From d16def5326b01ca9703df746a780a9a2d8f8fbcf Mon Sep 17 00:00:00 2001 From: Tom Gallacher Date: Fri, 9 Oct 2015 13:58:44 +0100 Subject: [PATCH] doc: Adding best practises for crypto.pbkdf2 Added some information around usages of how to use iterations, how to choose decent salts and updating the example to have a significant work factor and to use sha512. PR-URL: https://github.com/nodejs/node/pull/3290 Reviewed-By: Fedor Indutny Reviewed-By: Shigeki Ohtsu --- doc/api/crypto.markdown | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/doc/api/crypto.markdown b/doc/api/crypto.markdown index 048bc077785c92..60231b17072692 100644 --- a/doc/api/crypto.markdown +++ b/doc/api/crypto.markdown @@ -620,9 +620,16 @@ Asynchronous PBKDF2 function. Applies the selected HMAC digest function salt and number of iterations. The callback gets two arguments: `(err, derivedKey)`. +The number of iterations passed to pbkdf2 should be as high as possible, the +higher the number, the more secure it will be, but will take a longer amount of +time to complete. + +Chosen salts should also be unique. It is recommended that the salts are random +and their length is greater than 16 bytes. See [NIST SP 800-132] for details. + Example: - crypto.pbkdf2('secret', 'salt', 4096, 64, 'sha256', function(err, key) { + crypto.pbkdf2('secret', 'salt', 100000, 512, 'sha512', function(err, key) { if (err) throw err; console.log(key.toString('hex')); // 'c5e478d...1469e50' 
@@ -789,6 +796,7 @@ See the reference for other recommendations and details. [RFC 3526]: http://www.rfc-editor.org/rfc/rfc3526.txt [crypto.pbkdf2]: #crypto_crypto_pbkdf2_password_salt_iterations_keylen_digest_callback [EVP_BytesToKey]: https://www.openssl.org/docs/crypto/EVP_BytesToKey.html +[NIST SP 800-132]: http://csrc.nist.gov/publications/nistpubs/800-132/nist-sp800-132.pdf [NIST SP 800-131A]: http://csrc.nist.gov/publications/nistpubs/800-131A/sp800-131A.pdf [initialization vector]: http://en.wikipedia.org/wiki/Initialization_vector [Caveats]: #crypto_caveats
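Review bot: in the first hunk (@@ -620,9 +620,16 @@), the updated example asks for a 512-byte key (`keylen` 512) with `'sha512'`; PBKDF2 produces its output in blocks of the HMAC digest length (64 bytes for SHA-512), so a 512-byte derived key means eight full passes of 100000 iterations each, eight times the cost of a 64-byte key, with no gain for a key that only has to be as long as what it is used for. This looks like bits confused with bytes; `crypto.pbkdf2('secret', 'salt', 100000, 64, 'sha512', function(err, key) {` is the likely intent. Two smaller points in the same hunk: the trailing context comment `// 'c5e478d...1469e50'` is left over from the old sha256/4096/64 call and will not match the new parameters, so it should be regenerated or dropped; and the example still passes the literal string `'salt'` directly beneath new text saying salts should be random and longer than 16 bytes, so deriving the salt with `crypto.randomBytes(16)` in the example (and phrasing the prose as "at least 16 bytes", which is the 128-bit minimum SP 800-132 actually states) would make the example agree with the advice. Style: `pbkdf2` in the new paragraph should be in backticks like the other identifiers in this file, and the first sentence is a run-on that reads better split after "as high as possible".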