Fixed-point arithmetic: Difference between revisions
en>Atcold m →Representation: minus instead of dash! |
|||
| Line 1: | Line 1: | ||
In [[cryptography]], a '''key derivation function''' (or KDF) derives one or more [[key (cryptography)|secret key]]s from a secret value such as a master key or other known information such as a [[password]] or [[passphrase]] using a [[pseudo-random function]].<ref>{{cite book|author=Bezzi, Michele et al|chapter=Data privacy|editors=Camenisch, Jan et al|title=Privacy and Identity Management for Life|publisher=Springer|year=2011|isbn=9783642203176|pages=185–186|url=http://books.google.com/books?id=vYxzh3C6OPUC&pg=PA185}}</ref><ref>{{cite web|author=Kaliski, Burt|coauthor=[[RSA Laboratories]]|title=RFC 2898 -- PKCS #5: Password-Based Cryptography Specification, Version 2.0|work=IETF|date=|url=https://www.ietf.org/rfc/rfc2898.txt}}</ref> Keyed [[cryptographic hash function]]s are popular examples of pseudo-random functions used for key derivation.<ref>{{cite book|author=Zdziarski, Jonathan|title=Hacking and Securing IOS Applications: Stealing Data, Hijacking Software, and How to Prevent It|publisher=O'Reilly Media|year=2012|isbn=9781449318741|pages=252–253|url=http://books.google.com/books?id=2D50GNA1ULsC&pg=PA252}}</ref> | |||
==Uses of KDFs== | |||
Key derivation functions are often used in conjunction with non-secret parameters to derive one or more keys from a common secret value (which is sometimes also referred to as "key diversification"). Such use may prevent an attacker who obtains a derived key from learning useful information about either the input secret value or any of the other derived keys. A KDF may also be used to ensure that derived keys have other desirable properties, such as avoiding "weak keys" in some specific encryption systems. | |||
The most common use of KDFs is the '''password hashing''' approach to [[cryptographic hash function#Password verification | password verification]], as used by the [[passwd]] file or [[shadow password]] file. | |||
KDFs happen to have the characteristics desired for a "password hash function", even though they weren't originally designed for this purpose. | |||
The non-secret parameters are called "[[salt (cryptography)|salt]]" in this context. | |||
In 2013 a "[[Password Hashing Competition]]" was announced to choose a new, standard algorithm for password hashing.<ref> | |||
[https://password-hashing.net "Password Hashing Competition"] | |||
</ref> | |||
Key derivation functions are often used as components of multiparty [[key-agreement protocol]]s. | |||
Examples of such key derivation functions include KDF1, defined in [[IEEE P1363|IEEE Std 1363-2000]], and similar functions in ANSI X9.42. | |||
Key derivation functions are also used to derive keys from secret passwords or passphrases. | |||
The "HMAC-based Extract-and-Expand Key Derivation Function" or "HKDF" specified in RFC 5869<ref>{{cite web|author=Krawczyk, H. & Eronen, P.|title= RFC 5869 -- HMAC-based Extract-and-Expand Key Derivation Function (HKDF)|publisher=IETF|date=May 2010|url=https://tools.ietf.org/html/rfc5869}}</ref> is a simple [[HMAC]]-based KDF, which can be used as a building block in various protocols and applications. | |||
===Key stretching=== | |||
{{main|Key stretching}} | |||
Key derivation functions are also used in applications to derive keys from secret passwords or passphrases, which typically do not have the desired properties to be used directly as cryptographic keys. In such applications, it is generally recommended that the key derivation function be made deliberately slow so as to frustrate [[brute-force attack]] or [[dictionary attack]] on the password or passphrase input value. | |||
Such use may be expressed as <math>\mathrm{DK}=\mathrm{KDF}(\mathrm{Key}, \mathrm{Salt}, \mathrm{Iterations})</math> where <math>\mathrm{DK}</math> is the derived key, <math>\mathrm{KDF}</math> is the key derivation [[subroutine|function]], <math>\mathrm{Key}</math> is the original key or password, <math>\mathrm{Salt}</math> is a random number which acts as cryptographic [[salt (cryptography)|salt]], and <math>\mathrm{Iterations}</math> refers to the number of [[iteration]]s of a sub-function. The derived key is used instead of the original key or password as the key to the system. The values of the salt and the number of iterations (if it isn't fixed) are stored with the hashed password or sent as plaintext with an encrypted message.{{citation needed|date=July 2013}} | |||
The difficulty of a [[brute force attack]] increases with the number of iterations. A practical limit on the iteration count is the unwillingness of users to tolerate a perceptible delay in logging in to a computer or seeing a decrypted message. The use of [[salt (cryptography)|salt]] prevents the attackers from precomputing a dictionary of derived keys.{{citation needed|date=July 2013}} | |||
An alternative approach, called '''key strengthening''', extends the key with a random salt, but then (unlike in key stretching) securely deletes the salt. This forces both the attacker and legitimate users to perform a brute-force search for the salt value.<ref>U. Manber, "A Simple Scheme to Make Passwords Based on One-Way Functions Much Harder to Crack," Computers & Security, v.15, n.2, 1996, pp.171-176.</ref> Although the paper that introduced key stretching <ref name="low-entropy">[http://www.schneier.com/paper-low-entropy.html Secure Applications of Low-Entropy Keys], [[John Kelsey (cryptanalyst)|J. Kelsey]], [[Bruce Schneier|B. Schneier]], C. Hall, and [[David A. Wagner|D. Wagner]] (1997)</ref> referred to this earlier technique and intentionally chose a different name, the term "key strengthening" is now often (arguably incorrectly) used to refer to key stretching. | |||
The first deliberately slow (key stretching) password-based key derivation function was called "[[Crypt (C)|crypt]]" (or "crypt(3)" after its [[Manual page (Unix)|man page]]), and was invented by [[Robert Morris (cryptographer)|Robert Morris]] in 1978 to encrypt{{Clarify|date=January 2014|reason=Does it really "encrypt" if it's never intended to be decrypted?}} [[Unix]] passwords.<ref>{{cite web | url=http://cm.bell-labs.com/cm/cs/who/dmr/passwd.ps | title=Password Security: A Case History. | work=Bell Laboratories | author=Morris, Robert; Thompson, Ken | date=1978-04-03 | accessdate=2011-05-09 }}</ref> While it was a great advance at the time, increases in processor speeds since the [[PDP-11]] era have made [[brute force attack|brute-force attacks]] against crypt feasible, and advances in storage have rendered the 12-bit salt inadequate. The crypt function's design also limits the user password to 8 characters, which limits the keyspace and makes strong [[passphrase]]s impossible.{{citation needed|date=July 2013}} | |||
Modern password-based key derivation functions, such as [[PBKDF2]] (specified in RFC 2898), use a cryptographic hash, such as [[MD5]] or [[SHA1]], more salt (e.g. 64 bits and greater) and a high iteration count (often 1000 or more). [[NIST]] requires at least 128 bits of random salt and a NIST-approved cryptographic function, such as the SHA series or AES (MD5 is not approved).<ref>[http://csrc.nist.gov/publications/nistpubs/800-132/nist-sp800-132.pdf NIST SP 800-132] Section 5.1</ref> There have been proposals to use algorithms that require large amounts of computer memory and other computing resources to make [[custom hardware attack]]s more difficult to mount. One concrete instance of such an algorithm is the [[scrypt]] function, based on the concept of ''sequential memory-hard functions'',<ref>http://www.tarsnap.com/scrypt/</ref> which is used for additional securing private keys by passphrase in the [[tarsnap]] backup system. | |||
== References == | |||
{{more footnotes|date=July 2013}} | |||
{{Reflist}} | |||
== Further reading == | |||
* {{cite web | |||
| last = Percival| first = Colin | |||
| title = Stronger Key Derivation via Sequential Memory-Hard Functions | |||
| date = May 2009 | |||
| url = http://www.tarsnap.com/scrypt/scrypt.pdf | |||
| format = PDF | |||
| work = BSDCan'09 Presentation | |||
| accessdate = 2009-05-19 }} | |||
* [http://www.di-mgt.com.au/cryptoKDFs.html Key Derivation Functions] | |||
{{Cryptography navbox}} | |||
{{DEFAULTSORT:Key Derivation Function}} | |||
[[Category:Key management]] | |||
[[Category:Key derivation functions|*]] | |||
Revision as of 21:38, 13 December 2013
In cryptography, a key derivation function (or KDF) derives one or more secret keys from a secret value such as a master key or other known information such as a password or passphrase using a pseudo-random function.[1][2] Keyed cryptographic hash functions are popular examples of pseudo-random functions used for key derivation.[3]
Uses of KDFs
Key derivation functions are often used in conjunction with non-secret parameters to derive one or more keys from a common secret value (which is sometimes also referred to as "key diversification"). Such use may prevent an attacker who obtains a derived key from learning useful information about either the input secret value or any of the other derived keys. A KDF may also be used to ensure that derived keys have other desirable properties, such as avoiding "weak keys" in some specific encryption systems.
The most common use of KDFs is the password hashing approach to password verification, as used by the passwd file or shadow password file. KDFs happen to have the characteristics desired for a "password hash function", even though they weren't originally designed for this purpose. The non-secret parameters are called "salt" in this context. In 2013 a "Password Hashing Competition" was announced to choose a new, standard algorithm for password hashing.[4]
Key derivation functions are often used as components of multiparty key-agreement protocols. Examples of such key derivation functions include KDF1, defined in IEEE Std 1363-2000, and similar functions in ANSI X9.42.
Key derivation functions are also used to derive keys from secret passwords or passphrases.
The "HMAC-based Extract-and-Expand Key Derivation Function" or "HKDF" specified in RFC 5869[5] is a simple HMAC-based KDF, which can be used as a building block in various protocols and applications.
Key stretching
Mining Engineer (Excluding Oil ) Truman from Alma, loves to spend time knotting, largest property developers in singapore developers in singapore and stamp collecting. Recently had a family visit to Urnes Stave Church.
Key derivation functions are also used in applications to derive keys from secret passwords or passphrases, which typically do not have the desired properties to be used directly as cryptographic keys. In such applications, it is generally recommended that the key derivation function be made deliberately slow so as to frustrate brute-force attack or dictionary attack on the password or passphrase input value.
Such use may be expressed as where is the derived key, is the key derivation function, is the original key or password, is a random number which acts as cryptographic salt, and refers to the number of iterations of a sub-function. The derived key is used instead of the original key or password as the key to the system. The values of the salt and the number of iterations (if it isn't fixed) are stored with the hashed password or sent as plaintext with an encrypted message.Potter or Ceramic Artist Truman Bedell from Rexton, has interests which include ceramics, best property developers in singapore developers in singapore and scrabble. Was especially enthused after visiting Alejandro de Humboldt National Park.
The difficulty of a brute force attack increases with the number of iterations. A practical limit on the iteration count is the unwillingness of users to tolerate a perceptible delay in logging in to a computer or seeing a decrypted message. The use of salt prevents the attackers from precomputing a dictionary of derived keys.Potter or Ceramic Artist Truman Bedell from Rexton, has interests which include ceramics, best property developers in singapore developers in singapore and scrabble. Was especially enthused after visiting Alejandro de Humboldt National Park.
An alternative approach, called key strengthening, extends the key with a random salt, but then (unlike in key stretching) securely deletes the salt. This forces both the attacker and legitimate users to perform a brute-force search for the salt value.[6] Although the paper that introduced key stretching [7] referred to this earlier technique and intentionally chose a different name, the term "key strengthening" is now often (arguably incorrectly) used to refer to key stretching.
The first deliberately slow (key stretching) password-based key derivation function was called "crypt" (or "crypt(3)" after its man page), and was invented by Robert Morris in 1978 to encryptTemplate:Clarify Unix passwords.[8] While it was a great advance at the time, increases in processor speeds since the PDP-11 era have made brute-force attacks against crypt feasible, and advances in storage have rendered the 12-bit salt inadequate. The crypt function's design also limits the user password to 8 characters, which limits the keyspace and makes strong passphrases impossible.Potter or Ceramic Artist Truman Bedell from Rexton, has interests which include ceramics, best property developers in singapore developers in singapore and scrabble. Was especially enthused after visiting Alejandro de Humboldt National Park.
Modern password-based key derivation functions, such as PBKDF2 (specified in RFC 2898), use a cryptographic hash, such as MD5 or SHA1, more salt (e.g. 64 bits and greater) and a high iteration count (often 1000 or more). NIST requires at least 128 bits of random salt and a NIST-approved cryptographic function, such as the SHA series or AES (MD5 is not approved).[9] There have been proposals to use algorithms that require large amounts of computer memory and other computing resources to make custom hardware attacks more difficult to mount. One concrete instance of such an algorithm is the scrypt function, based on the concept of sequential memory-hard functions,[10] which is used for additional securing private keys by passphrase in the tarsnap backup system.
References
Template:More footnotes 43 year old Petroleum Engineer Harry from Deep River, usually spends time with hobbies and interests like renting movies, property developers in singapore new condominium and vehicle racing. Constantly enjoys going to destinations like Camino Real de Tierra Adentro.
Further reading
- ↑ 20 year-old Real Estate Agent Rusty from Saint-Paul, has hobbies and interests which includes monopoly, property developers in singapore and poker. Will soon undertake a contiki trip that may include going to the Lower Valley of the Omo.
My blog: http://www.primaboinca.com/view_profile.php?userid=5889534 - ↑ Template:Cite web
- ↑ 20 year-old Real Estate Agent Rusty from Saint-Paul, has hobbies and interests which includes monopoly, property developers in singapore and poker. Will soon undertake a contiki trip that may include going to the Lower Valley of the Omo.
My blog: http://www.primaboinca.com/view_profile.php?userid=5889534 - ↑ "Password Hashing Competition"
- ↑ Template:Cite web
- ↑ U. Manber, "A Simple Scheme to Make Passwords Based on One-Way Functions Much Harder to Crack," Computers & Security, v.15, n.2, 1996, pp.171-176.
- ↑ Secure Applications of Low-Entropy Keys, J. Kelsey, B. Schneier, C. Hall, and D. Wagner (1997)
- ↑ Template:Cite web
- ↑ NIST SP 800-132 Section 5.1
- ↑ http://www.tarsnap.com/scrypt/