A.2. PBKDF2

The object identifier id-PBKDF2 identifies the PBKDF2 key derivation function (Section 5.2).

id-PBKDF2 OBJECT IDENTIFIER ::= {pkcs-5 12}

The parameters field associated with this OID in an AlgorithmIdentifier shall have type PBKDF2-params:

PBKDF2-params ::= SEQUENCE {
    salt CHOICE {
        specified OCTET STRING,
        otherSource AlgorithmIdentifier {{PBKDF2-SaltSources}}
    },
    iterationCount INTEGER (1..MAX),
    keyLength INTEGER (1..MAX) OPTIONAL,
    prf AlgorithmIdentifier {{PBKDF2-PRFs}} DEFAULT
    algid-hmacWithSHA1 }

The fields of type PBKDF2-params have the following meanings:

  • salt specifies the salt value or the source of the salt value. It shall either be an octet string or an algorithm ID with an OID in the set PBKDF2-SaltSources, which is reserved for future versions of PKCS #5.

    The salt-source approach is intended to indicate how the salt value is to be generated as a function of parameters in the algorithm ID, application data, or both. For instance, it may indicate that the salt value is produced from the encoding of a structure that specifies detailed information about the derived key as suggested in Section 4.1. Some of the information may be carried elsewhere, e.g., in the encryption algorithm ID. However, such facilities are deferred to a future version of PKCS #5.

    In this version, an application may achieve the benefits mentioned in Section 4.1 by choosing a particular interpretation of the salt value in the specified alternative.

    PBKDF2-SaltSources ALGORITHM-IDENTIFIER ::= { ... }

  • iterationCount specifies the iteration count. The maximum iteration count allowed depends on the implementation. It is expected that implementation profiles may further constrain the bounds.

  • keyLength, an optional field, is the length in octets of the derived key. The maximum key length allowed depends on the implementation; it is expected that implementation profiles may further constrain the bounds. The field is provided for convenience only; the key length is not cryptographically protected. If there is concern about interaction between operations with different key lengths for a given salt (see Section 4.1), the salt should distinguish among the different key lengths.

  • prf identifies the underlying pseudorandom function. It shall be an algorithm ID with an OID in the set PBKDF2-PRFs, which for this version of PKCS #5 shall consist of id-hmacWithSHA1 (see Appendix B.1.1) and any other OIDs defined by the application.

    PBKDF2-PRFs ALGORITHM-IDENTIFIER ::= {
        {NULL IDENTIFIED BY id-hmacWithSHA1},
        {NULL IDENTIFIED BY id-hmacWithSHA224},
        {NULL IDENTIFIED BY id-hmacWithSHA256},
        {NULL IDENTIFIED BY id-hmacWithSHA384},
        {NULL IDENTIFIED BY id-hmacWithSHA512},
        {NULL IDENTIFIED BY id-hmacWithSHA512-224},
        {NULL IDENTIFIED BY id-hmacWithSHA512-256},
        ...
    }

The default pseudorandom function is HMAC-SHA-1:

algid-hmacWithSHA1 AlgorithmIdentifier {{PBKDF2-PRFs}} ::=
    {algorithm id-hmacWithSHA1, parameters NULL : NULL}
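
The following added example (not part of the specification text) parses a DER-encoded PBKDF2-params value as described above, applies the HMAC-SHA-1 default when prf is absent, and refuses a keyLength that disagrees with the key size the caller's scheme requires. The function names, the sample encodings and the mismatch policy are assumptions of this example; the SHA-512/224 and SHA-512/256 PRFs are left out, and the AlgorithmIdentifier parameters are not inspected.

```python
import hashlib
# Constructed sample PBKDF2-params encodings; the salt is the ASCII bytes "salt".
SAMPLE_DEFAULT_PRF = bytes.fromhex("300c040473616c74020101020114")  # prf omitted
SAMPLE_SHA256 = bytes.fromhex("3018040473616c7402021000300c06082a864886f70d02090500")
HMAC_ARC = bytes.fromhex("2a864886f70d02")  # 1.2.840.113549.2, last arc picks the hash
PRFS = {7: "sha1", 8: "sha224", 9: "sha256", 10: "sha384", 11: "sha512"}

def tlv(buf, pos):  # read one DER TLV at pos -> (tag, value, next_pos)
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def parse_pbkdf2_params(der):
    tag, body, end = tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected exactly one SEQUENCE")
    tag, salt, pos = tlv(body, 0)
    if tag != 0x04:  # otherSource is reserved for future versions
        raise ValueError("salt must use the 'specified' OCTET STRING")
    tag, val, pos = tlv(body, pos)
    count = int.from_bytes(val, "big", signed=True)
    if tag != 0x02 or count < 1:
        raise ValueError("iterationCount must be INTEGER (1..MAX)")
    key_length, prf = None, "sha1"  # an absent prf means the default, HMAC-SHA-1
    if pos < len(body) and body[pos] == 0x02:  # OPTIONAL keyLength
        _, val, pos = tlv(body, pos)
        key_length = int.from_bytes(val, "big", signed=True)
    if pos < len(body):  # explicit prf AlgorithmIdentifier
        tag, alg, pos = tlv(body, pos)
        t, oid, _ = tlv(alg, 0)
        if tag != 0x30 or t != 0x06 or oid[:-1] != HMAC_ARC or oid[-1] not in PRFS:
            raise ValueError("prf is not an accepted HMAC OID")
        prf = PRFS[oid[-1]]
    if pos != len(body) or (key_length is not None and key_length < 1):
        raise ValueError("bad keyLength or trailing data")
    return {"salt": salt, "iterationCount": count, "keyLength": key_length, "prf": prf}

def derive_key(password, der, scheme_key_length):
    p = parse_pbkdf2_params(der)
    if p["keyLength"] not in (None, scheme_key_length):  # unauthenticated hint
        raise ValueError("keyLength disagrees with the scheme's key size")
    return hashlib.pbkdf2_hmac(p["prf"], password, p["salt"], p["iterationCount"], scheme_key_length)
```

Because keyLength is not cryptographically protected, the example takes the output size from the caller and treats the encoded value only as a consistency check.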