- Nerdigy
- \
- How It Works: The PBKDF2 Algorithm
How It Works: The PBKDF2 Algorithm
In today’s digital landscape, securing user data is more critical than ever—especially when it comes to passwords. In this post, we’ll dive into the PBKDF2 (Password-Based Key Derivation Function 2) hashing algorithm, a robust method for protecting passwords against brute-force and rainbow table attacks.
🔒 Understanding PBKDF2
📖 Definition and Purpose
PBKDF2, which was introduced in RFC 2898, is a cryptographic algorithm designed to secure passwords by applying a pseudorandom function (often HMAC) to the input password along with a salt, repeating the process many times (iterations) to produce a derived key. This approach significantly increases the computational effort required to perform brute-force attacks, making it a robust choice for password hashing.
🔑 Key Concepts Behind PBKDF2
PBKDF2’s strength lies in its ability to resist various attack vectors by incorporating several key elements:
- Salting: Salting adds a unique random value to each password before hashing, ensuring that even identical passwords result in different hashes. This prevents attackers from using precomputed tables to crack multiple passwords simultaneously.
- Iterations: The algorithm applies the hash function repeatedly (thousands or more times), which slows down the hashing process intentionally. This extra computation, also known as a work factor, makes brute-force attacks more time-consuming and costly.
- Derived Key Length: PBKDF2 allows developers to specify the length of the output hash, enabling flexibility in meeting different security requirements and integrating with various systems.
Together, these elements form the core of PBKDF2, balancing performance and security to protect user credentials effectively.
💻 C# Implementation Example
Here’s a concise example of how to implement PBKDF2 in C# using the KeyDerivation.Pbkdf2 method:
using Microsoft.AspNetCore.Cryptography.KeyDerivation;
using System;
using System.Security.Cryptography;
public class PBKDF2Example
{
// Size in bytes for the salt and hash
private const int SaltSize = 16; // 128-bit salt
private const int HashSize = 16; // 128-bit hash
// Number of iterations – you can increase this for more security (at the cost of performance)
private const int Iterations = 100_000;
// The PsuedoRandomFunction (PRF) to use for the key derivation algorithm
private const KeyDerivationPrf PseudoRandomFunction = KeyDerivationPrf.HMACSHA512;
/// <summary>
/// Returns a hashed representation of the supplied <paramref name="password"/>.
/// </summary>
/// <param name="password">The password to hash.</param>
/// <returns>A hashed representation of the supplied <paramref name="password"/>.</returns>
public static string HashPassword(string password)
{
// Generate a random salt value so two identical passwords will not have the same hash
var salt = RandomNumberGenerator.GetBytes(SaltSize);
// Derive a cryptographic key from the password and salt
var subkey = KeyDerivation.Pbkdf2(password, salt, PseudoRandomFunction, Iterations, HashSize);
var bytes = new byte[13 + salt.Length + subkey.Length];
bytes[0] = 0x01; // format marker
// Write the PRF, iteration count, and salt length to the byte array
BinaryPrimitives.WriteUInt32BigEndian(bytes.AsSpan(1), (uint)PseudoRandomFunction);
BinaryPrimitives.WriteUInt32BigEndian(bytes.AsSpan(5), Iterations);
BinaryPrimitives.WriteUInt32BigEndian(bytes.AsSpan(9), (uint)salt.Length);
// Copy the salt and derived key to the byte array
Buffer.BlockCopy(salt, 0, bytes, 13, salt.Length);
Buffer.BlockCopy(subkey, 0, bytes, 13 + SaltSize, subkey.Length);
// Convert the byte array to a Base64-encoded string for storage
return Convert.ToBase64String(bytes);
}
public static void Main()
{
var password = "MySecurePassword";
var hash = HashPassword(password);
Console.WriteLine($"PBKDF2 hash: {hash}");
}
}The above example does a few things:
- It generates a random salt using
RandomNumberGenerator.GetBytes. - It derives a cryptographic key from the password and salt using the
KeyDerivation.Pbkdf2method. - It combines the salt and derived key along with additional details into a single byte array.
- It converts the byte array to a Base64-encoded string for storage or transmission.
We add a format marker (0x01) at the beginning of the byte array to indicate the structure of the hash. The remaining bytes contain the PseudoRandomFunction (PRF), iteration count, salt length, salt, and derived key. This format alows us to verify the password later by extracting the metadata and recomputing the derived key.
🔐 Verifying the Password
Now that we’ve created a method to hash a password, we can verify a password matches a hash by following these steps:
- Validate the hash format matches the expected structure.
- Extract the salt, work factor (number of iterations), and pseudorandom function from the hash.
- Recompute the derived key using the same parameters.
- Compare the computed key with the stored key using a constant-time comparison method.
Here’s an example of how to verify a password using the PBKDF2 algorithm in C#:
using System;
using System.Buffers.Binary;
using System.Security.Cryptography;
using Microsoft.AspNetCore.Cryptography.KeyDerivation;
public class PBKDF2Example
{
// Previous code omitted for brevity
/// <summary>
/// Returns a flag indicating whether the provided <paramref name="password"/> matches the hashed <paramref name="passwordHash"/>.
/// </summary>
/// <param name="password">The password supplied for comparison.</param>
/// <param name="passwordHash">The hash value for a user's stored password.</param>
/// <returns>True if the password matches the password hash, otherwise false.</returns>
/// <remarks>Implementations of this method should be time consistent.</remarks>
public static bool VerifyPassword(string password, string passwordHash)
{
try
{
// Decode the original hash from Base64
var bytes = Convert.FromBase64String(passwordHash);
// Add logic here to handle different hash formats based on the format marker here
if (bytes[0] != 0x01)
throw new InvalidOperationException("Invalid hash format");
// Read the metadata used to generate the hash
var prf = (KeyDerivationPrf)BinaryPrimitives.ReadUInt32BigEndian(bytes.AsSpan(1));
var iterations = (int)BinaryPrimitives.ReadUInt32BigEndian(bytes.AsSpan(5));
var saltSize = (int)BinaryPrimitives.ReadUInt32BigEndian(bytes.AsSpan(9));
// Read the salt: must be >= 128 bits
if (saltSize < SaltSize)
return false;
var salt = new byte[saltSize];
// Copy the salt from the hash
Buffer.BlockCopy(bytes, 13, salt, 0, salt.Length);
// Read the subkey: must be >= 128 bits
var hashSize = bytes.Length - 13 - salt.Length;
if (hashSize < HashSize)
return false;
var expected = new byte[hashSize];
// Copy the subkey from the hash for comparison
Buffer.BlockCopy(bytes, 13 + salt.Length, expected, 0, expected.Length);
// Compute the derived key using the same parameters
var actual = KeyDerivation.Pbkdf2(password, salt, prf, iterations, hashSize);
// Compare the derived key with the stored key
return CryptographicOperations.FixedTimeEquals(actual, expected);
}
catch
{
// This should never occur except in the case of a malformed payload, where
// we might go off the end of the array. Regardless, a malformed payload
// implies verification failed.
return false;
}
}
}One important aspect to note is the use of CryptographicOperations.FixedTimeEquals to compare the derived key with the stored key. This method ensures that the comparison is time consistent, preventing timing attacks that could reveal information about the hash.
A standard comparison method might exit early when a mismatch is found, potentially leaking information about the matching bytes through timing differences—a vulnerability known as a timing attack. Using a constant-time comparison helps protect against such side-channel attacks by ensuring that the execution time doesn’t reveal any details about the contents of the arrays.
🎯 Conclusion
In this blog post, we’ve taken a look at the PBKDF2 algorithm, focusing on how it securely transforms a password into a cryptographic key and how to implement it in C# using the KeyDerivation.Pbkdf2 method. We explored the key concepts of salting, iterations, and derived key length, walked through a practical example of hashing a password, and detailed how the byte array is constructed and later used to verify a password.
By understanding each step—from generating a unique salt and deriving the key to securely comparing stored and computed values—you now have a solid foundation for implementing robust password security in your applications. Remember, tweaking parameters like the iteration count and key length is crucial to balance security and performance, so always tailor these values to meet your specific needs. The full source code for this example can be found on GitHub
If you’re building a .NET application and considering using Microsoft Identity, you’re probably best served leveraging the built-in PasswordHasher class to simplify password hashing and verification. The above examples are mostly a simplified version of what’s happening under the hood in that class.
For more advanced scenarios and deeper insights, consider reviewing the official ASP.NET Core documentation and other resources on secure password storage. Until next time, stay curious! 🚀