PBKDF2WithHmacSHA512 Vs. PBKDF2WithHmacSHA1

DTs picture DTs · Oct 13, 2013 · Viewed 36.6k times · Source

I'm working on a Java authentication subsystem that specs the storage of passwords in the DB as PBKDF2-generated hashes, and I'm now trying to decide whether I should use SHA1 or SHA512 as PRF. I went through the specs of both but they are very mathematically intensive for me to follow. Can somebody with better crypto-understanding explain how PBKDF2WithHmacSHA512 differs from PBKDF2WithHmacSHA1?

Here's what I'm trying to do:

private static final int HASH_BYTE_SIZE = 64 * 8; // 512 bits
private static final int PBKDF2_ITERATIONS = 1000;      

// generate random salt
SecureRandom random = new SecureRandom();
byte salt[] = new byte[SALT_BYTE_SIZE]; // use salt size at least as long as hash
random.nextBytes(salt);

// generate Hash
PBEKeySpec spec = new PBEKeySpec(password, salt, PBKDF2_ITERATIONS, HASH_BYTE_SIZE);
SecretKeyFactory skf = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1"); // we would like this to be "PBKDF2WithHmacSHA512" instead? What Provider implements it?
byte[] hash = skf.generateSecret(spec).getEncoded();

// convert hash and salt to hex and store in DB as CHAR(64)...

Answer

user2339071 picture user2339071 · Oct 13, 2013

Let us breakdown the word piece by piece:

PBKDF2--WithHmac--SHA512

Let's go over it part by part

  • PBKDF2

    Stands for Password-based-Key-Derivative-Function, a successor of PBKDF1 and is used to implement a pseudorandom function, such as a cryptographic hash, cipher, or HMAC to the input password or passphrase along with a salt value and repeats the process many times to produce a derived key, which can then be used as a cryptographic key in subsequent operations.

  • HMAC

    Stands for Keyed-Hash Message Authentication Code (HMAC) is a specific construction for calculating a message authentication code (MAC) involving a cryptographic hash function in combination with a secret cryptographic key. Any cryptographic hash function,may be used in the calculation of an HMAC; the resulting MAC algorithm is termed HMAC-MD5 or HMAC-SHA1 accordingly.

  • SHA512

    Well, you know about it.. :P

Now, coming back to your question, the line of code:

SecretKeyFactory skf = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1");

specifies the keyFactory to use the algorithm PDBKDF2WithHmacSHA1. When you would do something like:

SecretKeyFactory skf = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA512");

you tell the factory to use algorithm PBDKF2WithHmacSHA512.

Essentialy the main difference between PBKDF2WithHmacSHA1 and PBKDF2WithHmacSHA512 is that:

  1. The PBKDF2WithHmacSHA1 will produce a hash length of 160 bits.
  2. The PBKDF2WithHmacSHA512 will produce a hash length of 512 bits.

Hence the latter is more secure. But there are arguments on both sides as to which is sufficient for encryption. No debate. Just saying.

Some additional information about the two algorithms:

  1. HMACSHA1

    HMACSHA1 is a type of keyed hash algorithm that is constructed from the SHA1 hash function and used as an HMAC, or hash-based message authentication code. The HMAC process mixes a secret key with the message data, hashes the result with the hash function, mixes that hash value with the secret key again, and then applies the hash function a second time. The output hash is 160 bits in length.

  2. HMACSHA512

    HMACSHA512 is a type of keyed hash algorithm that is constructed from the SHA-512 hash function and used as a Hash-based Message Authentication Code (HMAC). The HMAC process mixes a secret key with the message data and hashes the result. The hash value is mixed with the secret key again, and then hashed a second time. The output hash is 512 bits in length.

The main advantage is that HmacWith512 is more secure than HmacWith256. For e.g.

HMAC_SHA1("key","The quick brown fox jumps over the lazy dog") = 0xde7c9b85b8b78aa6bc8a7a36f70a90701c9db4d9

HMAC_SHA512("key","The quick brown fox jumps over the lazy dog") = 0xb42af09057bac1e2d41708e48a902e09b5ff7f12ab428a4fe86653c73dd248fb82f948a549f7b791a5b41915ee4d1ec3935357e4e2317250d0372afa2ebeeb3a

The difference is pretty huge (as seen). Hope it helps. :)

EDIT: As OP mentions

PBEKeySpec(char[] password, byte[] salt, int iterationCount, int keyLength)

The parameter keyLength is used to indicate the preference on key length for variable-key-size ciphers. The actual key size depends on each provider's implementation. Hence say, doing something like

PBEKeySpec(password, salt, int 100, 512) doesn't mean you will be using SHA1 to generate a keyLength of 512. It simply means that. SHA1 supports upto a maximum of 160 bits. You cannot exceed that.

As for your second question, have a look at the HMAC-SHA1. There are many statements that say algorithms like SHA256 is pretty good if you a long hash.

Also, as per the NSA :

The NSA specifies that "Elliptic Curve Public Key Cryptography using the 256-bit prime modulus elliptic curve as specified in FIPS-186-2 and SHA-256 are appropriate for protecting classified information up to the SECRET level. Use of the 384-bit prime modulus elliptic curve and SHA-384 are necessary for the protection of TOP SECRET information.

I think using a HMAC function in conjunction SHA512 is quite secure.