17], RSA Laboratories described a password based key derivation function called PBKDF2 that has been widely adopted in many security related applications [6,7,11]. In order to slow down brute force attacks, PBKDF2 introduce CPU-intensive operations based on an iterated pseudorandom function. Such a pseudorandom function is HMAC-SHA-1 by default. In this paper we show that, if HMAC-SHA1 is computed in a standard mode without following the performance improvements described in the implementation note of RFC 2104 [13] and FIPS 198-1 [14], an attacker is able to avoid 50% of PBKDF2's CPU intensive operations, by replacing them with precomputed values. We note that a number of well-known and widely-used crypto libraries are subject to this vulnerability. In addition to such a vulnerability, we describe some other minor optimizations that an attacker can exploit to reduce even more the key derivation time.
Key derivation function; CPU-intensive operations; Passwords; PKCS#5; Optimizations
Settore INF/01 - Informatica
2015
Book Part (author)
File in questo prodotto:
File Dimensione Formato  
IACR_2016-273.pdf

accesso riservato

Tipologia: Pre-print (manoscritto inviato all'editore)
Dimensione 815.88 kB
Formato Adobe PDF
815.88 kB Adobe PDF   Visualizza/Apri   Richiedi una copia
978-3-319-26823-1_9.pdf

accesso riservato

Tipologia: Publisher's version/PDF
Dimensione 876.03 kB
Formato Adobe PDF
876.03 kB Adobe PDF   Visualizza/Apri   Richiedi una copia
Pubblicazioni consigliate

I documenti in IRIS sono protetti da copyright e tutti i diritti sono riservati, salvo diversa indicazione.

Utilizza questo identificativo per citare o creare un link a questo documento: https://hdl.handle.net/2434/1010508
Citazioni
  • ???jsp.display-item.citation.pmc??? ND
  • Scopus 19
  • ???jsp.display-item.citation.isi??? 6
social impact