One Little Method Secures You On-line, Your CryptoWallet, And Your Wi-fi: Meet The Tortoise

There’s one little cybersecurity method that protects you on-line, your Crypto Wallet and your wi-fi: PBKDF2 (Password-Based Key Derivation Function 2). And, it loves being slow … in fact, the slower the better!!!!

PBKDF2 takes an input, such as random data or a passphrase, and converts it into an encryption key of a given size. This key is then typically used with AES encryption to secure the data. A 256-bit key has 32 bytes, and a 128-bit key has 16 bytes.

But there are many other hashing methods, such as MD5, SHA-1, SHA-256, and so on. So what makes PBKDF2 so special? Well, it is its slowness, which is a good feature when someone is trying to crack your crypto wallet or your wi-fi. We hash for a number of rounds, and the more rounds there are, the longer it takes. Typically we use more than 2,000 rounds for a robust password, so that only a few thousand passwords can be tried per second, rather than billions for SHA-256. This slowness makes it costly to crack: you would require GPU arrays to crack even the simplest of passwords, and these are costly in terms of the electricity they use. PBKDF2 also takes a salt value, which makes it robust against rainbow tables.

So here is a calculator [here]:

PBKDF2 is a slow key derivation function which takes an input string, a salt, and a number of rounds. Test vectors from RFC 6070 are [here]:

Input:
P = "password" (8 octets)
S = "salt" (4 octets)
c = 1
dkLen = 20
Output:
DK = 12 0f b6 cf fc f8 b3 2c 43 e7 22 52 56 c4 f8 37 a8 65 48 c9

Input:
P = "password" (8 octets)
S = "salt" (4 octets)
c = 2
dkLen = 20
Output:
DK = ae 4d 0c 95 af 6b 46 d3 2d 0a df f9 28 f0 6d d0 2a 30 3f 8e

Input:
P = "password" (8 octets)
S = "salt" (4 octets)
c = 4096
dkLen = 20
Output:
DK = c5 e4 78 d5 92 88 c8 41 aa 53 0d b6 84 5c 4c 8d 96 28 93 a0

Input:
P = "passwordPASSWORDpassword" (24 octets)
S = "saltSALTsaltSALTsaltSALTsaltSALTsalt" (36 octets)
c = 4096
dkLen = 25
Output:
DK = 34 8c 89 db cb d3 2b 2f 32 d8 14 b8 11 6e 84 cf
     2b 17 34 7e bc 18 00 18 1c

The following defines some Python code:

from passlib.utils.pbkdf2 import pbkdf2
import sys

# Input passphrase, salt, and PBKDF2 parameters
st = "abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon cactus"
salt = "mnemonicBILL"
rounds = 2048
keylen = 64
method = 'hmac-sha512'

# Cap the number of rounds this demo will accept
if rounds > 4096:
    print("Too many rounds")
    sys.exit()

# Derive keylen bytes from the passphrase and salt
s2 = pbkdf2(st, salt, rounds, keylen=keylen, prf=method)
print("String:\t\t", st)
print("Salt:\t\t", salt)
print("Rounds:\t\t", rounds)
print("Key length:\t", keylen)
print("Method:\t\t", method)
print("\nHash: ", s2.hex())
# d184a269b4ea26dec12ed35e432e7d687a3b2b767a74e6b01b4009f991eda6dfbcc5f98e31409db7560a5640698094dcc190a0532f1360972e4cf3a8b594f936

A sample run is:

String:		 passwordPASSWORDpassword
Salt: saltSALTsaltSALTsaltSALTsaltSALTsalt
Rounds: 4096
Key length: 25
Method: hmac-SHA256
Hash:  348c89dbcbd32b2f32d814b8116e84cf2b17347ebc1800181c
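
An added example, not part of the original article: PBKDF2 written out from RFC 2898 so the round loop that makes it slow is visible, checked against the vectors listed above and against Python's hashlib.pbkdf2_hmac. The DK values listed above are what HMAC-SHA256 (the method shown in the sample run) produces for those inputs, so the check uses SHA-256; the names pbkdf2, VECTORS and check_vectors are this example's own.

```python
import hashlib
import hmac
import struct

def pbkdf2(password: bytes, salt: bytes, rounds: int, dklen: int,
           digest: str = "sha256") -> bytes:
    """PBKDF2 as specified in RFC 2898, section 5.2, with HMAC as the PRF."""
    hlen = hashlib.new(digest).digest_size
    # Key HMAC once and copy it, so the password is not re-hashed every round.
    keyed = hmac.new(password, digestmod=digest)

    def prf(data: bytes) -> bytes:
        h = keyed.copy()
        h.update(data)
        return h.digest()

    out = b""
    blocks = -(-dklen // hlen)              # ceil(dklen / hlen)
    for i in range(1, blocks + 1):
        # U_1 = PRF(P, S || INT(i)); U_j = PRF(P, U_{j-1})
        u = prf(salt + struct.pack(">I", i))
        t = int.from_bytes(u, "big")
        for _ in range(rounds - 1):         # each extra round costs one more HMAC
            u = prf(u)
            t ^= int.from_bytes(u, "big")   # T_i = U_1 xor U_2 xor ... xor U_c
        out += t.to_bytes(hlen, "big")
    return out[:dklen]

# Inputs and DK values copied from the vectors listed above.
VECTORS = [
    (b"password", b"salt", 1, 20, "120fb6cffcf8b32c43e7225256c4f837a86548c9"),
    (b"password", b"salt", 2, 20, "ae4d0c95af6b46d32d0adff928f06dd02a303f8e"),
    (b"password", b"salt", 4096, 20, "c5e478d59288c841aa530db6845c4c8d962893a0"),
    (b"passwordPASSWORDpassword", b"saltSALTsaltSALTsaltSALTsaltSALTsalt",
     4096, 25, "348c89dbcbd32b2f32d814b8116e84cf2b17347ebc1800181c"),
]

def check_vectors() -> bool:
    """True if this PBKDF2 matches both the listed DKs and hashlib's output."""
    for pw, salt, c, dklen, expected in VECTORS:
        dk = pbkdf2(pw, salt, c, dklen)
        if dk.hex() != expected:
            return False
        if dk != hashlib.pbkdf2_hmac("sha256", pw, salt, c, dklen):
            return False
    return True

if __name__ == "__main__":
    print("vectors match:", check_vectors())
```

The inner loop cannot be skipped or parallelised within one guess, because each U_j depends on the previous one; that dependency is where the per-guess cost comes from.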

PBKDF2 is defined in RFC 2898 [here]. It is used in many applications: TrueCrypt uses it to generate the key required to read the header information of the encrypted drive, which stores the encryption keys, and WPA-2 [here] uses it to protect the wi-fi password for the pre-shared key. It is also used to protect cryptocurrency wallets. If you’re interested, here’s an overview:

Conclusions

There you go, in an industry where things are made to go faster, PBKDF2 just loves to take things easy.