How does PBKDF2 using HMAC SHA-1 return more than 20 bytes?

If Node crypto.PBKDF2 uses HMAC SHA-1, how can the key be longer than 20 bytes?

Here is what I understand (obviously wrong): crypto.PBKDF2(password, salt, iterations, keylen, callback) uses HMAC SHA-1 to hash the password with the salt. Then it takes this hash and hashes it with the same salt. It repeats that for however many iterations you specify, and then it returns the result. The result is truncated to the number of bytes you specify in keylen.

SHA-1 outputs 160 bits, or 20 bytes. However, I can request a keylen of more than 20 bytes from crypto.PBKDF2, and after the 20th byte the data is not repeated. That doesn't make sense to me.

What am I not understanding here?

Try:

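    var c = require('crypto');

    // Current Node versions require the digest argument; 'sha1' matches the question.
    c.pbkdf2('password', 'salt', 1, 21, 'sha1', function(err, key) {
      for (var i = 0; i < key.length; i++) {
        console.log(key[i].toString(36));
      }
    });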

I would expect to see some kind of pattern after the 20th byte, but I do not.

+4
1 answer

To get the i-th block, PBKDF2 runs the complete key derivation, with i concatenated to the salt. Thus, to get your 21st byte, it runs the derivation again using a different effective salt, resulting in a completely different output. This means that getting 21 bytes is twice as expensive as getting 20 bytes.


I recommend against using PBKDF2 to get more than the natural output size of the underlying hash. Often this only slows down the defender, not the attacker.

I would prefer to run PBKDF2 once to get one master key, and then use HKDF to get some secrets. See "How to connect PBKDF2, generating both the AES key and the HMAC key for encryption, then the MAC?" on crypto.SE.

+6
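The block structure described in the answer, rebuilt by hand as an added example (not code from the original post). The helper names `pbkdf2Block` and `pbkdf2Manual` and the sample inputs are constructed for illustration; the result is checked against Node's built-in `crypto.pbkdf2Sync`, and the HMAC call count shows the cost of asking for a 21st byte.

```javascript
const crypto = require('crypto');

const HLEN = 20; // HMAC-SHA1 output size in bytes

// One PBKDF2 block (function F in RFC 8018):
//   U1 = HMAC(P, salt || INT32BE(i)), Uj = HMAC(P, U(j-1)),
//   block = U1 xor U2 xor ... xor Uc
function pbkdf2Block(password, salt, iterations, blockIndex, counter) {
  const idx = Buffer.alloc(4);
  idx.writeUInt32BE(blockIndex, 0);
  let u = crypto.createHmac('sha1', password).update(salt).update(idx).digest();
  counter.hmacCalls++;
  const t = Buffer.from(u); // running XOR of all U values
  for (let j = 1; j < iterations; j++) {
    u = crypto.createHmac('sha1', password).update(u).digest();
    counter.hmacCalls++;
    for (let k = 0; k < HLEN; k++) t[k] ^= u[k];
  }
  return t;
}

// Concatenate as many blocks as keylen needs, then truncate to keylen.
function pbkdf2Manual(password, salt, iterations, keylen) {
  const counter = { hmacCalls: 0 };
  const blocks = [];
  for (let i = 1; i <= Math.ceil(keylen / HLEN); i++) {
    blocks.push(pbkdf2Block(password, salt, iterations, i, counter));
  }
  const key = Buffer.concat(blocks).subarray(0, keylen);
  return { key, hmacCalls: counter.hmacCalls };
}

// Constructed sample inputs
const ITER = 1000;
const r20 = pbkdf2Manual('password', 'salt', ITER, 20);
const r21 = pbkdf2Manual('password', 'salt', ITER, 21);
const builtin = crypto.pbkdf2Sync('password', 'salt', ITER, 21, 'sha1');

console.log('matches crypto.pbkdf2Sync:', r21.key.equals(builtin));
console.log('first 20 bytes unchanged: ', r21.key.subarray(0, 20).equals(r20.key));
console.log('HMAC calls for 20 bytes:  ', r20.hmacCalls);
console.log('HMAC calls for 21 bytes:  ', r21.hmacCalls);
```

The 21st byte comes from a second block whose first HMAC input is the salt followed by the 4-byte counter 2, which is why it shows no relation to the first 20 bytes.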