This section specifies the method for deriving a cryptographic key from a password using the Password-Based Key Derivation Function 2 (PBKDF2). The PBKDF2 algorithm is designed to produce keys that are computationally intensive to derive, thereby providing a defense against attacks such as dictionary attacks and brute force.
PBKDF2 applies a pseudorandom function (PRF) to the input password along with a salt value and iterates this process a specified number of times to produce a derived key. The iteration count is a critical security parameter and should be chosen with consideration to the desired level of security and the performance constraints of the system.
Further details on the key derivation algorithm are given in the PBKDF2 specification RFC-2898 and PBKDF2 Test Vectors RFC-6070
The security of PBKDF2 is directly related to the number of iterations, the strength of the PRF, and the length and randomness of the salt. It is recommended to use a salt that is unique to each derivation process to prevent the use of precomputed tables for deriving keys.
As per NIST SP 800-132, it is recommended to use at least 10,000 iterations for PBKDF2 when deriving keys for non-interactive applications. However, this value should be increased as computational power advances to ensure the security of the derived keys.
This section delineates the methodology for deriving cryptographic keys via the memory-hard key derivation function, Argon2. Recognized as the winner of the Password Hashing Competition in 2015, Argon2 is engineered to resist attacks from both specialized hardware and parallel computing, making it a robust choice for password hashing and key derivation.
Argon2 is a high-level key derivation function that operates with three distinct variants: Argon2d, Argon2i, and Argon2id, each tailored for different security applications. The function utilizes a large memory size, parallelism, and a variable number of iterations to thwart off-line brute-force attacks.
Memory Size: The amount of memory used by the algorithm. Iterations: The number of iterations the function is to perform. Parallelism: The number of threads and lanes that the algorithm utilizes. Salt: A unique sequence of bytes used as an input to the hash function. Tag Length: The desired length of the output key. Secret Value: An optional secret value that can be used as a key for HMAC when generating the hash.
Assign the memory to a matrix of blocks. Fill the matrix with hashes derived from the password, salt, and optional secret. Perform the specified number of iterations, mixing the blocks both within and between threads. Extract the tag of the requested length as the output of the function.
Further details on the key derivation algorithm are given in the argon2 specification and RFC-9106
The selection between Argon2d, Argon2i, and Argon2id should be made according to the threat model:
Argon2d maximizes resistance to GPU cracking attacks and is suitable for cryptocurrencies and applications without a threat from side-channel attacks. Argon2i is optimized to resist side-channel attacks and is preferable for password hashing and key derivation where the input is not secret. Argon2id is a hybrid that combines the resistance to side-channel attacks of Argon2i with the GPU cracking resistance of Argon2d, suitable for applications that require a balance of both.
As per current best practices, it is advised to allocate as much memory as is practical for the application and at least two iterations. The parallelism should be set according to the number of available processor cores. The salt should be a unique, cryptographically secure random value for each password.