Reputation: 88
I am looking at implementing key generation from a password using PBKDF2. Since PHP 5.5, there is the function http://www.php.net/manual/en/function.hash-pbkdf2.php, but my server is running on PHP 5.3. After a quick search on the web, I found this custom implementation in PHP: https://gist.github.com/rsky/5104756. My question to someone more experienced in the field is whether it is considered safe.
Upvotes: 0
Views: 111
Reputation: 94058
If it compiles to correct test vectors then I would not worry overmuch on security for key derivation functions.
You may have to worry about side channel attacks if you are on a machine that also provides access to other users. In that case you probably have to worry about side channel attacks on the hash algorithm; normally it's tricky to perform time-based attacks on symmetric algorithms on a fast CPU though (unprotected RSA is much easier).
It is important that salt values are large enough and do not repeat, so check the secure random number implementation on the system.
Note that there are multiple levels of "safe". Without exact details of the system, use case, threat models etc. nobody could or should give you more than a generic answer.
Upvotes: 1
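The test-vector check mentioned in the answer can be run on PHP 5.3 as follows. This is an added example, not code from the gist or from either poster: `pbkdf2_ref()` is a hypothetical reference implementation built on `hash_hmac()`, and the expected values are the PBKDF2-HMAC-SHA1 vectors published in RFC 6070. To test another implementation, call it in place of `pbkdf2_ref()`.

```php
<?php
// Added example: reference PBKDF2 (RFC 2898) for PHP 5.3, checked against RFC 6070.
// pbkdf2_ref() is a hypothetical name; swap in the function under test.
function pbkdf2_ref($algo, $password, $salt, $iterations, $length)
{
    if ($iterations < 1 || $length < 1) {
        trigger_error('iterations and length must be positive', E_USER_ERROR);
    }
    $hashLen = strlen(hash($algo, '', true));
    $blocks  = (int) ceil($length / $hashLen);
    $out     = '';
    for ($i = 1; $i <= $blocks; $i++) {
        // U_1 = HMAC(P, S || INT_32_BE(i)); U_j = HMAC(P, U_{j-1}); T_i = XOR of all U_j
        $u = hash_hmac($algo, $salt . pack('N', $i), $password, true);
        $t = $u;
        for ($j = 1; $j < $iterations; $j++) {
            $u = hash_hmac($algo, $u, $password, true);
            $t ^= $u; // bytewise XOR of two equal-length binary strings
        }
        $out .= $t;
    }
    return substr($out, 0, $length);
}

// RFC 6070 vectors: password, salt, iterations, dkLen, expected hex output.
$vectors = array(
    array('password', 'salt', 1, 20, '0c60c80f961f0e71f3a9b524af6012062fe037a6'),
    array('password', 'salt', 2, 20, 'ea6c014dc72d6f8ccd1ed92ace1d41f0d8de8957'),
    array('password', 'salt', 4096, 20, '4b007901b765489abead49d926f721d065a429c1'),
    // dkLen > 20 forces a second block that must be truncated
    array('passwordPASSWORDpassword', 'saltSALTsaltSALTsaltSALTsaltSALTsalt', 4096, 25,
          '3d2eec4fe41c849b80c8d83662c0e44a8b291a964cf2f07038'),
    // embedded NUL bytes catch code that treats inputs as C strings
    array("pass\0word", "sa\0lt", 4096, 16, '56fa6aa75548099dcc37d7f03425e0c3'),
);

$failed = 0;
foreach ($vectors as $n => $v) {
    $got = bin2hex(pbkdf2_ref('sha1', $v[0], $v[1], $v[2], $v[3]));
    $ok  = ($got === $v[4]);
    $failed += $ok ? 0 : 1;
    echo 'vector ', $n + 1, ': ', $ok ? 'ok' : "MISMATCH (got $got)", "\n";
}
exit($failed === 0 ? 0 : 1);
```

The script exits non-zero on any mismatch, so it can gate a deployment. RFC 6070 also defines a vector with 16777216 iterations, omitted here because of its run time.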