
This is an old revision of the document!


Request for Comments: Adding hash_pbkdf2 Function

This RFC proposes adding a hash_pbkdf2 function to the hash package.

Introduction

The purpose of this RFC is to add the PBKDF2 algorithm to the available hashing functions as a C implementation.

Why do we need PBKDF2?

PBKDF2 is defined in RFC 2898 as a method for implementing password-based cryptographic needs. These needs can include password storage, password derivation into a key (for encryption), or secure signatures. Additionally, it is NIST-recommended for password storage.

Adding a core implementation of the PBKDF2 algorithm will enable PHP projects to use a fast implementation of the algorithm, putting them on more level ground with attackers. Since the C implementation is more efficient, more rounds can be computed for the same computational cost than with a PHP-land implementation. This allows higher iteration counts, providing more security with less impact on the overall performance of the application.

Projects and Software That Currently Use PBKDF2

  • WPA and WPA2 for key derivation from password
  • OpenDocument encryption (OpenOffice.org)
  • WinZip AES encryption
  • 1Password
  • LastPass
  • Apple iOS
  • Blackberry Backup Encryption
  • Django Python Framework

Proposal and Patch

The proposal is to add a hash_pbkdf2() function to the hash extension in core. The proposed function has a signature:

string hash_pbkdf2(string algo, string password, string salt, int iterations [, int length = 0, bool raw_output = false])

The patch is available as a pull request to trunk.
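
An added example (not part of the RFC or its patch): a PHP-land PBKDF2 written from RFC 2898 section 5.2, checked against an RFC 6070 test vector and against the native function, with both timed. It assumes PHP 7 or later, where hash_pbkdf2() is available with the signature above; pbkdf2_userland is a hypothetical name.

```php
<?php
// Added example: userland PBKDF2 (RFC 2898, section 5.2) compared with the
// native hash_pbkdf2(). pbkdf2_userland() is a hypothetical helper name.

function pbkdf2_userland(string $algo, string $password, string $salt,
                         int $iterations, int $length): string
{
    if ($iterations < 1 || $length < 1) {
        throw new InvalidArgumentException('iterations and length must be >= 1');
    }
    $hLen   = strlen(hash($algo, '', true));   // digest size in bytes
    $blocks = (int) ceil($length / $hLen);     // number of T_i blocks needed
    $dk     = '';
    for ($i = 1; $i <= $blocks; $i++) {
        // U_1 = HMAC(password, salt || INT_32_BE(i))
        $u = hash_hmac($algo, $salt . pack('N', $i), $password, true);
        $t = $u;
        // U_j = HMAC(password, U_{j-1}); T_i = U_1 xor U_2 xor ... xor U_c
        for ($j = 1; $j < $iterations; $j++) {
            $u  = hash_hmac($algo, $u, $password, true);
            $t ^= $u;                          // byte-wise XOR of two strings
        }
        $dk .= $t;
    }
    return substr($dk, 0, $length);            // truncate to requested bytes
}

// RFC 6070 test vector: PBKDF2-HMAC-SHA1, P="password", S="salt",
// c=4096, dkLen=20.
$expectedHex = '4b007901b765489abead49d926f721d065a429c1';

$start    = microtime(true);
$userland = pbkdf2_userland('sha1', 'password', 'salt', 4096, 20);
$tUser    = microtime(true) - $start;

// raw_output = true so that length counts bytes, matching the userland call.
$start   = microtime(true);
$native  = hash_pbkdf2('sha1', 'password', 'salt', 4096, 20, true);
$tNative = microtime(true) - $start;

var_dump(hash_equals($expectedHex, bin2hex($userland))); // matches the vector?
var_dump(hash_equals($userland, $native));               // same derived key?
printf("userland: %.2f ms, native: %.2f ms\n", $tUser * 1000, $tNative * 1000);
```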

A Note On 5.4

The current pull request targets trunk, as per process. However, this patch only adds a single additional public API (hash_pbkdf2 as a PHP function). Therefore, it does not violate the rule against API changes in a point release. As such, it would be a candidate for inclusion in 5.4.x, if so desired.

More about PBKDF2

Changelog

  • 0.1 - Initial Version
rfc/hash_pbkdf2.1339639187.txt.gz · Last modified: 2017/09/22 13:28 (external edit)