PBKDF2 recommended key size? - McMap

About

PBKDF2 recommended key size?

Asked 8/6, 2012 at 6:8 Answered 8/6, 2012 at 8:2

Solved php mysql security sha pbkdf2

S

1

3

My function is as follows:

pbkdf2($raw_pw,$salt,1000,128)

1000 is the number of passes, and 128 is the key size. The function returns a binary key which I use base64 to store it in the database.

My question is: what's the recommended keysize and salt size for pbkdf2 using sha512?

will a keysize of 32 be just as secure as a keysize of 128?

Subsidiary answered 8/6, 2012 at 6:8 Comment(1)

Whoops. Why are you storing the derived key in a database? Generally that is a bad idea. – Macrobiotic 8/6, 2012 at 6:34

R

6

1000 is the number of iterations, not passes. 128 Is the length at the end.

According to Wikipedia (and my own little knowledge about cryptography) you should use more than 128 bits (or 32 as you're asking). The size of the resulting key is equivalent to the chance for a hash collision. Using 256 (as WPA2 does) or 512 should not be a problem, also not a problem for your CPU/memory/whatever.

Also 1000 is, compared to other integrations of pbkdf2, a very small amount of iterations. You can easily use 5000 or 10000 (like iOS4) which might result in something like 10ms more processing time but makes a way more stronger key (see: a possible attacker has also to run the 10k iterations. This might change the time he needs from 1 day to 10 days, or 1 month to almost 1 year).

Rheo answered 8/6, 2012 at 8:2 Comment(1)

Is there a subtle difference between iteration and passes that I am missing? I would have used them interchangeably. – Tensimeter 22/9, 2018 at 3:46

Recommended topics

#Godot #Unity #Godot 4.X #Mongodb

Hot tags

Godot Unity Godot Help Programming Godot 4.X GUI GDScript 3D 2D Physics CSharp Godot 3.X VR XR Projects C++

© 2022 - 2024 — McMap. All rights reserved.