One curious note is that NIST recommends PBKDF2 for master key derivation, and specifically writes, "The MK [PBKDF2 output] shall not be used for other purposes." Perhaps the document was meant to document just KDFs. Since the hashes are one-way anyway, I don't see it making a difference for use as "password digests."

On Thu, Aug 16, 2012 at 2:15 AM, Jon Callas <[email protected]> wrote:

> On Aug 15, 2012, at 4:50 PM, [email protected]:
>
> > Any reason PBKDF2 shouldn't be used for (storing) hashed passwords?
>
> My recommendation is that you should use it. It's even got a NIST
> document, now:
>
> http://csrc.nist.gov/publications/nistpubs/800-132/nist-sp800-132.pdf
>
> To be the most rigorous, use PBKDF2-HMAC-SHA[12]. It doesn't matter a lot
> which hash function you're using if you're doing the HMAC version. The
> major difference will be the number of iterations. SHA2 is slower than
> SHA1, so you'll use fewer iterations. SHA512 is faster on a 64-bit
> processor than SHA256, which puts a small wrench in things.
>
> Use lots of iterations. Calibrate them against real time -- enough for
> 100ms or more, for example, rather than a fixed count. If you're worried,
> then add more iterations.
>
> Jon

_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography
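
The calibration advice in the quoted message (pick the iteration count from measured time rather than a fixed number), sketched as an added example that is not part of the original thread or any poster's code. The record layout, the function names, the 16-byte salt and the `floor` value are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import time

ALLOWED = {"sha1", "sha256", "sha512"}  # PBKDF2-HMAC variants accepted on verify

def calibrate_iterations(target_seconds=0.1, hash_name="sha256",
                         probe=20_000, floor=10_000):
    """Time a probe run on this host and scale it to ~target_seconds.
    `floor` is an assumed lower bound so a fast or noisy probe never
    yields a tiny count."""
    salt = os.urandom(16)
    start = time.perf_counter()
    hashlib.pbkdf2_hmac(hash_name, b"calibration", salt, probe)
    elapsed = max(time.perf_counter() - start, 1e-9)
    return max(floor, int(probe * target_seconds / elapsed))

def hash_password(password, iterations, hash_name="sha256"):
    """Return 'pbkdf2-<hash>$<iterations>$<salt hex>$<digest hex>'.
    Storing the count in the record lets it be raised later."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac(hash_name, password.encode("utf-8"),
                             salt, iterations)
    return f"pbkdf2-{hash_name}${iterations}${salt.hex()}${dk.hex()}"

def _parse(record):
    scheme, iterations, salt_hex, dk_hex = record.split("$")
    prefix, _, hash_name = scheme.partition("-")
    if prefix != "pbkdf2" or hash_name not in ALLOWED:
        raise ValueError("unsupported scheme")
    return hash_name, int(iterations), bytes.fromhex(salt_hex), bytes.fromhex(dk_hex)

def verify_password(password, record):
    """Recompute with the stored parameters; compare in constant time."""
    try:
        hash_name, iterations, salt, expected = _parse(record)
        dk = hashlib.pbkdf2_hmac(hash_name, password.encode("utf-8"),
                                 salt, iterations)
    except (ValueError, OverflowError):
        return False  # malformed or unsupported record
    return hmac.compare_digest(dk, expected)

def needs_rehash(record, current_iterations):
    """True when a record was made with fewer iterations than today's
    calibrated count, so it can be upgraded at the next successful login."""
    return _parse(record)[1] < current_iterations
```

Running `calibrate_iterations()` once at deployment and again after hardware changes keeps the cost tied to wall-clock time on the machine that actually verifies logins.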
