  <div class="section" id="pbkdf-algorithms">
<span id="pbkdf"></span><h1>PBKDF Algorithms<a class="headerlink" href="#pbkdf-algorithms" title="Permalink to this headline">¶</a></h1>
<p>There are various procedures for turning a passphrase into an
arbitrary-length key for use with a symmetric cipher. A general interface for
such algorithms is presented in <tt class="docutils literal"><span class="pre">pbkdf.h</span></tt>. The main function is
<tt class="docutils literal"><span class="pre">derive_key</span></tt>, which takes a passphrase, a salt, an iteration count,
and the desired length of the output key, and returns a key of that
length, deterministically produced from the passphrase and salt. If an
algorithm can&#8217;t produce a key of that size, it will throw an exception
(most notably, PKCS #5&#8217;s PBKDF1 can only produce strings between 1 and
$n$ bytes, where $n$ is the output size of the underlying hash</p>
<p>The purpose of the iteration count is to make the algorithm take
longer to compute the final key (reducing the speed of brute-force
attacks of various kinds). Most standards recommend an iteration count
of at least 10000. Currently defined PBKDF algorithms are
&#8220;PBKDF1(digest)&#8221;, &#8220;PBKDF2(digest)&#8221;, and &#8220;OpenPGP-S2K(digest)&#8221;; you can
retrieve any of these using the <tt class="docutils literal"><span class="pre">get_pbkdf</span></tt> function, found in
<tt class="docutils literal"><span class="pre">lookup.h</span></tt>. As of this writing, &#8220;PBKDF2(SHA-256)&#8221; with 10000
iterations and a 16-byte salt is recommended for new applications.</p>
<dl class="function">
<dt id="PBKDF::derive_key__s.ssCR.byteCP.s.sC">
OctetString <tt class="descclassname">PBKDF::</tt><tt class="descname">derive_key</tt><big>(</big>size_t <em>output_len</em>, const std::string&amp; <em>passphrase</em>, const byte* <em>salt</em>, size_t <em>salt_len</em>, size_t <em>iterations</em><big>)</big><tt class="descclassname"> const</tt><a class="headerlink" href="#PBKDF::derive_key__s.ssCR.byteCP.s.sC" title="Permalink to this definition">¶</a></dt>
<dd><p>Computes a key from <em>passphrase</em> and the <em>salt</em> (of length
<em>salt_len</em> bytes) using an algorithm-specific interpretation of
<em>iterations</em>, producing a key of length <em>output_len</em>.</p>
<p>Use an iteration count of at least 10000. The salt should be
randomly chosen by a good random number generator (see
<a class="reference internal" href="rng.html#random-number-generators"><em>Random Number Generators</em></a> for how), or at the very least
unique to this usage of the passphrase.</p>
<p>If you call this function again with the same parameters, you will
get the same key.</p>

<div class="highlight-cpp"><div class="highlight"><pre><span class="n">PBKDF</span><span class="o">*</span> <span class="n">pbkdf</span> <span class="o">=</span> <span class="n">get_pbkdf</span><span class="p">(</span><span class="s">&quot;PBKDF2(SHA-256)&quot;</span><span class="p">);</span>
<span class="n">AutoSeeded_RNG</span> <span class="n">rng</span><span class="p">;</span>

<span class="n">SecureVector</span><span class="o">&lt;</span><span class="n">byte</span><span class="o">&gt;</span> <span class="n">salt</span> <span class="o">=</span> <span class="n">rng</span><span class="p">.</span><span class="n">random_vec</span><span class="p">(</span><span class="mi">16</span><span class="p">);</span>
<span class="n">OctetString</span> <span class="n">aes256_key</span> <span class="o">=</span> <span class="n">pbkdf</span><span class="o">-&gt;</span><span class="n">derive_key</span><span class="p">(</span><span class="mi">32</span><span class="p">,</span> <span class="s">&quot;password&quot;</span><span class="p">,</span>
                                           <span class="o">&amp;</span><span class="n">salt</span><span class="p">[</span><span class="mi">0</span><span class="p">],</span> <span class="n">salt</span><span class="p">.</span><span class="n">size</span><span class="p">(),</span>
                                           <span class="mi">10000</span><span class="p">);</span>
</pre></div>
</div>
</dd></dl>
<div class="section" id="openpgp-s2k">
<h2>OpenPGP S2K<a class="headerlink" href="#openpgp-s2k" title="Permalink to this headline">¶</a></h2>
<p>There are some oddities about OpenPGP&#8217;s S2K algorithms that are
documented here. For one thing, it uses the iteration count in a
strange manner; instead of specifying how many times to iterate the
hash, it tells how many <em>bytes</em> should be hashed in total
(including the salt). So the exact iteration count will depend on the
size of the salt (which is fixed at 8 bytes by the OpenPGP standard,
though the implementation will allow any salt size) and the size of
the passphrase.</p>
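<p>The byte-count behaviour described above, as an added example that is not the library's own code: a Python implementation of the S2K procedure as RFC 4880 (section 3.7.1) specifies it, covering the simple, salted, and salted-and-iterated forms. The names <tt class="docutils literal"><span class="pre">openpgp_s2k</span></tt> and <tt class="docutils literal"><span class="pre">passphrase_passes</span></tt> are hypothetical, and the salt and passphrases are constructed sample values.</p>

```python
import hashlib


def openpgp_s2k(passphrase: bytes, salt: bytes = b"", count: int = 0,
                out_len: int = 16, digest: str = "sha1") -> bytes:
    """OpenPGP string-to-key as described in RFC 4880, section 3.7.1.

    count is the total number of bytes fed to the hash (salt included),
    not a number of hash invocations. count=0 with no salt is Simple S2K;
    count=0 with a salt is Salted S2K.
    """
    block = salt + passphrase
    # At least one full copy of salt+passphrase is always hashed.
    total = max(count, len(block))
    key = b""
    preload = 0
    while len(key) < out_len:
        h = hashlib.new(digest)
        # Keys longer than one digest come from extra hash contexts,
        # each preloaded with one more zero byte than the previous one.
        h.update(b"\x00" * preload)
        if block:
            full, rest = divmod(total, len(block))
            for _ in range(full):
                h.update(block)
            h.update(block[:rest])  # final, possibly partial, copy
        key += h.digest()
        preload += 1
    return key[:out_len]


def passphrase_passes(count: int, salt_len: int, passphrase_len: int) -> float:
    """How many times the passphrase is effectively hashed for a given count."""
    block_len = salt_len + passphrase_len
    if block_len == 0:
        return 0.0
    return max(count, block_len) / block_len


if __name__ == "__main__":
    salt = bytes(range(8))  # constructed sample salt; use an RNG in practice
    for pw in (b"hunter2!", b"x" * 56):  # constructed sample passphrases
        # The same count gives fewer passes for the longer passphrase.
        print(len(pw), passphrase_passes(65536, len(salt), len(pw)),
              openpgp_s2k(pw, salt, 65536).hex())
```

<p>With a count of 65536 and an 8-byte salt, an 8-byte passphrase is hashed 4096 times but a 56-byte passphrase only 1024 times, which is why the count should be much larger than the longest expected passphrase.</p>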
<p>To get what OpenPGP calls &#8220;Simple S2K&#8221;, set iterations to 0, and do
not specify a salt. To get &#8220;Salted S2K&#8221;, again leave the iteration
count at 0, but give an 8-byte salt. &#8220;Salted and Iterated S2K&#8221;
requires an 8-byte salt and some iteration count (this should be
significantly larger than the size of the longest passphrase that
might reasonably be used; somewhere from 1024 to 65536 would probably
be about right). Using both a reasonably sized salt and a large
iteration count is highly recommended to prevent password guessing

