堆栈内存溢出
  简体   繁体   English

PBKDF2-使用SHA512生成1024位密钥长度时会发生什么?

[英]PBKDF2 - What happens when generating 1024 bits key length with SHA512?

 原文  2017-06-06 18:07:51       java/ cryptography/ pbkdf2/ secret-key

问题描述

I have this code snippet to generate key with PBKDF2. 我有此代码段以使用PBKDF2生成密钥。 

SecretKeyFactory skf = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA512");
        PBEKeySpec spec = new PBEKeySpec(password.toCharArray(), salt.getBytes(), iterations, length);
        SecretKey key = skf.generateSecret(spec);
        byte[] res = key.getEncoded();

I am wondering how generating works when a key lengthis longer than specified SHA digest algorithm type? 我想知道当密钥长度超过指定的SHA摘要算法类型时生成如何工作?

For example - what happens when I set a key length of 1024 bits and use PBKDF2WithHmacSHA512 algorithm? 例如-当我将密钥长度设置为1024位并使用PBKDF2WithHmacSHA512算法时会发生什么? Where are 512 bits generated? 512位在哪里生成?

2 个解决方案

解决方案1
 3 已采纳  2017-06-06 23:19:17

In general it is not advised to ask for more than the hash length as each block is run through all the iterations again: 通常,不建议要求超过散列长度,因为每个块都会在所有迭代中再次运行:

According to Wikipedia (which has a somewhat more readable format than PKCS#5): 根据Wikipedia(其格式比PKCS#5更具可读性): 

 DK = T1 || T2 || ... || Tdklen/hlen Ti = F(Password, Salt, c, i)

here c is the iteration count by the way. 这里c是迭代计数。

The problem with this is that generally large amounts of key material are only used when the result is split into multiple components. 这样做的问题是, 通常仅在将结果分为多个部分时才使用大量密钥材料。 And if an attacker can verify a good password guess using only - say - the first 128 bits then the attacker has to do less work than the legitimate user of the algorithm. 而且,如果攻击者仅使用前128位(例如,前128位)就可以验证一个很好的密码猜测,那么与该算法的合法用户相比,攻击者所要做的工作就更少。

One way of resolving this is to split the output of PBKDF2 using a KBKDF such as HKDF using different labels (information that is also hashed). 解决此问题的一种方法是使用KBK(例如HKDF)使用不同的标签(信息也经过哈希处理)拆分PBKDF2的输出。 That way you can generate almost infinite amount of key material without running through all the iterations for each 512 bits. 这样,您可以生成几乎无限数量的密钥材料,而无需为每个512位进行所有迭代。

Note that 512 bits is enough for two very secure AES-256 bit keys. 请注意,对于两个非常安全的AES-256位密钥,512位就足够了。 So that's one very good reason to use SHA-512 for PBKDF2. 因此,这是将SHA-512用于PBKDF2的一个很好的理由。 Note that on 64 bit machines SHA-512 may be faster than SHA-256 while delivering more output material and security. 请注意,在64位计算机上,SHA-512可能比SHA-256 快,同时提供更多的输出资料和安全性。

解决方案2
 2  2017-06-06 20:42:05

Per PBKDF2 每个PBKDF2 

dkLen is the desired length of the derived key
DK is the generated derived key

Each hLen -bit block Ti of derived key DK , is computed as follows: 派生密钥DK每个hLen位块Ti的计算如下: 

DK = T1 || T2 || ... || Tdklen/hlen

The derived byte array can be an arbitrary length not based on the hash algorithm. 派生的字节数组可以是不基于哈希算法的任意长度。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 来自“PBKDF2WithHmacSHA512”的java散列与python CRYPT(digest_alg ='pbkdf2(1000,20,sha512)',salt = True)(密码)[0]不同 - java hash from “PBKDF2WithHmacSHA512” is differs from python CRYPT(digest_alg='pbkdf2(1000,20,sha512)', salt=True)(password)[0]) SHA512使用密钥进行散列 - SHA512 hashing with secret key android sha512示例 - android sha512 example “咸化”时,SHA512哈希提供不正确的(?)结果 - SHA512 hashing gives incorrect (?) results when “salted” Android 5 上带有 Sha256 的 PBKDF2 - PBKDF2 With Sha256 on Android 5 C#和Java中的SHA512是不同的 - SHA512 in C # and Java are different 春季启动和使用SHA512密码的LDAP - Spring boot and LDAP with SHA512 password SHA512客户端握手实现 - SHA512 client handshake implementation Jmeter如何生成哈希sha512 - Jmeter how to generate hash sha512 Keycloack 是一个 MessageDigestPasswordEncoder sha512 存在吗? - Keycloack is a MessageDigestPasswordEncoder sha512 exists?
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM