|
|
- // Copyright 2012 The Go Authors. All rights reserved.
- // Use of this source code is governed by a BSD-style
- // license that can be found in the LICENSE file.
-
- /*
- Package pbkdf2 implements the key derivation function PBKDF2 as defined in RFC
- 2898 / PKCS #5 v2.0.
-
- A key derivation function is useful when encrypting data based on a password
- or any other not-fully-random data. It uses a pseudorandom function to derive
- a secure encryption key based on the password.
-
- While v2.0 of the standard defines only one pseudorandom function to use,
- HMAC-SHA1, the drafted v2.1 specification allows use of all five FIPS Approved
- Hash Functions SHA-1, SHA-224, SHA-256, SHA-384 and SHA-512 for HMAC. To
- choose, you can pass the `New` functions from the different SHA packages to
- pbkdf2.Key.
- */
- package pbkdf2 // import "golang.org/x/crypto/pbkdf2"
-
- import (
- "crypto/hmac"
- "hash"
- )
-
- // Key derives a key from the password, salt and iteration count, returning a
- // []byte of length keylen that can be used as cryptographic key. The key is
- // derived based on the method described as PBKDF2 with the HMAC variant using
- // the supplied hash function.
- //
- // For example, to use a HMAC-SHA-1 based PBKDF2 key derivation function, you
- // can get a derived key for e.g. AES-256 (which needs a 32-byte key) by
- // doing:
- //
- // dk := pbkdf2.Key([]byte("some password"), salt, 4096, 32, sha1.New)
- //
- // Remember to get a good random salt. At least 8 bytes is recommended by the
- // RFC.
- //
- // Using a higher iteration count will increase the cost of an exhaustive
- // search but will also make derivation proportionally slower.
- func Key(password, salt []byte, iter, keyLen int, h func() hash.Hash) []byte {
- prf := hmac.New(h, password)
- hashLen := prf.Size()
- numBlocks := (keyLen + hashLen - 1) / hashLen
-
- var buf [4]byte
- dk := make([]byte, 0, numBlocks*hashLen)
- U := make([]byte, hashLen)
- for block := 1; block <= numBlocks; block++ {
- // N.B.: || means concatenation, ^ means XOR
- // for each block T_i = U_1 ^ U_2 ^ ... ^ U_iter
- // U_1 = PRF(password, salt || uint(i))
- prf.Reset()
- prf.Write(salt)
- buf[0] = byte(block >> 24)
- buf[1] = byte(block >> 16)
- buf[2] = byte(block >> 8)
- buf[3] = byte(block)
- prf.Write(buf[:4])
- dk = prf.Sum(dk)
- T := dk[len(dk)-hashLen:]
- copy(U, T)
-
- // U_n = PRF(password, U_(n-1))
- for n := 2; n <= iter; n++ {
- prf.Reset()
- prf.Write(U)
- U = U[:0]
- U = prf.Sum(U)
- for x := range U {
- T[x] ^= U[x]
- }
- }
- }
- return dk[:keyLen]
- }
|