There are test vectors for PBKDF2-HMAC-SHA1 in RFC6070. There are test vectors for HMAC-SHA2 in RFC4231.
But so far I haven't found test vectors for PBKDF2-HMAC-SHA2 anywhere.
I'm most interested in SHA256, so I'll post some vectors I calculated with my implementation. I'd be happy if someone could verify/confirm them, or contribute their own.
The PBKDF2-HMAC-SHA256 Password Storage Scheme provides a mechanism for encoding user passwords using the PBKDF2-HMAC-SHA256 message digest algorithm. This scheme contains an implementation for the user password syntax, with a storage scheme name of "PBKDF2-HMAC-SHA256".
PBKDF2 is a widely used method to derive a key of given length based on a given password, salt and number of iterations. In this case it specifically uses HMAC with the SHA-1 hash function, which is the default as per RFC2898.
But PBKDF2-HMAC-SHA1 is fine. Also standard HMAC use has not been compromised, but again, longer hashes are in principle more secure in that scenario.
PBKDF2 (Password Based Key Derivation Function 2) is typically used for deriving a cryptographic key from a password. It may also be used for key storage, but an alternate key storage KDF such as Scrypt is generally considered a better solution.
I implemented PBKDF2 using the standard hashlib and hmac modules in Python and checked the output against both the RFC 6070 vectors and the vectors you posted – it matches.
Here are the vectors I get with a larger dkLen to match the larger digest output size. This is the output of pbkdf2-test-vectors.py sha256, which takes about 10 minutes to run.
PBKDF2 HMAC-SHA256 Test Vectors

Input:
  P = "password" (8 octets)
  S = "salt" (4 octets)
  c = 1
  dkLen = 32
Output:
  DK = 12 0f b6 cf fc f8 b3 2c
       43 e7 22 52 56 c4 f8 37
       a8 65 48 c9 2c cc 35 48
       08 05 98 7c b7 0b e1 7b (32 octets)

Input:
  P = "password" (8 octets)
  S = "salt" (4 octets)
  c = 2
  dkLen = 32
Output:
  DK = ae 4d 0c 95 af 6b 46 d3
       2d 0a df f9 28 f0 6d d0
       2a 30 3f 8e f3 c2 51 df
       d6 e2 d8 5a 95 47 4c 43 (32 octets)

Input:
  P = "password" (8 octets)
  S = "salt" (4 octets)
  c = 4096
  dkLen = 32
Output:
  DK = c5 e4 78 d5 92 88 c8 41
       aa 53 0d b6 84 5c 4c 8d
       96 28 93 a0 01 ce 4e 11
       a4 96 38 73 aa 98 13 4a (32 octets)

Input:
  P = "password" (8 octets)
  S = "salt" (4 octets)
  c = 16777216
  dkLen = 32
Output:
  DK = cf 81 c6 6f e8 cf c0 4d
       1f 31 ec b6 5d ab 40 89
       f7 f1 79 e8 9b 3b 0b cb
       17 ad 10 e3 ac 6e ba 46 (32 octets)

Input:
  P = "passwordPASSWORDpassword" (24 octets)
  S = "saltSALTsaltSALTsaltSALTsaltSALTsalt" (36 octets)
  c = 4096
  dkLen = 40
Output:
  DK = 34 8c 89 db cb d3 2b 2f
       32 d8 14 b8 11 6e 84 cf
       2b 17 34 7e bc 18 00 18
       1c 4e 2a 1f b8 dd 53 e1
       c6 35 51 8c 7d ac 47 e9 (40 octets)

Input:
  P = "pass\0word" (9 octets)
  S = "sa\0lt" (5 octets)
  c = 4096
  dkLen = 16
Output:
  DK = 89 b6 9d 05 16 f8 29 89
       3c 69 62 26 65 0a 86 87 (16 octets)
Test vectors for PBKDF2-HMAC-SHA256:
Input values were taken from RFC6070; c is the number of rounds.
Input:
  P = "password" (8 octets)
  S = "salt" (4 octets)
  c = 1
  dkLen = 20
Output:
  DK = 12 0f b6 cf fc f8 b3 2c
       43 e7 22 52 56 c4 f8 37
       a8 65 48 c9

Input:
  P = "password" (8 octets)
  S = "salt" (4 octets)
  c = 2
  dkLen = 20
Output:
  DK = ae 4d 0c 95 af 6b 46 d3
       2d 0a df f9 28 f0 6d d0
       2a 30 3f 8e

Input:
  P = "password" (8 octets)
  S = "salt" (4 octets)
  c = 4096
  dkLen = 20
Output:
  DK = c5 e4 78 d5 92 88 c8 41
       aa 53 0d b6 84 5c 4c 8d
       96 28 93 a0

Input:
  P = "password" (8 octets)
  S = "salt" (4 octets)
  c = 16777216
  dkLen = 20
Output:
  DK = cf 81 c6 6f e8 cf c0 4d
       1f 31 ec b6 5d ab 40 89
       f7 f1 79 e8

Input:
  P = "passwordPASSWORDpassword" (24 octets)
  S = "saltSALTsaltSALTsaltSALTsaltSALTsalt" (36 octets)
  c = 4096
  dkLen = 25
Output:
  DK = 34 8c 89 db cb d3 2b 2f
       32 d8 14 b8 11 6e 84 cf
       2b 17 34 7e bc 18 00 18
       1c

Input:
  P = "pass\0word" (9 octets)
  S = "sa\0lt" (5 octets)
  c = 4096
  dkLen = 16
Output:
  DK = 89 b6 9d 05 16 f8 29 89
       3c 69 62 26 65 0a 86 87
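The kind of cross-check described in the answer above, as an added example that is not code from either poster: a from-scratch PBKDF2 (RFC 2898, section 5.2) built on the standard hmac module, compared against hashlib.pbkdf2_hmac and the vectors on this page. The names pbkdf2_hmac_sha256, VECTORS and check_vectors are assumptions of this example, the c = 16777216 vector is left out for run time, and the 20-octet prefix check goes slightly beyond the posted lists to show that a shorter dkLen only truncates the output.

```python
import hashlib
import hmac

def pbkdf2_hmac_sha256(password: bytes, salt: bytes, c: int, dk_len: int) -> bytes:
    """PBKDF2 (RFC 2898, section 5.2) with HMAC-SHA256 as the PRF."""
    h_len = hashlib.sha256().digest_size                   # 32 octets per block
    keyed = hmac.new(password, digestmod=hashlib.sha256)   # key once, copy per PRF call

    def prf(data: bytes) -> bytes:
        m = keyed.copy()
        m.update(data)
        return m.digest()

    out = b""
    for i in range(1, -(-dk_len // h_len) + 1):            # ceil(dkLen / hLen) blocks
        u = prf(salt + i.to_bytes(4, "big"))               # U_1 = PRF(P, S || INT(i))
        t = int.from_bytes(u, "big")
        for _ in range(c - 1):                             # U_j = PRF(P, U_{j-1})
            u = prf(u)
            t ^= int.from_bytes(u, "big")                  # T_i = U_1 xor ... xor U_c
        out += t.to_bytes(h_len, "big")
    return out[:dk_len]

# (P, S, c, dkLen, DK) copied from the vectors posted on this page.
VECTORS = [
    (b"password", b"salt", 1, 32,
     "120fb6cffcf8b32c43e7225256c4f837a86548c92ccc35480805987cb70be17b"),
    (b"password", b"salt", 2, 32,
     "ae4d0c95af6b46d32d0adff928f06dd02a303f8ef3c251dfd6e2d85a95474c43"),
    (b"password", b"salt", 4096, 32,
     "c5e478d59288c841aa530db6845c4c8d962893a001ce4e11a4963873aa98134a"),
    (b"passwordPASSWORDpassword", b"saltSALTsaltSALTsaltSALTsaltSALTsalt", 4096, 40,
     "348c89dbcbd32b2f32d814b8116e84cf2b17347ebc1800181c4e2a1fb8dd53e1c635518c7dac47e9"),
    (b"pass\0word", b"sa\0lt", 4096, 16, "89b69d0516f829893c696226650a8687"),
]

def check_vectors() -> list:
    """Return one entry per mismatch; an empty list means everything agrees."""
    failures = []
    for p, s, c, dk_len, expected_hex in VECTORS:
        expected = bytes.fromhex(expected_hex)
        mine = pbkdf2_hmac_sha256(p, s, c, dk_len)
        if not (mine == hashlib.pbkdf2_hmac("sha256", p, s, c, dk_len) == expected):
            failures.append((p, c, dk_len, "full output"))
        short = min(20, dk_len)                            # shorter dkLen = prefix of DK
        if pbkdf2_hmac_sha256(p, s, c, short) != expected[:short]:
            failures.append((p, c, short, "prefix"))
    return failures

if __name__ == "__main__":
    print(check_vectors() or "all vectors match")
```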