Why are KDFs slow? Is using a KDF more secure than using the original secret?Does NIST really recommend PBKDF2 for password hashing?Encrypting files securely using user supplied passwordHow are symmetric cryptographic keys stored?How to verify a password/key on subsequent key derivationsIs KeePass's method for key derivation secure?Why is the Key Derivation Function important?How secure is my software for file encryption with AES-256?

How do I weigh a kitchen island to determine what size castors to get?

How does paying extra on my mortgage affect my amortization schedule?

Sum in bash outside while read line

How much income am I getting by renting my house?

Future of iTunes and audio files in its library

How can I add just the second elements in lists of pairs?

Is it realistic that an advanced species isn't good at war?

An idiomatic word for "very little" in this context?

What does "drop" mean in this context?

If the music alphabet had more than 7 letters would octaves still sound like the same note?

Does Teshuva protect from punishment or not?

Print the sequence

How can AnyDVD destroy a DVD drive?

Is data science mathematically interesting?

Why are Starfleet vessels designed with nacelles so far away from the hull?

Is It Possible to Make a Computer Virus That Acts as an Anti-virus?

Is Having my Players Control Two Parties a Good Idea?

A Grandma Riddle

Negative feedbacks and "Language smoother"

What is the German word for: "It only works when I try to show you how it does not work"?

Is there a practical way of making democratic-like system skewed towards competence?

Can you decide not to sneak into a room after seeing your roll?

Can Slack really claim not to be a data controller?

Does Australia produce unique 'specialty steel'?



Why are KDFs slow? Is using a KDF more secure than using the original secret?


Does NIST really recommend PBKDF2 for password hashing?Encrypting files securely using user supplied passwordHow are symmetric cryptographic keys stored?How to verify a password/key on subsequent key derivationsIs KeePass's method for key derivation secure?Why is the Key Derivation Function important?How secure is my software for file encryption with AES-256?






.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty
margin-bottom:0;









2

















According to the Wikipedia page for key derivation functions, a KDF's purpose is to derive a secret key for cryptography:




In cryptography, a key derivation function (KDF) derives one or more secret keys from a secret value such as a master key, a password, or a passphrase using a pseudorandom function.[1][2] KDFs can be used to stretch keys into longer keys or to obtain keys of a required format, such as converting a group element that is the result of a Diffie–Hellman key exchange into a symmetric key for use with AES. Keyed cryptographic hash functions are popular examples of pseudorandom functions used for key derivation.[3]




Let's assume we just completed a Curve25519 key exchange, and we want to use the key for a symmetric algorithm, e.g. AES.



  • If the raw shared secret can be used as a key for the symmetric cipher, does using a KDF provide any security benefits? (Assuming that the KDF's output can also be used in the symmetric cipher.

  • If the raw secret cannot be used as a key for the cipher, we apply a KDF to it. In this case, why does the KDF have to be slow? (Or is this property of a KDF just for specific cases, but not this one?)









share|improve this question




























  • They're slow to reduce the effectiveness of brute-force attempts. If they can only guess once per second, per CPU that they're using, it'll take them longer to guess the correct secret than if they could guess hundreds of thousands of times per second per CPU.

    – Ghedipunk
    9 hours ago












  • Does that really matter if the key is unknown? E.g. if we perform a key exchange, the adversary has a range of possible values of the ECC secret and a range of PBKDF values. If we're using a KDF dervied key K, then finding the preimage to the KDF-ed doesn't matter right? The only thing that matters is finding the key used.

    – mngxyuiso
    9 hours ago











  • The secrets are typically low entropy, such as passwords.

    – Ghedipunk
    9 hours ago

















2

















According to the Wikipedia page for key derivation functions, a KDF's purpose is to derive a secret key for cryptography:




In cryptography, a key derivation function (KDF) derives one or more secret keys from a secret value such as a master key, a password, or a passphrase using a pseudorandom function.[1][2] KDFs can be used to stretch keys into longer keys or to obtain keys of a required format, such as converting a group element that is the result of a Diffie–Hellman key exchange into a symmetric key for use with AES. Keyed cryptographic hash functions are popular examples of pseudorandom functions used for key derivation.[3]




Let's assume we just completed a Curve25519 key exchange, and we want to use the key for a symmetric algorithm, e.g. AES.



  • If the raw shared secret can be used as a key for the symmetric cipher, does using a KDF provide any security benefits? (Assuming that the KDF's output can also be used in the symmetric cipher.

  • If the raw secret cannot be used as a key for the cipher, we apply a KDF to it. In this case, why does the KDF have to be slow? (Or is this property of a KDF just for specific cases, but not this one?)









share|improve this question




























  • They're slow to reduce the effectiveness of brute-force attempts. If they can only guess once per second, per CPU that they're using, it'll take them longer to guess the correct secret than if they could guess hundreds of thousands of times per second per CPU.

    – Ghedipunk
    9 hours ago












  • Does that really matter if the key is unknown? E.g. if we perform a key exchange, the adversary has a range of possible values of the ECC secret and a range of PBKDF values. If we're using a KDF dervied key K, then finding the preimage to the KDF-ed doesn't matter right? The only thing that matters is finding the key used.

    – mngxyuiso
    9 hours ago











  • The secrets are typically low entropy, such as passwords.

    – Ghedipunk
    9 hours ago













2












2








2


1






According to the Wikipedia page for key derivation functions, a KDF's purpose is to derive a secret key for cryptography:




In cryptography, a key derivation function (KDF) derives one or more secret keys from a secret value such as a master key, a password, or a passphrase using a pseudorandom function.[1][2] KDFs can be used to stretch keys into longer keys or to obtain keys of a required format, such as converting a group element that is the result of a Diffie–Hellman key exchange into a symmetric key for use with AES. Keyed cryptographic hash functions are popular examples of pseudorandom functions used for key derivation.[3]




Let's assume we just completed a Curve25519 key exchange, and we want to use the key for a symmetric algorithm, e.g. AES.



  • If the raw shared secret can be used as a key for the symmetric cipher, does using a KDF provide any security benefits? (Assuming that the KDF's output can also be used in the symmetric cipher.

  • If the raw secret cannot be used as a key for the cipher, we apply a KDF to it. In this case, why does the KDF have to be slow? (Or is this property of a KDF just for specific cases, but not this one?)









share|improve this question
















According to the Wikipedia page for key derivation functions, a KDF's purpose is to derive a secret key for cryptography:




In cryptography, a key derivation function (KDF) derives one or more secret keys from a secret value such as a master key, a password, or a passphrase using a pseudorandom function.[1][2] KDFs can be used to stretch keys into longer keys or to obtain keys of a required format, such as converting a group element that is the result of a Diffie–Hellman key exchange into a symmetric key for use with AES. Keyed cryptographic hash functions are popular examples of pseudorandom functions used for key derivation.[3]




Let's assume we just completed a Curve25519 key exchange, and we want to use the key for a symmetric algorithm, e.g. AES.



  • If the raw shared secret can be used as a key for the symmetric cipher, does using a KDF provide any security benefits? (Assuming that the KDF's output can also be used in the symmetric cipher.

  • If the raw secret cannot be used as a key for the cipher, we apply a KDF to it. In this case, why does the KDF have to be slow? (Or is this property of a KDF just for specific cases, but not this one?)






key-management pbkdf2 kdf






share|improve this question















share|improve this question













share|improve this question




share|improve this question



share|improve this question








edited 9 hours ago







mngxyuiso

















asked 9 hours ago









mngxyuisomngxyuiso

294 bronze badges




294 bronze badges















  • They're slow to reduce the effectiveness of brute-force attempts. If they can only guess once per second, per CPU that they're using, it'll take them longer to guess the correct secret than if they could guess hundreds of thousands of times per second per CPU.

    – Ghedipunk
    9 hours ago












  • Does that really matter if the key is unknown? E.g. if we perform a key exchange, the adversary has a range of possible values of the ECC secret and a range of PBKDF values. If we're using a KDF dervied key K, then finding the preimage to the KDF-ed doesn't matter right? The only thing that matters is finding the key used.

    – mngxyuiso
    9 hours ago











  • The secrets are typically low entropy, such as passwords.

    – Ghedipunk
    9 hours ago

















  • They're slow to reduce the effectiveness of brute-force attempts. If they can only guess once per second, per CPU that they're using, it'll take them longer to guess the correct secret than if they could guess hundreds of thousands of times per second per CPU.

    – Ghedipunk
    9 hours ago












  • Does that really matter if the key is unknown? E.g. if we perform a key exchange, the adversary has a range of possible values of the ECC secret and a range of PBKDF values. If we're using a KDF dervied key K, then finding the preimage to the KDF-ed doesn't matter right? The only thing that matters is finding the key used.

    – mngxyuiso
    9 hours ago











  • The secrets are typically low entropy, such as passwords.

    – Ghedipunk
    9 hours ago
















They're slow to reduce the effectiveness of brute-force attempts. If they can only guess once per second, per CPU that they're using, it'll take them longer to guess the correct secret than if they could guess hundreds of thousands of times per second per CPU.

– Ghedipunk
9 hours ago






They're slow to reduce the effectiveness of brute-force attempts. If they can only guess once per second, per CPU that they're using, it'll take them longer to guess the correct secret than if they could guess hundreds of thousands of times per second per CPU.

– Ghedipunk
9 hours ago














Does that really matter if the key is unknown? E.g. if we perform a key exchange, the adversary has a range of possible values of the ECC secret and a range of PBKDF values. If we're using a KDF dervied key K, then finding the preimage to the KDF-ed doesn't matter right? The only thing that matters is finding the key used.

– mngxyuiso
9 hours ago





Does that really matter if the key is unknown? E.g. if we perform a key exchange, the adversary has a range of possible values of the ECC secret and a range of PBKDF values. If we're using a KDF dervied key K, then finding the preimage to the KDF-ed doesn't matter right? The only thing that matters is finding the key used.

– mngxyuiso
9 hours ago













The secrets are typically low entropy, such as passwords.

– Ghedipunk
9 hours ago





The secrets are typically low entropy, such as passwords.

– Ghedipunk
9 hours ago










2 Answers
2






active

oldest

votes


















5


















Not all KDFs are slow! Something like HKDF is extremely fast, and only involves a handful of invocations to the underlying PRF.



KDFs are only slow when they're intended to convert a potentially low-entropy input—like a password—to a high-entropy output such as an encryption key or a password verifier. In this scenario, such functions are designed to be slow in order to add computation time as if the attacker were trying to brute force a secret with higher entropy than the one actually used.



For something like a shared secret after a Curve25519 key exchange, you would generally prefer a fast KDF. For instance, the Noise protocol framework uses HDKF to generate encryption keys from a shared secret derived from curve multiplication. While you can use a raw shared secret as a key directly, most protocols in practice use some form of a KDF to allow for features like forward secrecy.






share|improve this answer

































    2


















    The confusion here is that there are two distinct kinds of key generation function, and people often say "key derivation function" without being explicit which one they mean (or even understanding there are two):



    • Key-based key derivation functions

    • Password-based key derivation functions

    A key-based derivation function like HKDF presupposes that the inputs may be biased or partially predictable, but that otherwise it has enough min-entropy to be reliably unguessable. The shared secret produced by a Diffie-Hellman exchange is one of the textbook examples.



    Password-based functions, on the other hand, assume that the inputs have low entropy, and thus they're designed to impose as high a cost as reasonable to a guessing attacks (without becoming unbearably costly to the honest parties). Slowing down the computation by having a high number of iterations is the classic technique, but newer functions like scrypt and Argon2 go beyond this and aim to be memory-hard:



    • The canonical algorithm for computing them uses a large, tunable amount of memory;

    • Any algorithm for computing the function that uses less memory than the canonical one should pay a very high time penalty (adverse time-memory tradeoff).





    share|improve this answer



























      Your Answer








      StackExchange.ready(function()
      var channelOptions =
      tags: "".split(" "),
      id: "162"
      ;
      initTagRenderer("".split(" "), "".split(" "), channelOptions);

      StackExchange.using("externalEditor", function()
      // Have to fire editor after snippets, if snippets enabled
      if (StackExchange.settings.snippets.snippetsEnabled)
      StackExchange.using("snippets", function()
      createEditor();
      );

      else
      createEditor();

      );

      function createEditor()
      StackExchange.prepareEditor(
      heartbeatType: 'answer',
      autoActivateHeartbeat: false,
      convertImagesToLinks: false,
      noModals: true,
      showLowRepImageUploadWarning: true,
      reputationToPostImages: null,
      bindNavPrevention: true,
      postfix: "",
      imageUploader:
      brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
      contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/4.0/"u003ecc by-sa 4.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
      allowUrls: true
      ,
      noCode: true, onDemand: true,
      discardSelector: ".discard-answer"
      ,immediatelyShowMarkdownHelp:true
      );



      );














      draft saved

      draft discarded
















      StackExchange.ready(
      function ()
      StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f219094%2fwhy-are-kdfs-slow-is-using-a-kdf-more-secure-than-using-the-original-secret%23new-answer', 'question_page');

      );

      Post as a guest















      Required, but never shown


























      2 Answers
      2






      active

      oldest

      votes








      2 Answers
      2






      active

      oldest

      votes









      active

      oldest

      votes






      active

      oldest

      votes









      5


















      Not all KDFs are slow! Something like HKDF is extremely fast, and only involves a handful of invocations to the underlying PRF.



      KDFs are only slow when they're intended to convert a potentially low-entropy input—like a password—to a high-entropy output such as an encryption key or a password verifier. In this scenario, such functions are designed to be slow in order to add computation time as if the attacker were trying to brute force a secret with higher entropy than the one actually used.



      For something like a shared secret after a Curve25519 key exchange, you would generally prefer a fast KDF. For instance, the Noise protocol framework uses HDKF to generate encryption keys from a shared secret derived from curve multiplication. While you can use a raw shared secret as a key directly, most protocols in practice use some form of a KDF to allow for features like forward secrecy.






      share|improve this answer






























        5


















        Not all KDFs are slow! Something like HKDF is extremely fast, and only involves a handful of invocations to the underlying PRF.



        KDFs are only slow when they're intended to convert a potentially low-entropy input—like a password—to a high-entropy output such as an encryption key or a password verifier. In this scenario, such functions are designed to be slow in order to add computation time as if the attacker were trying to brute force a secret with higher entropy than the one actually used.



        For something like a shared secret after a Curve25519 key exchange, you would generally prefer a fast KDF. For instance, the Noise protocol framework uses HDKF to generate encryption keys from a shared secret derived from curve multiplication. While you can use a raw shared secret as a key directly, most protocols in practice use some form of a KDF to allow for features like forward secrecy.






        share|improve this answer




























          5














          5










          5









          Not all KDFs are slow! Something like HKDF is extremely fast, and only involves a handful of invocations to the underlying PRF.



          KDFs are only slow when they're intended to convert a potentially low-entropy input—like a password—to a high-entropy output such as an encryption key or a password verifier. In this scenario, such functions are designed to be slow in order to add computation time as if the attacker were trying to brute force a secret with higher entropy than the one actually used.



          For something like a shared secret after a Curve25519 key exchange, you would generally prefer a fast KDF. For instance, the Noise protocol framework uses HDKF to generate encryption keys from a shared secret derived from curve multiplication. While you can use a raw shared secret as a key directly, most protocols in practice use some form of a KDF to allow for features like forward secrecy.






          share|improve this answer














          Not all KDFs are slow! Something like HKDF is extremely fast, and only involves a handful of invocations to the underlying PRF.



          KDFs are only slow when they're intended to convert a potentially low-entropy input—like a password—to a high-entropy output such as an encryption key or a password verifier. In this scenario, such functions are designed to be slow in order to add computation time as if the attacker were trying to brute force a secret with higher entropy than the one actually used.



          For something like a shared secret after a Curve25519 key exchange, you would generally prefer a fast KDF. For instance, the Noise protocol framework uses HDKF to generate encryption keys from a shared secret derived from curve multiplication. While you can use a raw shared secret as a key directly, most protocols in practice use some form of a KDF to allow for features like forward secrecy.







          share|improve this answer













          share|improve this answer




          share|improve this answer



          share|improve this answer










          answered 9 hours ago









          Stephen TousetStephen Touset

          4,99117 silver badges30 bronze badges




          4,99117 silver badges30 bronze badges


























              2


















              The confusion here is that there are two distinct kinds of key generation function, and people often say "key derivation function" without being explicit which one they mean (or even understanding there are two):



              • Key-based key derivation functions

              • Password-based key derivation functions

              A key-based derivation function like HKDF presupposes that the inputs may be biased or partially predictable, but that otherwise it has enough min-entropy to be reliably unguessable. The shared secret produced by a Diffie-Hellman exchange is one of the textbook examples.



              Password-based functions, on the other hand, assume that the inputs have low entropy, and thus they're designed to impose as high a cost as reasonable to a guessing attacks (without becoming unbearably costly to the honest parties). Slowing down the computation by having a high number of iterations is the classic technique, but newer functions like scrypt and Argon2 go beyond this and aim to be memory-hard:



              • The canonical algorithm for computing them uses a large, tunable amount of memory;

              • Any algorithm for computing the function that uses less memory than the canonical one should pay a very high time penalty (adverse time-memory tradeoff).





              share|improve this answer






























                2


















                The confusion here is that there are two distinct kinds of key generation function, and people often say "key derivation function" without being explicit which one they mean (or even understanding there are two):



                • Key-based key derivation functions

                • Password-based key derivation functions

                A key-based derivation function like HKDF presupposes that the inputs may be biased or partially predictable, but that otherwise it has enough min-entropy to be reliably unguessable. The shared secret produced by a Diffie-Hellman exchange is one of the textbook examples.



                Password-based functions, on the other hand, assume that the inputs have low entropy, and thus they're designed to impose as high a cost as reasonable to a guessing attacks (without becoming unbearably costly to the honest parties). Slowing down the computation by having a high number of iterations is the classic technique, but newer functions like scrypt and Argon2 go beyond this and aim to be memory-hard:



                • The canonical algorithm for computing them uses a large, tunable amount of memory;

                • Any algorithm for computing the function that uses less memory than the canonical one should pay a very high time penalty (adverse time-memory tradeoff).





                share|improve this answer




























                  2














                  2










                  2









                  The confusion here is that there are two distinct kinds of key generation function, and people often say "key derivation function" without being explicit which one they mean (or even understanding there are two):



                  • Key-based key derivation functions

                  • Password-based key derivation functions

                  A key-based derivation function like HKDF presupposes that the inputs may be biased or partially predictable, but that otherwise it has enough min-entropy to be reliably unguessable. The shared secret produced by a Diffie-Hellman exchange is one of the textbook examples.



                  Password-based functions, on the other hand, assume that the inputs have low entropy, and thus they're designed to impose as high a cost as reasonable to a guessing attacks (without becoming unbearably costly to the honest parties). Slowing down the computation by having a high number of iterations is the classic technique, but newer functions like scrypt and Argon2 go beyond this and aim to be memory-hard:



                  • The canonical algorithm for computing them uses a large, tunable amount of memory;

                  • Any algorithm for computing the function that uses less memory than the canonical one should pay a very high time penalty (adverse time-memory tradeoff).





                  share|improve this answer














                  The confusion here is that there are two distinct kinds of key generation function, and people often say "key derivation function" without being explicit which one they mean (or even understanding there are two):



                  • Key-based key derivation functions

                  • Password-based key derivation functions

                  A key-based derivation function like HKDF presupposes that the inputs may be biased or partially predictable, but that otherwise it has enough min-entropy to be reliably unguessable. The shared secret produced by a Diffie-Hellman exchange is one of the textbook examples.



                  Password-based functions, on the other hand, assume that the inputs have low entropy, and thus they're designed to impose as high a cost as reasonable to a guessing attacks (without becoming unbearably costly to the honest parties). Slowing down the computation by having a high number of iterations is the classic technique, but newer functions like scrypt and Argon2 go beyond this and aim to be memory-hard:



                  • The canonical algorithm for computing them uses a large, tunable amount of memory;

                  • Any algorithm for computing the function that uses less memory than the canonical one should pay a very high time penalty (adverse time-memory tradeoff).






                  share|improve this answer













                  share|improve this answer




                  share|improve this answer



                  share|improve this answer










                  answered 6 hours ago









                  Luis CasillasLuis Casillas

                  7,9972 gold badges19 silver badges33 bronze badges




                  7,9972 gold badges19 silver badges33 bronze badges































                      draft saved

                      draft discarded















































                      Thanks for contributing an answer to Information Security Stack Exchange!


                      • Please be sure to answer the question. Provide details and share your research!

                      But avoid


                      • Asking for help, clarification, or responding to other answers.

                      • Making statements based on opinion; back them up with references or personal experience.

                      To learn more, see our tips on writing great answers.




                      draft saved


                      draft discarded














                      StackExchange.ready(
                      function ()
                      StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f219094%2fwhy-are-kdfs-slow-is-using-a-kdf-more-secure-than-using-the-original-secret%23new-answer', 'question_page');

                      );

                      Post as a guest















                      Required, but never shown





















































                      Required, but never shown














                      Required, but never shown












                      Required, but never shown







                      Required, but never shown

































                      Required, but never shown














                      Required, but never shown












                      Required, but never shown







                      Required, but never shown









                      Popular posts from this blog

                      Invision Community Contents History See also References External links Navigation menuProprietaryinvisioncommunity.comIPS Community ForumsIPS Community Forumsthis blog entry"License Changes, IP.Board 3.4, and the Future""Interview -- Matt Mecham of Ibforums""CEO Invision Power Board, Matt Mecham Is a Liar, Thief!"IPB License Explanation 1.3, 1.3.1, 2.0, and 2.1ArchivedSecurity Fixes, Updates And Enhancements For IPB 1.3.1Archived"New Demo Accounts - Invision Power Services"the original"New Default Skin"the original"Invision Power Board 3.0.0 and Applications Released"the original"Archived copy"the original"Perpetual licenses being done away with""Release Notes - Invision Power Services""Introducing: IPS Community Suite 4!"Invision Community Release Notes

                      Canceling a color specificationRandomly assigning color to Graphics3D objects?Default color for Filling in Mathematica 9Coloring specific elements of sets with a prime modified order in an array plotHow to pick a color differing significantly from the colors already in a given color list?Detection of the text colorColor numbers based on their valueCan color schemes for use with ColorData include opacity specification?My dynamic color schemes

                      Ласкавець круглолистий Зміст Опис | Поширення | Галерея | Примітки | Посилання | Навігаційне меню58171138361-22960890446Bupleurum rotundifoliumEuro+Med PlantbasePlants of the World Online — Kew ScienceGermplasm Resources Information Network (GRIN)Ласкавецькн. VI : Літери Ком — Левиправивши або дописавши її