| 
									
										
										
										
											2011-09-22 20:51:46 +02:00
										 |  |  | # | 
					
						
							|  |  |  | #  KDF.py : a collection of Key Derivation Functions | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # Part of the Python Cryptography Toolkit | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # =================================================================== | 
					
						
							|  |  |  | # The contents of this file are dedicated to the public domain.  To | 
					
						
							|  |  |  | # the extent that dedication to the public domain is not available, | 
					
						
							|  |  |  | # everyone is granted a worldwide, perpetual, royalty-free, | 
					
						
							|  |  |  | # non-exclusive license to exercise all rights associated with the | 
					
						
							|  |  |  | # contents of this file for any purpose whatsoever. | 
					
						
							|  |  |  | # No rights are reserved. | 
					
						
							|  |  |  | # | 
					
						
							|  |  |  | # THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, | 
					
						
							|  |  |  | # EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF | 
					
						
							|  |  |  | # MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND | 
					
						
							|  |  |  | # NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS | 
					
						
							|  |  |  | # BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN | 
					
						
							|  |  |  | # ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN | 
					
						
							|  |  |  | # CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE | 
					
						
							|  |  |  | # SOFTWARE. | 
					
						
							|  |  |  | # =================================================================== | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | """This file contains a collection of standard key derivation functions.
 | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | A key derivation function derives one or more secondary secret keys from | 
					
						
							|  |  |  | one primary secret (a master key or a pass phrase). | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | This is typically done to insulate the secondary keys from each other, | 
					
						
							|  |  |  | to avoid that leakage of a secondary key compromises the security of the | 
					
						
							|  |  |  | master key, or to thwart attacks on pass phrases (e.g. via rainbow tables). | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | :undocumented: __revision__ | 
					
						
							|  |  |  | """
 | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | __revision__ = "$Id$" | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | import math | 
					
						
							|  |  |  | import struct | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2011-10-18 23:20:26 +02:00
										 |  |  | from Crypto.Util.py3compat import * | 
					
						
							| 
									
										
										
										
											2011-09-22 20:51:46 +02:00
										 |  |  | from Crypto.Hash import SHA as SHA1, HMAC | 
					
						
							|  |  |  | from Crypto.Util.strxor import strxor | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2012-04-19 22:40:39 +02:00
										 |  |  | def PBKDF1(password, salt, dkLen, count=1000, hashAlgo=None): | 
					
						
							| 
									
										
										
										
											2011-09-22 20:51:46 +02:00
										 |  |  |     """Derive one key from a password (or passphrase).
 | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |     This function performs key derivation according an old version of | 
					
						
							|  |  |  |     the PKCS#5 standard (v1.5). | 
					
						
							|  |  |  |      | 
					
						
							|  |  |  |     This algorithm is called ``PBKDF1``. Even though it is still described | 
					
						
							|  |  |  |     in the latest version of the PKCS#5 standard (version 2, or RFC2898), | 
					
						
							|  |  |  |     newer applications should use the more secure and versatile `PBKDF2` instead. | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |     :Parameters: | 
					
						
							|  |  |  |      password : string | 
					
						
							|  |  |  |         The secret password or pass phrase to generate the key from. | 
					
						
							| 
									
										
										
										
											2011-10-18 23:20:26 +02:00
										 |  |  |      salt : byte string | 
					
						
							| 
									
										
										
										
											2011-09-22 20:51:46 +02:00
										 |  |  |         An 8 byte string to use for better protection from dictionary attacks. | 
					
						
							|  |  |  |         This value does not need to be kept secret, but it should be randomly | 
					
						
							|  |  |  |         chosen for each derivation. | 
					
						
							|  |  |  |      dkLen : integer | 
					
						
							|  |  |  |         The length of the desired key. Default is 16 bytes, suitable for instance for `Crypto.Cipher.AES`. | 
					
						
							|  |  |  |      count : integer | 
					
						
							|  |  |  |         The number of iterations to carry out. It's recommended to use at least 1000. | 
					
						
							|  |  |  |      hashAlgo : module | 
					
						
							|  |  |  |         The hash algorithm to use, as a module or an object from the `Crypto.Hash` package. | 
					
						
							|  |  |  |         The digest length must be no shorter than ``dkLen``. | 
					
						
							| 
									
										
										
										
											2012-04-19 22:40:39 +02:00
										 |  |  |         The default algorithm is `SHA1`. | 
					
						
							| 
									
										
										
										
											2011-09-22 20:51:46 +02:00
										 |  |  | 
 | 
					
						
							|  |  |  |     :Return: A byte string of length `dkLen` that can be used as key. | 
					
						
							| 
									
										
										
										
											2012-04-19 22:40:39 +02:00
										 |  |  |     """
 | 
					
						
							|  |  |  |     if not hashAlgo: | 
					
						
							|  |  |  |         hashAlgo = SHA1 | 
					
						
							| 
									
										
										
										
											2011-10-18 23:20:26 +02:00
										 |  |  |     password = tobytes(password) | 
					
						
							| 
									
										
										
										
											2011-09-22 20:51:46 +02:00
										 |  |  |     pHash = hashAlgo.new(password+salt) | 
					
						
							|  |  |  |     digest = pHash.digest_size | 
					
						
							|  |  |  |     if dkLen>digest: | 
					
						
							| 
									
										
										
										
											2012-01-17 23:23:17 +01:00
										 |  |  |         raise ValueError("Selected hash algorithm has a too short digest (%d bytes)." % digest) | 
					
						
							| 
									
										
										
										
											2011-09-22 20:51:46 +02:00
										 |  |  |     if len(salt)!=8: | 
					
						
							|  |  |  |         raise ValueError("Salt is not 8 bytes long.") | 
					
						
							|  |  |  |     for i in xrange(count-1): | 
					
						
							|  |  |  |         pHash = pHash.new(pHash.digest()) | 
					
						
							|  |  |  |     return pHash.digest()[:dkLen] | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | def PBKDF2(password, salt, dkLen=16, count=1000, prf=None): | 
					
						
							|  |  |  |     """Derive one or more keys from a password (or passphrase).
 | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |     This performs key derivation according to the PKCS#5 standard (v2.0), | 
					
						
							|  |  |  |     by means of the ``PBKDF2`` algorithm. | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |     :Parameters: | 
					
						
							|  |  |  |      password : string | 
					
						
							|  |  |  |         The secret password or pass phrase to generate the key from. | 
					
						
							|  |  |  |      salt : string | 
					
						
							|  |  |  |         A string to use for better protection from dictionary attacks. | 
					
						
							|  |  |  |         This value does not need to be kept secret, but it should be randomly | 
					
						
							|  |  |  |         chosen for each derivation. It is recommended to be at least 8 bytes long. | 
					
						
							|  |  |  |      dkLen : integer | 
					
						
							|  |  |  |         The cumulative length of the desired keys. Default is 16 bytes, suitable for instance for `Crypto.Cipher.AES`. | 
					
						
							|  |  |  |      count : integer | 
					
						
							|  |  |  |         The number of iterations to carry out. It's recommended to use at least 1000. | 
					
						
							|  |  |  |      prf : callable | 
					
						
							|  |  |  |         A pseudorandom function. It must be a function that returns a pseudorandom string | 
					
						
							|  |  |  |         from two parameters: a secret and a salt. If not specified, HMAC-SHA1 is used. | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  |     :Return: A byte string of length `dkLen` that can be used as key material. | 
					
						
							|  |  |  |         If you wanted multiple keys, just break up this string into segments of the desired length. | 
					
						
							|  |  |  | """
 | 
					
						
							| 
									
										
										
										
											2011-10-18 23:20:26 +02:00
										 |  |  |     password = tobytes(password) | 
					
						
							| 
									
										
										
										
											2011-09-22 20:51:46 +02:00
										 |  |  |     if prf is None: | 
					
						
							|  |  |  |         prf = lambda p,s: HMAC.new(p,s,SHA1).digest() | 
					
						
							| 
									
										
										
										
											2011-10-18 23:20:26 +02:00
										 |  |  |     key = b('') | 
					
						
							| 
									
										
										
										
											2011-09-22 20:51:46 +02:00
										 |  |  |     i = 1 | 
					
						
							|  |  |  |     while len(key)<dkLen: | 
					
						
							|  |  |  |         U = previousU = prf(password,salt+struct.pack(">I", i)) | 
					
						
							|  |  |  |         for j in xrange(count-1): | 
					
						
							|  |  |  |             previousU = t = prf(password,previousU) | 
					
						
							|  |  |  |             U = strxor(U,t) | 
					
						
							|  |  |  |         key += U | 
					
						
							|  |  |  |         i = i + 1 | 
					
						
							|  |  |  |     return key[:dkLen] | 
					
						
							|  |  |  | 
 |