On the Weaknesses of PBKDF2

  • Andrea Visconti
  • Simone Bossi
  • Hany Ragab
  • Alexandro Calò
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9476)


Abstract

Password-based key derivation functions are of particular interest in cryptography because they (a) take as input a password or passphrase (which is usually short and lacks sufficient entropy) and derive a cryptographic key from it, and (b) slow down brute-force and dictionary attacks as much as possible. In PKCS#5 [17], RSA Laboratories described a password-based key derivation function called PBKDF2 that has been widely adopted in many security-related applications [6, 7, 11]. In order to slow down brute-force attacks, PBKDF2 introduces CPU-intensive operations based on an iterated pseudorandom function; by default, this pseudorandom function is HMAC-SHA-1. In this paper we show that, if HMAC-SHA-1 is computed in a standard mode without following the performance improvements described in the implementation notes of RFC 2104 [13] and FIPS 198-1 [14], an attacker is able to avoid 50 % of PBKDF2's CPU-intensive operations by replacing them with precomputed values. We note that a number of well-known and widely used crypto libraries are subject to this vulnerability. In addition to this vulnerability, we describe some other minor optimizations that an attacker can exploit to further reduce the key derivation time.
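The mechanism the abstract describes, as an added example that is not part of the paper: a PBKDF2-HMAC-SHA1 implementation that can run in "standard mode" (the HMAC is rebuilt from the raw password on every iteration, so the 64-byte K^ipad and K^opad blocks are hashed again each time) or with the SHA-1 states after those two blocks precomputed once and cloned, which is the implementation note of RFC 2104 and FIPS 198-1. Both modes return the same key; the code also counts SHA-1 compression-function calls analytically from the number of bytes hashed, so the factor of two in work per iteration is visible. The function names, the call accounting and the use of the RFC 6070 test-vector inputs as sample input are mine. The defensive reading is that a library which precomputes the two key states pays the same per-iteration cost an attacker pays, so the iteration count buys the protection it is supposed to.

```python
"""PBKDF2-HMAC-SHA1 with and without the RFC 2104 key-state precomputation."""
import hashlib
import struct

BLOCK_SIZE = 64    # SHA-1 block size in bytes
DIGEST_SIZE = 20   # SHA-1 digest size in bytes


def compressions_for(nbytes):
    """SHA-1 compression calls needed to hash nbytes, including the
    mandatory padding (one 0x80 byte plus an 8-byte length field)."""
    return (nbytes + 8) // BLOCK_SIZE + 1


def hmac_key_block(password):
    """Normalise the HMAC key to exactly one block, as RFC 2104 specifies."""
    if len(password) > BLOCK_SIZE:
        password = hashlib.sha1(password).digest()
    return password.ljust(BLOCK_SIZE, b"\x00")


def pbkdf2_hmac_sha1(password, salt, iterations, dklen, precompute):
    """PBKDF2 (PKCS#5 v2.1) with HMAC-SHA-1 as the PRF.

    Returns (derived_key, compression_calls).  With precompute=False the
    HMAC is rebuilt from the key on every PRF call, so K^ipad and K^opad
    are hashed again each time.  With precompute=True the SHA-1 states
    after those two blocks are computed once and cloned per call.
    """
    key = hmac_key_block(password)
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    calls = 0

    if precompute:
        inner_state = hashlib.sha1(ipad)   # state after absorbing K^ipad
        outer_state = hashlib.sha1(opad)   # state after absorbing K^opad
        calls += 2                          # paid once for the whole derivation

    def prf(msg):
        nonlocal calls
        inner_len = BLOCK_SIZE + len(msg)      # bytes covered by the inner hash
        outer_len = BLOCK_SIZE + DIGEST_SIZE   # bytes covered by the outer hash
        if precompute:
            h = inner_state.copy()
            h.update(msg)
            o = outer_state.copy()
            o.update(h.digest())
            # The first block of each hash was absorbed up front, so only the
            # remaining blocks are paid here.
            calls += (compressions_for(inner_len) - 1) + (compressions_for(outer_len) - 1)
            return o.digest()
        inner = hashlib.sha1(ipad + msg).digest()
        calls += compressions_for(inner_len) + compressions_for(outer_len)
        return hashlib.sha1(opad + inner).digest()

    derived = b""
    block_index = 1
    while len(derived) < dklen:
        u = prf(salt + struct.pack(">I", block_index))   # U_1 = PRF(P, S || INT(i))
        t = bytearray(u)
        for _ in range(iterations - 1):
            u = prf(u)                                    # U_j = PRF(P, U_{j-1})
            t = bytearray(a ^ b for a, b in zip(t, u))    # T_i = U_1 xor ... xor U_c
        derived += bytes(t)
        block_index += 1
    return derived[:dklen], calls


def compare(password, salt, iterations, dklen=DIGEST_SIZE):
    """Derive the key both ways, cross-check against hashlib, and report
    how much of the work the precomputation removes."""
    key_naive, naive_calls = pbkdf2_hmac_sha1(password, salt, iterations, dklen, False)
    key_fast, fast_calls = pbkdf2_hmac_sha1(password, salt, iterations, dklen, True)
    reference = hashlib.pbkdf2_hmac("sha1", password, salt, iterations, dklen)
    if not (key_naive == key_fast == reference):
        raise ValueError("PBKDF2 implementations disagree")
    return {
        "key": key_fast.hex(),
        "naive_calls": naive_calls,
        "precomputed_calls": fast_calls,
        "saved_fraction": 1 - fast_calls / naive_calls,
    }


if __name__ == "__main__":
    # Constructed sample input: the RFC 6070 PBKDF2-HMAC-SHA1 test vector inputs.
    print(compare(b"password", b"salt", 4096))
```

With the RFC 6070 inputs every PRF call in standard mode costs four SHA-1 compressions (two for the inner hash, two for the outer), while the precomputed variant costs two per call plus two once, which is the 50 % the abstract refers to. Longer salts raise the first iteration's cost slightly in both modes but leave the per-iteration ratio unchanged.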


Keywords: Key derivation function · CPU-intensive operations · Passwords · PKCS#5 · Optimizations


References

  1. ARM mbed TLS, Version: 1.3.11.
  2.
  3. GNU GRUB Manual, Version: 2.00.
  4. Libgcrypt, Version: 1.6.3.
  5. RAR Archive Format, Version: 5.0.
  6. Apple Inc.: Best Practices for Deploying FileVault 2. Technical report (2012).
  7. Bossi, S., Visconti, A.: What users should know about full disk encryption based on LUKS. In: Proceedings of the 14th International Conference on Cryptology and Network Security (2015).
  8. Choudary, O., Grobert, F., Metz, J.: Infiltrate the Vault: Security Analysis and Decryption of Lion Full Disk Encryption. Cryptology ePrint Archive, Report 2012/374 (2012).
  9. Fruhwirth, C.: New methods in hard disk encryption (2005).
  10. Fruhwirth, C.: LUKS On-Disk Format Specification Version 1.2.1 (2011).
  11. IEEE 802.11 WG: Part 11: Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications. IEEE Std 802.11i-2004 (2004).
  12. Krawczyk, H.: Cryptographic Extraction and Key Derivation: The HKDF Scheme. Cryptology ePrint Archive, Report 2010/264 (2010).
  13. Krawczyk, H., Bellare, M., Canetti, R.: RFC 2104: HMAC: Keyed-Hashing for Message Authentication (1997).
  14. NIST: FIPS PUB 198: The Keyed-Hash Message Authentication Code (HMAC) (2002).
  15. NIST: SP 800-132: Recommendation for Password-Based Key Derivation (2010).
  16. NIST: SP 800-63-2 Version 2: Electronic Authentication Guideline (2013).
  17. RSA Laboratories: PKCS #5 v2.1: Password-Based Cryptography Standard (2012).
  18. Shannon, C.E.: Prediction and entropy of printed English. Bell Syst. Tech. J. 30(1), 50–64 (1951).
  19. Steube, J.: Optimizing computation of Hash-Algorithms as an attacker (2013).

Copyright information

© Springer International Publishing Switzerland 2015

Authors and Affiliations

  • Andrea Visconti (1)
  • Simone Bossi (1)
  • Hany Ragab (1)
  • Alexandro Calò (1)
  1. Department of Computer Science, Università degli Studi di Milano, Milan, Italy
