Module orion::hazardous::pbkdf2 [−][src]
PBKDF2-HMAC-SHA512 (Password-Based Key Derivation Function 2) as specified in the RFC 8018.
Parameters:
password
: Passwordsalt
: Salt valueiterations
: Iteration countdk_out
: Destination buffer for the derived key. The length of the derived key is implied by the length ofdk_out
See RFC for more information.
Exceptions:
An exception will be thrown if:
- The length of
dk_out
is less than 1 - The length of
dk_out
is greater than (2^32 - 1) * hLen - The specified iteration count is less than 1
Security:
Salts should always be generated using a CSPRNG. The gen_rand_key
function
in util
can be used for this. The recommended length for a salt is 16 bytes as a minimum.
The iteration count should be set as high as feasible.
Example:
Generating derived key:
use orion::hazardous::pbkdf2; use orion::utilities::util; let mut salt = [0u8; 16]; util::gen_rand_key(&mut salt); let mut dk_out = [0u8; 64]; pbkdf2::derive_key("Secret password".as_bytes(), &salt, 10000, &mut dk_out).unwrap();
Verifying derived key:
use orion::hazardous::pbkdf2; use orion::utilities::util; let mut salt = [0u8; 16]; util::gen_rand_key(&mut salt); let mut dk_out = [0u8; 64]; pbkdf2::derive_key("Secret password".as_bytes(), &salt, 10000, &mut dk_out).unwrap(); let exp_dk = dk_out; assert!(pbkdf2::verify(&exp_dk, "Secret password".as_bytes(), &salt, 10000, &mut dk_out).unwrap());
Functions
derive_key |
PBKDF2-SHA512 (Password-Based Key Derivation Function 2) as specified in the RFC 8018. |
verify |
Verify PBKDF2-HMAC-SHA512 derived key in constant time. |