创建数字钱包(零)KDF 密钥派生算法
KDF 的定义
实现 key stretching [^1] 的方法,具体就是从一个 master key,password 或者 passphrase 派生出一个或者多个密钥,派生的过程,使用PRF(Pseudo Random Function 伪随机函数)可以是某种哈希算法。
[Key stretching]
密钥延长算法(一种更慢的哈希算法),用于将初始密钥转换成增强密钥,在计算过程中刻意延长时间或者消耗空间,这样有利于保护弱密码。
两种密钥派生算法
PBKDF2 (CPU-Hard algorithm)
PBKDF2是基于密码派生出密钥的算法,需要消耗很多算力,为了是防止暴力破解加密。
Scrypt (Memory-Hard algorithm)
Scrypt 也是一种 password-base KDF 算法,比起 PBKDF2 需要消耗更多的资源,从而有效防止了专有硬件 ASIC/ FPGA 的暴力破解。Scrypt 内部用的还是 PBKDF2 算法,不过内部会长时间地维护一组比特数据,这些数据会在生成复杂的 salt 的过程中反复加密(Salsa20,一种流密码^3)得到。网上流行说,以太坊的PoW共识算法是利用Scrypt实现的,但事实上,以太坊自己实现了一套哈希算法,叫做Ethash^2.
区别
一言以蔽之,PBKDF2是算力型,而Scrypt是资源消耗型的。
Both PBKDF2 and scrypt are key derivation functions (KDFs) that implement key stretching by being deliberately slow to compute and, in particular, by having an adjustable parameter to control the slowness.
The difference is that scrypt is also designed to require a large (and adjustable) amount of memory to compute efficiently. The purpose of this is to make cracking it harder to parallelize using devices like GPGPUs or custom ASIC / FPGA hardware. Such devices may have hundreds or even thousands of parallel processing units, each capable of hashing a different password using traditional KDFs like PBKDF2, which don’t require much memory. However, it turns out that, at least using current technology, providing each of these parallel units with large amounts of memory space is a lot more difficult and expensive than making the units themselves.
密钥派生原理
PBKDF2 运行的原理
1 | passphrase -> [dklen, salt, c] > 1000] -> hash |
其中:
- PRF(Pseudorandom function):伪随机数产生的密钥,如:hmac-sha256
- dklen:派生所产生的密钥的长度
- salt(盐值):是一串随机生成的比特,加载密钥的固定位置做哈希后,可以防止彩虹表攻击导致的密码泄露
- c:迭代的次数
- DK:期望的密钥 derived key
例子:WPA2 (WiFi Protected Access)
1 | DK = PBKDF2(HMAC−SHA1, passphrase, ssid, 4096, 256) |
术语
Password
密码就是用于证明身份,获取和身份相称的访问权限。
Passphase
用于用户认证或者加密程序的操作步骤,特别是KDF算法就是从passphrase中派生出来的。
[^1]: Key stretching