
I'm trying to grasp what benefit KDFs like PBKDF2, scrypt and bcrypt (I know that bcrypt is technically not a KDF) may bring over hashing in a loop like sha256sum(sha256sum(sha256sum.....(salt + master password))) - N times, where N equals some big number.

Ghost Rider
  • bcrypt is definitely a KDF, based on a block cipher but definitely a KDF and the first good one. PBKDF2 OTOH isn't a good KDF. The Introduction of the Argon2 spec PDF explains a lot of what a good KDF needs: https://github.com/P-H-C/phc-winner-argon2/blob/master/argon2-specs.pdf – Bruno Rohée Sep 20 '22 at 16:05
  • See https://github.com/mitsuhiko/python-pbkdf2/blob/master/pbkdf2.py for a good example of a PBKDF2 function implemented in Python. As you can see, it works the way you describe in your question, i.e. N iterations of a loop containing a cryptographic primitive. – mti2935 Sep 20 '22 at 19:23
  • @BrunoRohée according to Wikipedia - https://en.wikipedia.org/wiki/Bcrypt - "It is important to note that bcrypt is not a key derivation function (KDF). For example you cannot use bcrypt to derive a 512-bit key from a password." – Ghost Rider Sep 21 '22 at 07:13
  • It cannot compute an arbitrarily long key, but up to 192 bits is adequate for many applications. Not that any greenfield application should use bcrypt. – Bruno Rohée Sep 21 '22 at 11:42
  • @BrunoRohée got it, I came across a few articles where bcrypt was described as a password hashing algorithm, not a KDF, as it is limited in derived key length. For example - https://crypto.stackexchange.com/a/70783 But it seems like people tend to use it as a KDF and don't really care about the length limitation of 192 bits. – Ghost Rider Sep 21 '22 at 12:07
  • The issue is that I don't think there is a unanimously accepted definition of what a KDF is. bcrypt+key stretching definitely is a generic KDF in any case. – Bruno Rohée Sep 21 '22 at 12:14
  • @BrunoRohée I reread the wiki page of bcrypt, and as I understood it, in a nutshell it simply does Blowfish in a loop like `Blowfish(Blowfish(...(secret, salt)))` - similarly to what I described in the question but with a fast hashing algorithm - sha256. Answering my own question - may the `sha256sum(sha256sum(sha256sum.....(salt + master password)))` be treated as a KDF for password hashing in a similar way to pbkdf2? – Ghost Rider Sep 21 '22 at 13:18
  • Yes but a pretty bad one, as it is ASIC/FPGA friendly, GPU friendly, and has no memory hardness whatsoever. bcrypt is at least ASIC unfriendly. – Bruno Rohée Sep 21 '22 at 15:27
  • It's about using the right tool for the job, and choosing a tool which is battle tested for the specific crypto application. A looped hash isn't bad per se, but its ad hoc implementation introduces unneeded unknowns to security evaluations, expansions, and impacts. – dandavis Sep 21 '22 at 19:14
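
The constructions compared in this thread, side by side, as an added example that is not part of the original question or comments: the looped SHA-256 from the question, PBKDF2-HMAC-SHA256 written out as a loop (checkable against `hashlib.pbkdf2_hmac`), and scrypt with its memory cost. Function names, password, salt and cost parameters are constructed for illustration.

```python
import hashlib
import hmac


def looped_sha256(password: bytes, salt: bytes, n: int) -> bytes:
    """The question's construction: SHA-256 applied n times to salt + password."""
    digest = hashlib.sha256(salt + password).digest()
    for _ in range(n - 1):
        digest = hashlib.sha256(digest).digest()
    return digest  # fixed 32-byte output; the only cost knob is CPU time


def pbkdf2_sha256(password: bytes, salt: bytes, n: int, dklen: int) -> bytes:
    """PBKDF2-HMAC-SHA256 as a plain loop (RFC 8018), any output length."""
    out = b""
    block_index = 1
    while len(out) < dklen:
        # First round binds the salt and the block counter.
        u = hmac.new(password, salt + block_index.to_bytes(4, "big"),
                     hashlib.sha256).digest()
        t = int.from_bytes(u, "big")
        for _ in range(n - 1):
            # The password keys every round; round outputs are XORed together.
            u = hmac.new(password, u, hashlib.sha256).digest()
            t ^= int.from_bytes(u, "big")
        out += t.to_bytes(32, "big")
        block_index += 1
    return out[:dklen]


def scrypt_key(password: bytes, salt: bytes, dklen: int,
               n: int = 2**12, r: int = 8) -> tuple:
    """scrypt key plus its approximate working memory in bytes (128 * n * r)."""
    key = hashlib.scrypt(password, salt=salt, n=n, r=r, p=1,
                         maxmem=64 * 1024 * 1024, dklen=dklen)
    return key, 128 * n * r


if __name__ == "__main__":
    pw, salt = b"master password", b"constructed-salt"  # constructed samples
    print("looped sha256:", looped_sha256(pw, salt, 1000).hex())
    print("pbkdf2 (64 B):", pbkdf2_sha256(pw, salt, 1000, 64).hex())
    key, mem = scrypt_key(pw, salt, 64)
    print("scrypt (64 B):", key.hex(), "using about", mem // 2**20, "MiB")
```

The first two functions need only a few hundred bytes of state per guess, which is what makes them cheap to run in parallel on GPUs and ASICs; scrypt's `n` and `r` force each guess to hold `128 * n * r` bytes.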

0 Answers