Password-based key derivation functions are of particular interest in cryptography because they (a) take a password/passphrase (which is usually short and lacks sufficient entropy) as input and derive a cryptographic key from it; (b) slow down brute-force and dictionary attacks as much as possible. In PKCS#5 [17], RSA Laboratories described a password-based key derivation function called PBKDF2 that has been widely adopted in many security-related applications [6, 7, 11]. In order to slow down brute-force attacks, PBKDF2 introduces CPU-intensive operations based on an iterated pseudorandom function. This pseudorandom function is HMAC-SHA-1 by default. In this paper we show that, if HMAC-SHA-1 is computed in a standard mode without following the performance improvements described in the implementation note of RFC 2104 [13] and FIPS 198-1 [14], an attacker is able to avoid 50% of PBKDF2's CPU-intensive operations by replacing them with precomputed values. We note that a number of well-known and widely-used crypto libraries are subject to this vulnerability. In addition to this vulnerability, we describe some other minor optimizations that an attacker can exploit to reduce the key derivation time even further.
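The 50% saving described above, as an added example that is not part of the paper: a PBKDF2-HMAC-SHA-1 in Python that tallies SHA-1 compression-function calls, once with HMAC computed naively (the padded key re-hashed on every call) and once with the ipad/opad states absorbed a single time as the RFC 2104 implementation note suggests. The names (HmacSha1, pbkdf2_sha1, compare) are mine; both variants are checked against hashlib.pbkdf2_hmac so the count, not the output, is what differs.

```python
import hashlib

BLOCK, OUT = 64, 20          # SHA-1 block and digest size in bytes


def sha1_blocks(nbytes: int) -> int:
    # compressions SHA-1 spends on nbytes: 0x80 plus a 64-bit length are always appended
    return (nbytes + 8) // BLOCK + 1


class HmacSha1:
    """HMAC-SHA-1 that counts SHA-1 compressions; precompute=True absorbs ipad/opad once."""

    def __init__(self, key: bytes, precompute: bool):
        if len(key) > BLOCK:                   # keys longer than a block are hashed first
            key = hashlib.sha1(key).digest()
        key = key.ljust(BLOCK, b"\x00")
        self.ipad = bytes(b ^ 0x36 for b in key)
        self.opad = bytes(b ^ 0x5C for b in key)
        self.precompute, self.compressions = precompute, 0
        if precompute:                         # one compression each, paid a single time
            self.inner, self.outer = hashlib.sha1(self.ipad), hashlib.sha1(self.opad)
            self.compressions += 2

    def mac(self, msg: bytes) -> bytes:
        inner_len, outer_len = BLOCK + len(msg), BLOCK + OUT
        if self.precompute:
            h = self.inner.copy(); h.update(msg)
            o = self.outer.copy(); o.update(h.digest())
            # only the blocks after the already-absorbed key block are paid per call
            self.compressions += sha1_blocks(inner_len) - 1 + sha1_blocks(outer_len) - 1
            return o.digest()
        self.compressions += sha1_blocks(inner_len) + sha1_blocks(outer_len)
        return hashlib.sha1(self.opad + hashlib.sha1(self.ipad + msg).digest()).digest()


def pbkdf2_sha1(password: bytes, salt: bytes, iterations: int, dklen: int, precompute: bool):
    # returns (derived key, total SHA-1 compressions spent); RFC 2898 T_i = U_1 xor ... xor U_c
    prf, out = HmacSha1(password, precompute), b""
    for i in range(1, -(-dklen // OUT) + 1):
        u = prf.mac(salt + i.to_bytes(4, "big"))
        t = bytearray(u)
        for _ in range(iterations - 1):
            u = prf.mac(u)
            t = bytearray(a ^ b for a, b in zip(t, u))
        out += bytes(t)
    return out[:dklen], prf.compressions


def compare(password: bytes, salt: bytes, iterations: int, dklen: int):
    # (both variants agree with hashlib, naive compressions, precomputed compressions)
    dk_naive, c_naive = pbkdf2_sha1(password, salt, iterations, dklen, False)
    dk_pre, c_pre = pbkdf2_sha1(password, salt, iterations, dklen, True)
    ref = hashlib.pbkdf2_hmac("sha1", password, salt, iterations, dklen)
    return dk_naive == dk_pre == ref, c_naive, c_pre
```

Because every U_i is a 20-byte message, the naive variant spends four compressions per iteration and the precomputed one two, so an iteration count calibrated against an unoptimized library overstates the per-guess cost an attacker actually pays by a factor of two.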
[1] Hugo Krawczyk et al. Cryptographic Extraction and Key Derivation: The HKDF Scheme, 2010, IACR Cryptol. ePrint Arch.
[2] Hugo Krawczyk et al. HMAC: Keyed-Hashing for Message Authentication, 1997, RFC.
[3] Tim Güneysu et al. Evaluation of Standardized Password-Based Key Derivation against Parallel Processing Platforms, 2012, ESORICS.
[4] Clemens Fruhwirth et al. New Methods in Hard Disk Encryption, 2005.
[5] Claude E. Shannon et al. Prediction and Entropy of Printed English, 1951.
[6] Andrea Visconti et al. What Users Should Know About Full Disk Encryption Based on LUKS, 2015, CANS.
[7] Tore Kasper Frederiksen. Using CUDA for Exhaustive Password Recovery, 2011.
[8] Omar Choudary et al. Infiltrate the Vault: Security Analysis and Decryption of Lion Full Disk Encryption, 2012, IACR Cryptol. ePrint Arch.
[9] F. Frances Yao et al. Design and analysis of password-based key derivation functions, 2005, IEEE Transactions on Information Theory.