PBKDF2 with PowerShell
PBKDF2 (Password-Based Key Derivation Function 2) is defined in RFC 2898 and generates a salted hash. It is often used to derive an encryption key from a chosen password, in a way that does not allow the password to be recovered from the hashed value. TrueCrypt uses it to generate the key that decrypts the header of an encrypted drive, where the disk encryption keys are stored, and WPA-2 uses it to create a hashed version of the passphrase; in WPA-2 the function is run with 4,096 iterations.
PBKDF2 is used in WPA-2 and TrueCrypt. Its main purpose is to produce a hashed version of a password, and it includes a salt to reduce the opportunity for a rainbow table attack. It generally uses more than 1,000 iterations to slow down the creation of the hash, which makes brute-force attacks more expensive. The general form of PBKDF2 is:
DK = PBKDF2(Password, Salt, Miterations, dkLen)
where Password is the passphrase, Salt is the salt, Miterations is the number of iterations, and dkLen is the length of the derived key (the hash).
WPA-2
The IEEE 802.11i standard defines the pre-shared key as:
PSK = PBKDF2(PassPhrase, ssid, ssidLength, 4096, 256)
Explanation
In TrueCrypt we use PBKDF2 to generate the key (with a salt) that decrypts the header and reveals the keys which have been used to encrypt the disk (using AES, 3DES or Twofish). The C# call used is:
byte[] result = passwordDerive.GenerateDerivedKey(16, ASCIIEncoding.UTF8.GetBytes(message), salt, 1000);
which gives a key length of 16 bytes (128 bits, dkLen), uses a salt byte array, and runs 1,000 iterations of the hash (Miterations). The resulting hash value will therefore have 32 hexadecimal characters (16 bytes).
Coding
The following is the code:
# Arguments: password, salt, iteration count, hash name (e.g. SHA384), derived key length in bytes
$password = $Args[0]
$salt = $Args[1]
$iterations = [int]$Args[2]
$hash = $Args[3]
$size = [int]$Args[4]
$saltBytes = [Text.Encoding]::UTF8.GetBytes($salt)
# Rfc2898DeriveBytes.Pbkdf2 (PowerShell 7 / .NET 6+) takes the password, salt bytes, iterations, hash algorithm and output length
$keyder = [Security.Cryptography.Rfc2898DeriveBytes]::Pbkdf2($password, $saltBytes, $iterations, $hash, $size)
"Password: "+$password
"Salt: "+$salt
"Iterations: "+$iterations
"Hash method: "+$hash
"Size: "+$size
"`nKey derivation (Hex): "+[System.Convert]::ToHexString($keyder)
"Key derivation (Base64): "+[System.Convert]::ToBase64String($keyder)
A sample run shows:
Password: qwerty
Salt: test123
Iterations: 1500
Hash method: SHA384
Size: 32

Key derivation (Hex): 7A1DE374983CB727A2E37AB8324FA5FA2FA6A90DE30841F16919159119E4F292
Key derivation (Base64): eh3jdJg8tyei43q4Mk+l+i+mqQ3jCEHxaRkVkRnk8pI=
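As an added example (not code from the original page), the following PowerShell 7 script derives the WPA-2 PSK defined in the WPA-2 section above and checks it against the IEEE 802.11i Annex H test vector, then shows the store-and-verify pattern that PBKDF2 password hashing is normally used for: the record keeps the salt, iteration count and hash name rather than the password, and verification re-derives the key and compares it without short-circuiting on the first mismatch. The function names, the 600,000-iteration default and the record layout are my own choices, not part of the original.

```powershell
# Added example, not code from the original page: the WPA-2 derivation above
# and a PBKDF2 store/verify pair, for PowerShell 7 (.NET 6 or later).
using namespace System.Security.Cryptography
using namespace System.Text

function Get-Wpa2Psk {
    # IEEE 802.11i: PSK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 256 bits)
    param([string]$Passphrase, [string]$Ssid)
    $psk = [Rfc2898DeriveBytes]::Pbkdf2([Encoding]::UTF8.GetBytes($Passphrase),
        [Encoding]::UTF8.GetBytes($Ssid), 4096, [HashAlgorithmName]::SHA1, 32)
    return [Convert]::ToHexString($psk).ToLower()
}

function New-PasswordRecord {
    # Store salt, iteration count, hash name and derived key, never the password.
    # 16-byte salt from the OS CSPRNG; the $Iterations default is an assumed value.
    param([string]$Password, [int]$Iterations = 600000)
    $salt = [RandomNumberGenerator]::GetBytes(16)
    $dk = [Rfc2898DeriveBytes]::Pbkdf2($Password, $salt, $Iterations, [HashAlgorithmName]::SHA256, 32)
    return [pscustomobject]@{
        Hash = 'SHA256'; Iterations = $Iterations
        Salt = [Convert]::ToBase64String($salt); Key = [Convert]::ToBase64String($dk)
    }
}

function Compare-FixedTime {
    # XOR every byte and OR the results so the loop always runs to the end;
    # this is the standard pattern, though an interpreter gives no hard timing guarantee.
    param([byte[]]$A, [byte[]]$B)
    if ($A.Length -ne $B.Length) { return $false }
    $diff = 0
    for ($i = 0; $i -lt $A.Length; $i++) { $diff = $diff -bor ($A[$i] -bxor $B[$i]) }
    return ($diff -eq 0)
}

function Test-PasswordRecord {
    # Re-derive with the stored parameters and compare against the stored key.
    param([string]$Password, $Record)
    $dk = [Rfc2898DeriveBytes]::Pbkdf2($Password, [Convert]::FromBase64String($Record.Salt),
        $Record.Iterations, [HashAlgorithmName]::new($Record.Hash), 32)
    return Compare-FixedTime $dk ([Convert]::FromBase64String($Record.Key))
}

# IEEE 802.11i Annex H test vector: passphrase "password", SSID "IEEE".
$expected = 'f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e'
$psk = Get-Wpa2Psk -Passphrase 'password' -Ssid 'IEEE'
"WPA2 PSK: $psk (matches Annex H vector: $($psk -eq $expected))"
$rec = New-PasswordRecord -Password 'qwerty'
"Correct password verifies: $(Test-PasswordRecord -Password 'qwerty' -Record $rec)"
"Wrong password verifies: $(Test-PasswordRecord -Password 'qwertz' -Record $rec)"
```

Save the script to a file before running it, because the `using namespace` lines must come first in a script.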