Title | On Security of Key Derivation Functions in Password-based Cryptography |
Publication Type | Conference Paper |
Year of Publication | 2021 |
Authors | Kodwani, Gaurav, Arora, Shashank, Atrey, Pradeep K. |
Conference Name | 2021 IEEE International Conference on Cyber Security and Resilience (CSR) |
Keywords | authentication, composability, compositionality, Computer crime, Conferences, Encryption, password, Password-based Cryptography, PBKDF, pubcrawl, resilience, security, theoretical cryptography |
Abstract | Most common user authentication methods use some form of password or a combination of passwords. However, encryption schemes are generally not directly compatible with user passwords and thus, Password-Based Key Derivation Functions (PBKDFs) are used to convert user passwords into cryptographic keys. In this paper, we analyze the theoretical security of PBKDF2 and present two vulnerabilities, g-collision and d-collision. Using AES-128 as our exemplar, we show that due to g-collision, text encrypted with one user password can be decrypted with g 1 different passwords. We also provide a proof that finding a collision in the derived key for AES-128 requires d lesser calls to PBKDF2 than the known Birthday attack. Due to this, it is possible to break password-based AES-128 in O(2^64) calls, which is equivalent to brute-forcing DES. |
DOI | 10.1109/CSR51186.2021.9527961 |
Citation Key | kodwani_security_2021 |