Skip to main content

B.1. Pseudorandom Functions

B.1. Pseudorandom Functions

Examples of pseudorandom function for PBKDF2 (Section 5.2) include HMAC with SHA-1, SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, and SHA-512/256. Applications may employ other schemes as well.

B.1.1. HMAC-SHA-1

HMAC-SHA-1 is the pseudorandom function corresponding to the HMAC message authentication code [RFC2104] based on the SHA-1 hash function [NIST180]. The pseudorandom function is the same function by which the message authentication code is computed, with a full-length output. (The first argument to the pseudorandom function PRF serves as HMAC's "key", and the second serves as HMAC's "text". In the case of PBKDF2, the "key" is thus the password and the "text" is the salt.) HMAC-SHA-1 has a variable key length and a 20-octet (160-bit) output value.

Although the length of the key to HMAC-SHA-1 is essentially unbounded, the effective search space for pseudorandom function outputs may be limited by the structure of the function. In particular, when the key is longer than 512 bits, HMAC-SHA-1 will first hash it to 160 bits. Thus, even if a long derived key consisting of several pseudorandom function outputs is produced from a key, the effective search space for the derived key will be at most 160 bits. Although the specific limitation for other key sizes depends on details of the HMAC construction, one should assume, to be conservative, that the effective search space is limited to 160 bits for other key sizes as well.

(The 160-bit limitation should not generally pose a practical limitation in the case of password-based cryptography, since the search space for a password is unlikely to be greater than 160 bits.)

The object identifier id-hmacWithSHA1 identifies the HMAC-SHA-1 pseudorandom function:

id-hmacWithSHA1 OBJECT IDENTIFIER ::= {digestAlgorithm 7}

The parameters field associated with this OID in an AlgorithmIdentifier shall have type NULL. This object identifier is employed in the object set PBKDF2-PRFs (Appendix A.2).

Note: Although HMAC-SHA-1 was designed as a message authentication code, its proof of security is readily modified to accommodate requirements for a pseudorandom function, under stronger assumptions. A hash function may also meet the requirements of a pseudorandom function under certain assumptions. For instance, the direct application of a hash function to the concatenation of the "key" and the "text" may be appropriate, provided that "text" has appropriate structure to prevent certain attacks. HMAC-SHA-1 is preferable, however, because it treats "key" and "text" as separate arguments and does not require "text" to have any structure.

During 2004 and 2005, there were a number of attacks on SHA-1 that reduced its perceived effective strength against collision attacks to 62 bits instead of the expected 80 bits (e.g., Wang et al. [WANG], confirmed by M. Cochran [COCHRAN]). However, since these attacks centered on finding collisions between values, they are not a direct security consideration here because the collision-resistant property is not required by the HMAC authentication scheme.

B.1.2. HMAC-SHA-2

HMAC-SHA-2 refers to the set of pseudorandom functions corresponding to the HMAC message authentication code (now a FIPS standard [NIST198]) based on the new SHA-2 functions (FIPS 180-4 [NIST180]). HMAC-SHA-2 has a variable key length and variable output value depending on the hash function chosen (SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, or SHA-512/256) -- that is, 28, 32, 48, or 64 octets.

Using the new hash functions extends the search space for the produced keys. Where SHA-1 limits the search space to 20 octets, SHA-2 sets new limits of 28, 32, 48, and 64 octets.

Object identifiers for HMAC are defined as follows:

id-hmacWithSHA224 OBJECT IDENTIFIER ::= {digestAlgorithm 8}
id-hmacWithSHA256 OBJECT IDENTIFIER ::= {digestAlgorithm 9}
id-hmacWithSHA384 OBJECT IDENTIFIER ::= {digestAlgorithm 10}
id-hmacWithSHA512 OBJECT IDENTIFIER ::= {digestAlgorithm 11}
id-hmacWithSHA512-224 OBJECT IDENTIFIER ::= {digestAlgorithm 12}
id-hmacWithSHA512-256 OBJECT IDENTIFIER ::= {digestAlgorithm 13}
Last updated on