pbkdf2 sha1 with 32 bits

Roland van Laar

Jun 23, 2014, 10:17:35 AM
to passli...@googlegroups.com

I want to use a pbkdf2 sha1 with 32 bytes. The preconfigured pbkdf2_sha1 in passlib uses
20 bits.

What is the best way to define a pbkdf2_sha1 with 32 bytes?

I would like to use create_pbkdf2_hash, but this function is not importable
because the __all__ doesn't include it.

The only way I could find was specifying pbkdf2_sha1.checksum_size = 32


Roland van Laar

Eli Collins

Jun 23, 2014, 11:44:38 AM
to passli...@googlegroups.com
Hi Roland -

For the current release of passlib, the easiest way would probably be to subclass pbkdf2_sha1:

from passlib.hash import pbkdf2_sha1
class pbkdf2_sha1_32(pbkdf2_sha1):
    checksum_size = 32

That said, what you want isn't any more secure than pbkdf2_sha1 with 20 bytes; indirectly, it's actually *less* secure:

The way PBKDF2 implements "key stretching" is that it generates and concatenates blocks of <digest size> bytes, using a function based on the underlying digest algorithm (sha1 in this case).   So when you ask for 32 bytes of output, what actually happens is that it must calculate two 20 byte blocks (the sha1 digest size).  The catch is that each of these blocks can be calculated independently of each other.  And that's why increasing the digest size isn't any more secure: all your attacker has to do is calculate the first block in order to brute force the password, and they can just ignore the second block.

The reason it's actually *less* secure is because you're having to do work that your attacker isn't: by calculating the second block every time you verify a password, your passwords will either 1) take longer for you to calculate (but not for your attacker, who can skip the second block), or 2) force you to reduce the time-cost (the number of pbkdf2 rounds) in order to maintain your old runtime (thus reducing your attacker's workload even more).  In either case, your attacker's passwords/second rate increases in comparison to yours ... an advantage you *don't* want to give them.

If you want a 32 byte digest, I'd strongly recommend switching to pbkdf2_sha256, or stick with pbkdf2_sha1 as it is.

- Eli
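
The block independence described in the reply above, as an added example that is not part of the original thread or of passlib: it rebuilds the RFC 2898 block function with the standard library and counts HMAC calls for a full 32-byte verification versus a check of the first 20-byte block only. The function names, password, salt and round count are constructed for illustration.

```python
import hashlib
import hmac
import struct

def pbkdf2_block(password, salt, rounds, index):
    """RFC 2898 F(): one 20-byte PBKDF2-HMAC-SHA1 block; costs `rounds` HMAC calls."""
    u = hmac.new(password, salt + struct.pack(">I", index), hashlib.sha1).digest()
    acc = int.from_bytes(u, "big")
    for _ in range(rounds - 1):
        u = hmac.new(password, u, hashlib.sha1).digest()
        acc ^= int.from_bytes(u, "big")
    return acc.to_bytes(20, "big")

def defender_verify(password, salt, rounds, stored):
    """Recompute the whole checksum, as a verifier must. Returns (match, HMAC calls)."""
    nblocks = -(-len(stored) // 20)  # ceil(len / SHA-1 digest size)
    dk = b"".join(pbkdf2_block(password, salt, rounds, i)
                  for i in range(1, nblocks + 1))
    return hmac.compare_digest(dk[:len(stored)], stored), nblocks * rounds

def first_block_check(guess, salt, rounds, stored):
    """Test a guess against the first 20 bytes only. Returns (match, HMAC calls)."""
    block = pbkdf2_block(guess, salt, rounds, 1)
    return hmac.compare_digest(block, stored[:20]), rounds

# Constructed sample values (assumptions, not taken from the thread).
PASSWORD = b"correct horse"
SALT = b"constructed-salt"
ROUNDS = 1000

def demo():
    stored32 = hashlib.pbkdf2_hmac("sha1", PASSWORD, SALT, ROUNDS, dklen=32)
    stored20 = hashlib.pbkdf2_hmac("sha1", PASSWORD, SALT, ROUNDS, dklen=20)
    return {
        # The 32-byte checksum is the 20-byte one plus 12 bytes of block 2.
        "prefix_equal": stored32[:20] == stored20,
        "defender": defender_verify(PASSWORD, SALT, ROUNDS, stored32),
        "guess_right": first_block_check(PASSWORD, SALT, ROUNDS, stored32),
        "guess_wrong": first_block_check(b"wrong guess", SALT, ROUNDS, stored32),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The verifier spends twice the HMAC calls per password that a first-block check does, which is the asymmetry the reply warns about; with pbkdf2_sha256 a 32-byte checksum fits in one block and the costs are equal.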


Roland van Laar

Jun 24, 2014, 2:52:25 AM
to passli...@googlegroups.com
Thank you, I overlooked the fact that the create_pbkdf2_hash function returns a class.

Thanks as well for the explanation why I shouldn't want to do this.

We actually choose pbkdf2_sha256.
The system we are migrating away from uses the sha1 and
we want to migrate the users as well.

