Why are KDFs slow? Is using a KDF more secure than using the original secret?Does NIST really recommend PBKDF2 for password hashing?Encrypting files securely using user supplied passwordHow are symmetric cryptographic keys stored?How to verify a password/key on subsequent key derivationsIs KeePass's method for key derivation secure?Why is the Key Derivation Function important?How secure is my software for file encryption with AES-256?
How do I weigh a kitchen island to determine what size castors to get?
How does paying extra on my mortgage affect my amortization schedule?
Sum in bash outside while read line
How much income am I getting by renting my house?
Future of iTunes and audio files in its library
How can I add just the second elements in lists of pairs?
Is it realistic that an advanced species isn't good at war?
An idiomatic word for "very little" in this context?
What does "drop" mean in this context?
If the music alphabet had more than 7 letters would octaves still sound like the same note?
Does Teshuva protect from punishment or not?
Print the sequence
How can AnyDVD destroy a DVD drive?
Is data science mathematically interesting?
Why are Starfleet vessels designed with nacelles so far away from the hull?
Is It Possible to Make a Computer Virus That Acts as an Anti-virus?
Is Having my Players Control Two Parties a Good Idea?
A Grandma Riddle
Negative feedbacks and "Language smoother"
What is the German word for: "It only works when I try to show you how it does not work"?
Is there a practical way of making democratic-like system skewed towards competence?
Can you decide not to sneak into a room after seeing your roll?
Can Slack really claim not to be a data controller?
Does Australia produce unique 'specialty steel'?
Why are KDFs slow? Is using a KDF more secure than using the original secret?
Does NIST really recommend PBKDF2 for password hashing?Encrypting files securely using user supplied passwordHow are symmetric cryptographic keys stored?How to verify a password/key on subsequent key derivationsIs KeePass's method for key derivation secure?Why is the Key Derivation Function important?How secure is my software for file encryption with AES-256?
.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty
margin-bottom:0;
According to the Wikipedia page for key derivation functions, a KDF's purpose is to derive a secret key for cryptography:
In cryptography, a key derivation function (KDF) derives one or more secret keys from a secret value such as a master key, a password, or a passphrase using a pseudorandom function.[1][2] KDFs can be used to stretch keys into longer keys or to obtain keys of a required format, such as converting a group element that is the result of a Diffie–Hellman key exchange into a symmetric key for use with AES. Keyed cryptographic hash functions are popular examples of pseudorandom functions used for key derivation.[3]
Let's assume we just completed a Curve25519 key exchange, and we want to use the key for a symmetric algorithm, e.g. AES.
- If the raw shared secret can be used as a key for the symmetric cipher, does using a KDF provide any security benefits? (Assuming that the KDF's output can also be used in the symmetric cipher.
- If the raw secret cannot be used as a key for the cipher, we apply a KDF to it. In this case, why does the KDF have to be slow? (Or is this property of a KDF just for specific cases, but not this one?)
key-management pbkdf2 kdf
add a comment
|
According to the Wikipedia page for key derivation functions, a KDF's purpose is to derive a secret key for cryptography:
In cryptography, a key derivation function (KDF) derives one or more secret keys from a secret value such as a master key, a password, or a passphrase using a pseudorandom function.[1][2] KDFs can be used to stretch keys into longer keys or to obtain keys of a required format, such as converting a group element that is the result of a Diffie–Hellman key exchange into a symmetric key for use with AES. Keyed cryptographic hash functions are popular examples of pseudorandom functions used for key derivation.[3]
Let's assume we just completed a Curve25519 key exchange, and we want to use the key for a symmetric algorithm, e.g. AES.
- If the raw shared secret can be used as a key for the symmetric cipher, does using a KDF provide any security benefits? (Assuming that the KDF's output can also be used in the symmetric cipher.
- If the raw secret cannot be used as a key for the cipher, we apply a KDF to it. In this case, why does the KDF have to be slow? (Or is this property of a KDF just for specific cases, but not this one?)
key-management pbkdf2 kdf
They're slow to reduce the effectiveness of brute-force attempts. If they can only guess once per second, per CPU that they're using, it'll take them longer to guess the correct secret than if they could guess hundreds of thousands of times per second per CPU.
– Ghedipunk
9 hours ago
Does that really matter if the key is unknown? E.g. if we perform a key exchange, the adversary has a range of possible values of the ECC secret and a range of PBKDF values. If we're using a KDF dervied key K, then finding the preimage to the KDF-ed doesn't matter right? The only thing that matters is finding the key used.
– mngxyuiso
9 hours ago
The secrets are typically low entropy, such as passwords.
– Ghedipunk
9 hours ago
add a comment
|
According to the Wikipedia page for key derivation functions, a KDF's purpose is to derive a secret key for cryptography:
In cryptography, a key derivation function (KDF) derives one or more secret keys from a secret value such as a master key, a password, or a passphrase using a pseudorandom function.[1][2] KDFs can be used to stretch keys into longer keys or to obtain keys of a required format, such as converting a group element that is the result of a Diffie–Hellman key exchange into a symmetric key for use with AES. Keyed cryptographic hash functions are popular examples of pseudorandom functions used for key derivation.[3]
Let's assume we just completed a Curve25519 key exchange, and we want to use the key for a symmetric algorithm, e.g. AES.
- If the raw shared secret can be used as a key for the symmetric cipher, does using a KDF provide any security benefits? (Assuming that the KDF's output can also be used in the symmetric cipher.
- If the raw secret cannot be used as a key for the cipher, we apply a KDF to it. In this case, why does the KDF have to be slow? (Or is this property of a KDF just for specific cases, but not this one?)
key-management pbkdf2 kdf
According to the Wikipedia page for key derivation functions, a KDF's purpose is to derive a secret key for cryptography:
In cryptography, a key derivation function (KDF) derives one or more secret keys from a secret value such as a master key, a password, or a passphrase using a pseudorandom function.[1][2] KDFs can be used to stretch keys into longer keys or to obtain keys of a required format, such as converting a group element that is the result of a Diffie–Hellman key exchange into a symmetric key for use with AES. Keyed cryptographic hash functions are popular examples of pseudorandom functions used for key derivation.[3]
Let's assume we just completed a Curve25519 key exchange, and we want to use the key for a symmetric algorithm, e.g. AES.
- If the raw shared secret can be used as a key for the symmetric cipher, does using a KDF provide any security benefits? (Assuming that the KDF's output can also be used in the symmetric cipher.
- If the raw secret cannot be used as a key for the cipher, we apply a KDF to it. In this case, why does the KDF have to be slow? (Or is this property of a KDF just for specific cases, but not this one?)
key-management pbkdf2 kdf
key-management pbkdf2 kdf
edited 9 hours ago
mngxyuiso
asked 9 hours ago
mngxyuisomngxyuiso
294 bronze badges
294 bronze badges
They're slow to reduce the effectiveness of brute-force attempts. If they can only guess once per second, per CPU that they're using, it'll take them longer to guess the correct secret than if they could guess hundreds of thousands of times per second per CPU.
– Ghedipunk
9 hours ago
Does that really matter if the key is unknown? E.g. if we perform a key exchange, the adversary has a range of possible values of the ECC secret and a range of PBKDF values. If we're using a KDF dervied key K, then finding the preimage to the KDF-ed doesn't matter right? The only thing that matters is finding the key used.
– mngxyuiso
9 hours ago
The secrets are typically low entropy, such as passwords.
– Ghedipunk
9 hours ago
add a comment
|
They're slow to reduce the effectiveness of brute-force attempts. If they can only guess once per second, per CPU that they're using, it'll take them longer to guess the correct secret than if they could guess hundreds of thousands of times per second per CPU.
– Ghedipunk
9 hours ago
Does that really matter if the key is unknown? E.g. if we perform a key exchange, the adversary has a range of possible values of the ECC secret and a range of PBKDF values. If we're using a KDF dervied key K, then finding the preimage to the KDF-ed doesn't matter right? The only thing that matters is finding the key used.
– mngxyuiso
9 hours ago
The secrets are typically low entropy, such as passwords.
– Ghedipunk
9 hours ago
They're slow to reduce the effectiveness of brute-force attempts. If they can only guess once per second, per CPU that they're using, it'll take them longer to guess the correct secret than if they could guess hundreds of thousands of times per second per CPU.
– Ghedipunk
9 hours ago
They're slow to reduce the effectiveness of brute-force attempts. If they can only guess once per second, per CPU that they're using, it'll take them longer to guess the correct secret than if they could guess hundreds of thousands of times per second per CPU.
– Ghedipunk
9 hours ago
Does that really matter if the key is unknown? E.g. if we perform a key exchange, the adversary has a range of possible values of the ECC secret and a range of PBKDF values. If we're using a KDF dervied key K, then finding the preimage to the KDF-ed doesn't matter right? The only thing that matters is finding the key used.
– mngxyuiso
9 hours ago
Does that really matter if the key is unknown? E.g. if we perform a key exchange, the adversary has a range of possible values of the ECC secret and a range of PBKDF values. If we're using a KDF dervied key K, then finding the preimage to the KDF-ed doesn't matter right? The only thing that matters is finding the key used.
– mngxyuiso
9 hours ago
The secrets are typically low entropy, such as passwords.
– Ghedipunk
9 hours ago
The secrets are typically low entropy, such as passwords.
– Ghedipunk
9 hours ago
add a comment
|
2 Answers
2
active
oldest
votes
Not all KDFs are slow! Something like HKDF is extremely fast, and only involves a handful of invocations to the underlying PRF.
KDFs are only slow when they're intended to convert a potentially low-entropy input—like a password—to a high-entropy output such as an encryption key or a password verifier. In this scenario, such functions are designed to be slow in order to add computation time as if the attacker were trying to brute force a secret with higher entropy than the one actually used.
For something like a shared secret after a Curve25519 key exchange, you would generally prefer a fast KDF. For instance, the Noise protocol framework uses HDKF to generate encryption keys from a shared secret derived from curve multiplication. While you can use a raw shared secret as a key directly, most protocols in practice use some form of a KDF to allow for features like forward secrecy.
add a comment
|
The confusion here is that there are two distinct kinds of key generation function, and people often say "key derivation function" without being explicit which one they mean (or even understanding there are two):
- Key-based key derivation functions
- Password-based key derivation functions
A key-based derivation function like HKDF presupposes that the inputs may be biased or partially predictable, but that otherwise it has enough min-entropy to be reliably unguessable. The shared secret produced by a Diffie-Hellman exchange is one of the textbook examples.
Password-based functions, on the other hand, assume that the inputs have low entropy, and thus they're designed to impose as high a cost as reasonable to a guessing attacks (without becoming unbearably costly to the honest parties). Slowing down the computation by having a high number of iterations is the classic technique, but newer functions like scrypt and Argon2 go beyond this and aim to be memory-hard:
- The canonical algorithm for computing them uses a large, tunable amount of memory;
- Any algorithm for computing the function that uses less memory than the canonical one should pay a very high time penalty (adverse time-memory tradeoff).
add a comment
|
Your Answer
StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "162"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);
else
createEditor();
);
function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/4.0/"u003ecc by-sa 4.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);
);
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f219094%2fwhy-are-kdfs-slow-is-using-a-kdf-more-secure-than-using-the-original-secret%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
2 Answers
2
active
oldest
votes
2 Answers
2
active
oldest
votes
active
oldest
votes
active
oldest
votes
Not all KDFs are slow! Something like HKDF is extremely fast, and only involves a handful of invocations to the underlying PRF.
KDFs are only slow when they're intended to convert a potentially low-entropy input—like a password—to a high-entropy output such as an encryption key or a password verifier. In this scenario, such functions are designed to be slow in order to add computation time as if the attacker were trying to brute force a secret with higher entropy than the one actually used.
For something like a shared secret after a Curve25519 key exchange, you would generally prefer a fast KDF. For instance, the Noise protocol framework uses HDKF to generate encryption keys from a shared secret derived from curve multiplication. While you can use a raw shared secret as a key directly, most protocols in practice use some form of a KDF to allow for features like forward secrecy.
add a comment
|
Not all KDFs are slow! Something like HKDF is extremely fast, and only involves a handful of invocations to the underlying PRF.
KDFs are only slow when they're intended to convert a potentially low-entropy input—like a password—to a high-entropy output such as an encryption key or a password verifier. In this scenario, such functions are designed to be slow in order to add computation time as if the attacker were trying to brute force a secret with higher entropy than the one actually used.
For something like a shared secret after a Curve25519 key exchange, you would generally prefer a fast KDF. For instance, the Noise protocol framework uses HDKF to generate encryption keys from a shared secret derived from curve multiplication. While you can use a raw shared secret as a key directly, most protocols in practice use some form of a KDF to allow for features like forward secrecy.
add a comment
|
Not all KDFs are slow! Something like HKDF is extremely fast, and only involves a handful of invocations to the underlying PRF.
KDFs are only slow when they're intended to convert a potentially low-entropy input—like a password—to a high-entropy output such as an encryption key or a password verifier. In this scenario, such functions are designed to be slow in order to add computation time as if the attacker were trying to brute force a secret with higher entropy than the one actually used.
For something like a shared secret after a Curve25519 key exchange, you would generally prefer a fast KDF. For instance, the Noise protocol framework uses HDKF to generate encryption keys from a shared secret derived from curve multiplication. While you can use a raw shared secret as a key directly, most protocols in practice use some form of a KDF to allow for features like forward secrecy.
Not all KDFs are slow! Something like HKDF is extremely fast, and only involves a handful of invocations to the underlying PRF.
KDFs are only slow when they're intended to convert a potentially low-entropy input—like a password—to a high-entropy output such as an encryption key or a password verifier. In this scenario, such functions are designed to be slow in order to add computation time as if the attacker were trying to brute force a secret with higher entropy than the one actually used.
For something like a shared secret after a Curve25519 key exchange, you would generally prefer a fast KDF. For instance, the Noise protocol framework uses HDKF to generate encryption keys from a shared secret derived from curve multiplication. While you can use a raw shared secret as a key directly, most protocols in practice use some form of a KDF to allow for features like forward secrecy.
answered 9 hours ago
Stephen TousetStephen Touset
4,99117 silver badges30 bronze badges
4,99117 silver badges30 bronze badges
add a comment
|
add a comment
|
The confusion here is that there are two distinct kinds of key generation function, and people often say "key derivation function" without being explicit which one they mean (or even understanding there are two):
- Key-based key derivation functions
- Password-based key derivation functions
A key-based derivation function like HKDF presupposes that the inputs may be biased or partially predictable, but that otherwise it has enough min-entropy to be reliably unguessable. The shared secret produced by a Diffie-Hellman exchange is one of the textbook examples.
Password-based functions, on the other hand, assume that the inputs have low entropy, and thus they're designed to impose as high a cost as reasonable to a guessing attacks (without becoming unbearably costly to the honest parties). Slowing down the computation by having a high number of iterations is the classic technique, but newer functions like scrypt and Argon2 go beyond this and aim to be memory-hard:
- The canonical algorithm for computing them uses a large, tunable amount of memory;
- Any algorithm for computing the function that uses less memory than the canonical one should pay a very high time penalty (adverse time-memory tradeoff).
add a comment
|
The confusion here is that there are two distinct kinds of key generation function, and people often say "key derivation function" without being explicit which one they mean (or even understanding there are two):
- Key-based key derivation functions
- Password-based key derivation functions
A key-based derivation function like HKDF presupposes that the inputs may be biased or partially predictable, but that otherwise it has enough min-entropy to be reliably unguessable. The shared secret produced by a Diffie-Hellman exchange is one of the textbook examples.
Password-based functions, on the other hand, assume that the inputs have low entropy, and thus they're designed to impose as high a cost as reasonable to a guessing attacks (without becoming unbearably costly to the honest parties). Slowing down the computation by having a high number of iterations is the classic technique, but newer functions like scrypt and Argon2 go beyond this and aim to be memory-hard:
- The canonical algorithm for computing them uses a large, tunable amount of memory;
- Any algorithm for computing the function that uses less memory than the canonical one should pay a very high time penalty (adverse time-memory tradeoff).
add a comment
|
The confusion here is that there are two distinct kinds of key generation function, and people often say "key derivation function" without being explicit which one they mean (or even understanding there are two):
- Key-based key derivation functions
- Password-based key derivation functions
A key-based derivation function like HKDF presupposes that the inputs may be biased or partially predictable, but that otherwise it has enough min-entropy to be reliably unguessable. The shared secret produced by a Diffie-Hellman exchange is one of the textbook examples.
Password-based functions, on the other hand, assume that the inputs have low entropy, and thus they're designed to impose as high a cost as reasonable to a guessing attacks (without becoming unbearably costly to the honest parties). Slowing down the computation by having a high number of iterations is the classic technique, but newer functions like scrypt and Argon2 go beyond this and aim to be memory-hard:
- The canonical algorithm for computing them uses a large, tunable amount of memory;
- Any algorithm for computing the function that uses less memory than the canonical one should pay a very high time penalty (adverse time-memory tradeoff).
The confusion here is that there are two distinct kinds of key generation function, and people often say "key derivation function" without being explicit which one they mean (or even understanding there are two):
- Key-based key derivation functions
- Password-based key derivation functions
A key-based derivation function like HKDF presupposes that the inputs may be biased or partially predictable, but that otherwise it has enough min-entropy to be reliably unguessable. The shared secret produced by a Diffie-Hellman exchange is one of the textbook examples.
Password-based functions, on the other hand, assume that the inputs have low entropy, and thus they're designed to impose as high a cost as reasonable to a guessing attacks (without becoming unbearably costly to the honest parties). Slowing down the computation by having a high number of iterations is the classic technique, but newer functions like scrypt and Argon2 go beyond this and aim to be memory-hard:
- The canonical algorithm for computing them uses a large, tunable amount of memory;
- Any algorithm for computing the function that uses less memory than the canonical one should pay a very high time penalty (adverse time-memory tradeoff).
answered 6 hours ago
Luis CasillasLuis Casillas
7,9972 gold badges19 silver badges33 bronze badges
7,9972 gold badges19 silver badges33 bronze badges
add a comment
|
add a comment
|
Thanks for contributing an answer to Information Security Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f219094%2fwhy-are-kdfs-slow-is-using-a-kdf-more-secure-than-using-the-original-secret%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
They're slow to reduce the effectiveness of brute-force attempts. If they can only guess once per second, per CPU that they're using, it'll take them longer to guess the correct secret than if they could guess hundreds of thousands of times per second per CPU.
– Ghedipunk
9 hours ago
Does that really matter if the key is unknown? E.g. if we perform a key exchange, the adversary has a range of possible values of the ECC secret and a range of PBKDF values. If we're using a KDF dervied key K, then finding the preimage to the KDF-ed doesn't matter right? The only thing that matters is finding the key used.
– mngxyuiso
9 hours ago
The secrets are typically low entropy, such as passwords.
– Ghedipunk
9 hours ago