| // Copyright 2012 The Go Authors. All rights reserved. |
| // Use of this source code is governed by a BSD-style |
| // license that can be found in the LICENSE file. |
| |
| /* |
| Package pbkdf2 implements the key derivation function PBKDF2 as defined in RFC |
| 2898 / PKCS #5 v2.0. |
| |
| A key derivation function is useful when encrypting data based on a password |
| or any other not-fully-random data. It uses a pseudorandom function to derive |
| a secure encryption key based on the password. |
| |
| While v2.0 of the standard defines only one pseudorandom function to use, |
| HMAC-SHA1, the drafted v2.1 specification allows use of all five FIPS Approved |
| Hash Functions SHA-1, SHA-224, SHA-256, SHA-384 and SHA-512 for HMAC. To |
| choose, you can pass the `New` functions from the different SHA packages to |
| pbkdf2.Key. |
| */ |
| package pbkdf2 |
| |
| import ( |
| "crypto/hmac" |
| "hash" |
| ) |
| |
| // Key derives a key from the password, salt and iteration count, returning a |
| // []byte of length keylen that can be used as cryptographic key. The key is |
| // derived based on the method described as PBKDF2 with the HMAC variant using |
| // the supplied hash function. |
| // |
| // For example, to use a HMAC-SHA-1 based PBKDF2 key derivation function, you |
| // can get a derived key for e.g. AES-256 (which needs a 32-byte key) by |
| // doing: |
| // |
| // dk := pbkdf2.Key([]byte("some password"), salt, 4096, 32, sha1.New) |
| // |
| // Remember to get a good random salt. At least 8 bytes is recommended by the |
| // RFC. |
| // |
| // Using a higher iteration count will increase the cost of an exhaustive |
| // search but will also make derivation proportionally slower. |
| func Key(password, salt []byte, iter, keyLen int, h func() hash.Hash) []byte { |
| prf := hmac.New(h, password) |
| hashLen := prf.Size() |
| numBlocks := (keyLen + hashLen - 1) / hashLen |
| |
| var buf [4]byte |
| dk := make([]byte, 0, numBlocks*hashLen) |
| U := make([]byte, hashLen) |
| for block := 1; block <= numBlocks; block++ { |
| // N.B.: || means concatenation, ^ means XOR |
| // for each block T_i = U_1 ^ U_2 ^ ... ^ U_iter |
| // U_1 = PRF(password, salt || uint(i)) |
| prf.Reset() |
| prf.Write(salt) |
| buf[0] = byte(block >> 24) |
| buf[1] = byte(block >> 16) |
| buf[2] = byte(block >> 8) |
| buf[3] = byte(block) |
| prf.Write(buf[:4]) |
| dk = prf.Sum(dk) |
| T := dk[len(dk)-hashLen:] |
| copy(U, T) |
| |
| // U_n = PRF(password, U_(n-1)) |
| for n := 2; n <= iter; n++ { |
| prf.Reset() |
| prf.Write(U) |
| U = U[:0] |
| U = prf.Sum(U) |
| for x := range U { |
| T[x] ^= U[x] |
| } |
| } |
| } |
| return dk[:keyLen] |
| } |