On the Weaknesses of PBKDF2

  • Conference paper

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 9476))

Abstract

Password-based key derivation functions are of particular interest in cryptography because they (a) take as input a password/passphrase (which usually is short and lacks sufficient entropy) and derive a cryptographic key from it; and (b) slow down brute-force and dictionary attacks as much as possible. In PKCS#5 [17], RSA Laboratories described a password-based key derivation function called PBKDF2 that has been widely adopted in many security-related applications [6, 7, 11]. In order to slow down brute-force attacks, PBKDF2 introduces CPU-intensive operations based on an iterated pseudorandom function. By default, this pseudorandom function is HMAC-SHA-1. In this paper we show that, if HMAC-SHA-1 is computed in a standard mode without following the performance improvements described in the implementation notes of RFC 2104 [13] and FIPS 198-1 [14], an attacker is able to avoid 50 % of PBKDF2's CPU-intensive operations by replacing them with precomputed values. We note that a number of well-known and widely used crypto libraries are subject to this vulnerability. In addition to this vulnerability, we describe some other minor optimizations that an attacker can exploit to further reduce the key derivation time.
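The following Python is an added illustration, not code from the paper: it derives the first PBKDF2-HMAC-SHA1 block in the "standard mode" the abstract describes (every HMAC call re-hashes the 64-byte padded key) and in the RFC 2104 form (the hash states after absorbing key^ipad and key^opad are computed once and cloned), and counts SHA-1 compression-function calls for each. Both paths derive the same key, but the counter shows that standard mode spends twice as many compression calls per iteration, which is the 50 % gap an implementer closes by using the precomputed form for the legitimate derivation. The block count assumes SHA-1's 64-byte block and 9-byte minimum padding; the function name and the single-output-block restriction are my own choices.

```python
import hashlib
import struct

BLOCK = 64    # SHA-1 block size in bytes
DIGEST = 20   # SHA-1 digest size in bytes


def sha1_blocks(msg_len):
    # Compression-function calls to hash msg_len bytes, SHA-1 padding included.
    return (msg_len + 9 + BLOCK - 1) // BLOCK


def pbkdf2_sha1_block1(password, salt, iterations, precompute):
    """First PBKDF2-HMAC-SHA1 output block (dkLen <= 20); returns (key, calls).
    precompute=False is "standard mode": every HMAC re-hashes the padded key.
    precompute=True follows the RFC 2104 note: the hash states after absorbing
    key^ipad and key^opad are computed once and cloned for every PRF call."""
    if len(password) > BLOCK:
        password = hashlib.sha1(password).digest()
    key = password.ljust(BLOCK, b"\x00")
    k_ipad = bytes(b ^ 0x36 for b in key)
    k_opad = bytes(b ^ 0x5C for b in key)
    calls = 0
    if precompute:
        inner0, outer0 = hashlib.sha1(k_ipad), hashlib.sha1(k_opad)
        calls += 2  # the two key blocks are absorbed once per derivation

    def prf(msg):
        nonlocal calls
        if precompute:
            inner = inner0.copy()
            inner.update(msg)
            outer = outer0.copy()
            outer.update(inner.digest())
            # only the message and padding blocks remain to be compressed
            calls += sha1_blocks(BLOCK + len(msg)) - 1 + sha1_blocks(BLOCK + DIGEST) - 1
        else:
            inner = hashlib.sha1(k_ipad + msg)
            outer = hashlib.sha1(k_opad + inner.digest())
            calls += sha1_blocks(BLOCK + len(msg)) + sha1_blocks(BLOCK + DIGEST)
        return outer.digest()

    u = prf(salt + struct.pack(">I", 1))  # U_1 = PRF(P, S || INT(1))
    t = bytearray(u)
    for _ in range(iterations - 1):       # U_i = PRF(P, U_{i-1}); T_1 = XOR of all U_i
        u = prf(u)
        for i in range(DIGEST):
            t[i] ^= u[i]
    return bytes(t), calls
```

With the RFC 6070 vector (password "password", salt "salt", 4096 iterations) the standard mode costs 4 compression calls per iteration and the precomputed form 2 per iteration plus 2 once, so an attacker who precomputes pays roughly half of what a standard-mode defender pays for the same iteration count.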

Notes

  1. At the time of writing this represents 58 % of the Android device market share (see developer.android.com).

  2. Readers should note that the weakness is independent of the hash function used and remains valid with any other.

References

  1. ARM mbed TLS, Version: 1.3.11. https://tls.mbed.org/

  2. EncFS Encrypted Filesystem. https://sites.google.com/a/arg0.net/www/encfs

  3. GNU GRUB Manual, Version: 2.00. http://www.gnu.org/software/grub/manual/grub.html

  4. Libgcrypt, Version: 1.6.3. https://www.gnu.org/software/libgcrypt/

  5. RAR Archive Format, Version: 5.0. http://www.rarlab.com/technote.htm

  6. Apple Inc.: Best Practices for Deploying FileVault 2. Technical report (2012). http://training.apple.com/pdf/WP_FileVault2.pdf

  7. Bossi, S., Visconti, A.: What users should know about full disk encryption based on LUKS. In: Proceedings of the 14th International Conference on Cryptology and Network Security (2015)

  8. Choudary, O., Grobert, F., Metz, J.: Infiltrate the Vault: Security Analysis and Decryption of Lion Full Disk Encryption. Cryptology ePrint Archive, Report 2012/374 (2012). https://eprint.iacr.org/2012/374.pdf

  9. Fruhwirth, C.: New methods in hard disk encryption (2005). http://clemens.endorphin.org/nmihde/nmihde-A4-ds.pdf

  10. Fruhwirth, C.: LUKS On-Disk Format Specification Version 1.2.1 (2011). http://wiki.cryptsetup.googlecode.com/git/LUKS-standard/on-disk-format.pdf

  11. IEEE 802.11 WG: Part 11: wireless LAN medium access control (MAC) and physical layer (PHY) specifications. IEEE Std 802.11 i-2004 (2004)

  12. Krawczyk, H.: Cryptographic Extraction and Key Derivation: The HKDF Scheme. Cryptology ePrint Archive, Report 2010/264 (2010)

  13. Krawczyk, H., Bellare, M., Canetti, R.: RFC 2104: HMAC: Keyed-hashing for message authentication (1997)

  14. NIST: FIPS PUB 198: The Keyed-Hash Message Authentication Code (HMAC) (2002)

  15. NIST: SP 800-132: Recommendation for password-based key derivation (2010)

  16. NIST: SP 800-63-2 Version 2: Electronic authentication guideline (2013)

  17. RSA Laboratories: PKCS #5 V2.1: Password Based Cryptography Standard (2012)

  18. Shannon, C.E.: Prediction and entropy of printed English. Bell Syst. Tech. J. 30(1), 50–64 (1951)

  19. Steube, J.: Optimizing computation of Hash-Algorithms as an attacker (2013). http://hashcat.net/events/p13/js-ocohaaaa.pdf

Corresponding author

Correspondence to Andrea Visconti.

Copyright information

© 2015 Springer International Publishing Switzerland

Cite this paper

Visconti, A., Bossi, S., Ragab, H., Calò, A. (2015). On the Weaknesses of PBKDF2. In: Reiter, M., Naccache, D. (eds) Cryptology and Network Security. CANS 2015. Lecture Notes in Computer Science, vol 9476. Springer, Cham. https://doi.org/10.1007/978-3-319-26823-1_9

  • DOI: https://doi.org/10.1007/978-3-319-26823-1_9

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-26822-4

  • Online ISBN: 978-3-319-26823-1

  • eBook Packages: Computer Science (R0)