Key derivation function

Key derivation function

:"KDF" redirects here. For the Nazi organization, see Kraft durch Freude"

In cryptography, a key derivation function (or KDF) is a function which derives one or more secret keys from a secret value and/or other known information such as a password or passphrase. Key derivation functions internally often use a cryptographic hash function.

Uses of KDFs

Key derivation functions are often used in conjunction with non-secret parameters to derive one or more keys from a common secret value. Such use may prevent an attacker who obtains a derived key from learning useful information about either the input secret value or any of the other derived keys. A KDF may also be used to ensure that derived keys have other desirable properties, such as avoiding "weak keys" in some specific encryption systems.

Key derivation functions are often used as components of multi-party key-agreement protocols.Examples of such key derivation functions include KDF1, defined in IEEE Std 1363-2000, and similar functions in ANSI X9.42.

Key derivation functions are also used to derive keys from secret passwords or passphrases.

Password-based key derivation functions

Key derivation functions are also used in applications to derive keys from secret passwords or passphrases, which typically do not have the desired properties to be used directly as cryptographic keys. In such applications, it is generally recommended that the key derivation function be made deliberately slow so as to frustrate brute-force attack or dictionary attack on the password or passphrase input value.

Such use may be expressed as DK=KDF(Key, Salt, Iterations) where DK is the derived key, KDF is the key derivation function, Key is the original key or password, Salt is a random number which acts as cryptographic salt, and Iterations refers to the number of iterations of a sub-function. The derived key is used instead of the original key or password as the key to the system. The values of the salt and the number of iterations (if it isn't fixed) are stored with the hashed password or sent as plaintext with an encrypted message.

The difficulty of a brute force attack increases with the number of iterations. A practical limit on the iteration count is the unwillingness of users to tolerate a perceptible delay in logging in to a computer or seeing a decrypted message. The use of salt prevents the attackers from precomputing a dictionary of derived keys.

The first deliberately-slow password-based key derivation function was called "crypt" (or "crypt(3)" after its man page), and was invented by Robert Morris in the 1980s to encrypt Unix passwords. While it was a great advance at the time, increases in processor speeds since the PDP-11 era have made brute-force attacks against crypt feasible, and advances in storage have rendered the 12-bit salt inadequate. The crypt function's design also limits the user password to 8 characters, which limits the keyspace and makes strong passphrases impossible.

Modern password-based key derivation functions, such as PBKDF2 (specified in RFC 2898), use a cryptographic hash, such as MD5 or SHA1, more salt (e.g. 64 bits) and a high iteration count (often 1000 or more). There have been proposals to use algorithms that require large amounts of computer memory and other computing resources to make custom hardware attacks more difficult to mount.


* cite web
last = B.| first = Kaliski
authorlink = Burt Kaliski
coauthors = RSA Laboratories
title = PKCS #5: Password-Based Cryptography Specification Version 2.0
publisher = IETF
date = 2000-09
url =
format = HTML
work = RFC 2898
accessdate = 2007-07-27

Wikimedia Foundation. 2010.

Look at other dictionaries:

  • Key strengthening — In cryptography, key strengthening or key stretching refer to techniques used to make a possibly weak key, typically a password or passphrase, more secure against a brute force attack by increasing the time it takes to test each possible key.… …   Wikipedia

  • Key (cryptography) — In cryptography, a key is a piece of information (a parameter) that determines the functional output of a cryptographic algorithm or cipher. Without a key, the algorithm would produce no useful result. In encryption, a key specifies the… …   Wikipedia

  • Derivation of the conjugate gradient method — In numerical linear algebra, the conjugate gradient method is an iterative method for numerically solving the linear system where is symmetric positive definite. The conjugate gradient method can be derived from several different perspectives,… …   Wikipedia

  • List of cryptographic key types — This glossary lists types of keys as the term is used in cryptography, as opposed to door locks. Terms that are primarily used by the U.S. National Security Agency are marked (NSA) . For classification of keys according to their usage see… …   Wikipedia

  • Glossary of cryptographic key types — This glossary lists types of keys as the term is used in cryptography, as opposed to door locks. Terms that are primarily used by the U.S. National Security Agency are marked (NSA). For classification of keys according to their usage see… …   Wikipedia

  • Cryptographic hash function — A cryptographic hash function (specifically, SHA 1) at work. Note that even small changes in the source input (here in the word over ) drastically change the resulting output, by the so called avalanche effect. A cryptographic hash function is a… …   Wikipedia

  • Derived unique key per transaction — In cryptography, Derived Unique Key Per Transaction (DUKPT) is a key management scheme in which for every transaction, a unique key is used which is derived from a fixed key. Therefore, if a derived key is compromised, future and past transaction …   Wikipedia

  • Secure Real-time Transport Protocol — The Secure Real time Transport Protocol (or SRTP) defines a profile of RTP (Real time Transport Protocol), intended to provide encryption, message authentication and integrity, and replay protection to the RTP data in both unicast and multicast… …   Wikipedia

  • PBKDF2 — (Password Based Key Derivation Function) is a key derivation function that is part of RSA Laboratories Public Key Cryptography Standards (PKCS) series, specifically PKCS #5 v2.0, also published as Internet Engineering Task Force s RFC 2898. It… …   Wikipedia

  • RSA-KEM — (RSA Key Encapsulation Method)  механизм шифрования ключа для передачи в криптосистемах с открытым ключом. Содержание 1 Описание 1.1 Введение 1.2 Параметры …   Википедия

Share the article and excerpts

Direct link
Do a right-click on the link above
and select “Copy Link”

We are using cookies for the best presentation of our site. Continuing to use this site, you agree with this.