This is a “Hazardous Materials” module. You should
ONLY
use it if you’re
100% absolutely sure that you know what you’re doing because this module is
full of land mines, dragons, and dinosaurs with laser guns.
Key derivation functions derive bytes suitable for cryptographic operations
from passwords or other data sources using a pseudo-random function (PRF).
Different KDFs are suitable for different tasks such as:
Cryptographic key derivation
Deriving a key suitable for use as input to an encryption algorithm.
Typically this means taking a password and running it through an algorithm
such as
PBKDF2HMAC
or
HKDF
.
This process is typically known as
key stretching
.
Password storage
When storing passwords you want to use an algorithm that is computationally
intensive. Legitimate users will only need to compute it once (for example,
taking the user’s password, running it through the KDF, then comparing it
to the stored value), while attackers will need to do it billions of times.
Ideal password storage KDFs will be demanding on both computational and
memory resources.
class
cryptography.hazmat.primitives.kdf.pbkdf2.
PBKDF2HMAC
(
algorithm
,
length
,
salt
,
iterations
)
[source]
Added in version 0.2.
PBKDF2
(Password Based Key Derivation Function 2) is typically used for
deriving a cryptographic key from a password. It may also be used for
key storage, but an alternate key storage KDF such as
Scrypt
is generally
considered a better solution.
length
(
int
) – The desired length of the derived key in bytes. Maximum
is (2
32
- 1) *
algorithm.digest_size
.
salt
(
bytes
) – A salt. Secure values
[
1
]
are 128-bits (16 bytes)
or longer and randomly generated.
iterations
(
int
) – The number of iterations to perform of the hash
function. This can be used to control the length of time the operation
takes. Higher numbers help mitigate brute force attacks against derived
keys. A
more detailed description
can be consulted for additional
information.
Raises
:
TypeError
– This exception is raised if
salt
is not
bytes
.
This checks whether deriving a new key from the supplied
key_material
generates the same key as the
expected_key
, and
raises an exception if they do not match. This can be used for
checking whether the password a user provides matches the stored derived
key.
class
cryptography.hazmat.primitives.kdf.scrypt.
Scrypt
(
salt
,
length
,
n
,
r
,
p
)
[source]
Added in version 1.6.
Scrypt is a KDF designed for password storage by Colin Percival to be
resistant against hardware-assisted attackers by having a tunable memory
cost. It is described in
RFC 7914
.
The computational and memory cost of Scrypt can be adjusted by manipulating
the 3 parameters:
n
,
r
, and
p
. In general, the memory cost of
Scrypt is affected by the values of both
n
and
r
, while
n
also
determines the number of iterations performed.
p
increases the
computational cost without affecting memory usage. A more in-depth
explanation of the 3 parameters can be found
here
.
RFC 7914
recommends
values of
r=8
and
p=1
while scaling
n
to a number appropriate for your system.
The scrypt paper
suggests a
minimum value of
n=2**14
for interactive logins (t < 100ms), or
n=2**20
for more sensitive files (t < 5s).
This checks whether deriving a new key from the supplied
key_material
generates the same key as the
expected_key
, and
raises an exception if they do not match. This can be used for
checking whether the password a user provides matches the stored derived
key.
ConcatKDFHash (Concatenation Key Derivation Function) is defined by the
NIST Special Publication
NIST SP 800-56Ar3
document, to be used to
derive keys for use after a Key Exchange negotiation operation.
Warning
ConcatKDFHash should not be used for password storage.
This checks whether deriving a new key from the supplied
key_material
generates the same key as the
expected_key
, and
raises an exception if they do not match.
class
cryptography.hazmat.primitives.kdf.concatkdf.
ConcatKDFHMAC
(
algorithm
,
length
,
salt
,
otherinfo
)
[source]
Added in version 1.0.
Similar to ConcatKFDHash but uses an HMAC function instead.
Warning
ConcatKDFHMAC should not be used for password storage.
length
(
int
) – The desired length of the derived key in bytes. Maximum
is
hashlen*(2^32-1)
.
salt
(
bytes
) – A salt. Randomizes the KDF’s output. Optional, but
highly recommended. Ideally as many bits of entropy as the security
level of the hash: often that means cryptographically random and as
long as the hash output. Does not have to be secret, but may cause
stronger security guarantees if secret; If
None
is explicitly
passed a default salt of
algorithm.block_size
null bytes will be
used.
otherinfo
(
bytes
) – Application specific context information.
If
None
is explicitly passed an empty byte string will be used.
Raises
:
TypeError
– This exception is raised if
salt
or
otherinfo
is not
bytes
.
This checks whether deriving a new key from the supplied
key_material
generates the same key as the
expected_key
, and
raises an exception if they do not match.
length
(
int
) – The desired length of the derived key in bytes. Maximum
is
255*(algorithm.digest_size//8)
.
salt
(
bytes
) – A salt. Randomizes the KDF’s output. Optional, but
highly recommended. Ideally as many bits of entropy as the security
level of the hash: often that means cryptographically random and as
long as the hash output. Worse (shorter, less entropy) salt values can
still meaningfully contribute to security. May be reused. Does not have
to be secret, but may cause stronger security guarantees if secret; see
RFC 5869
and the
HKDF paper
for more details. If
None
is
explicitly passed a default salt of
algorithm.digest_size//8
null
bytes will be used. See
understanding HKDF
for additional detail about
the salt and info parameters.
info
(
bytes
) – Application specific context information. If
None
is explicitly passed an empty byte string will be used.
Raises
:
TypeError
– This exception is raised if
salt
or
info
is not
bytes
.
This checks whether deriving a new key from the supplied
key_material
generates the same key as the
expected_key
, and
raises an exception if they do not match.
class
cryptography.hazmat.primitives.kdf.hkdf.
HKDFExpand
(
algorithm
,
length
,
info
)
[source]
Added in version 0.5.
HKDF consists of two stages, extract and expand. This class exposes an
expand only version of HKDF that is suitable when the key material is
already cryptographically strong.
Warning
HKDFExpand should only be used if the key material is
cryptographically strong. You should use
HKDF
if
you are unsure.
TypeError
– This is raised if the provided
key_material
is
a
unicode
object
This checks whether deriving a new key from the supplied
key_material
generates the same key as the
expected_key
, and
raises an exception if they do not match.
KBKDF (Key Based Key Derivation Function) is defined by the
NIST SP 800-108
document, to be used to derive additional
keys from a key that has been established through an automated
key-establishment scheme.
Warning
KBKDFHMAC should not be used for password storage.
mode
– The desired mode of the PRF. A value from the
Mode
enum.
length
(
int
) – The desired length of the derived key in bytes.
rlen
(
int
) – An integer that indicates the length of the binary
representation of the counter in bytes.
llen
(
int
) – An integer that indicates the binary
representation of the
length
in bytes.
location
– The desired location of the counter. A value from the
CounterLocation
enum.
label
(
bytes
) – Application specific label information. If
None
is explicitly passed an empty byte string will be used.
context
(
bytes
) – Application specific context information. If
None
is explicitly passed an empty byte string will be used.
fixed
(
bytes
) – Instead of specifying
label
and
context
you
may supply your own fixed data. If
fixed
is specified,
label
and
context
is ignored.
break_location
(
int
) – A keyword-only argument. An integer that
indicates the bytes offset where counter bytes are to be located.
Required when
location
is
MiddleFixed
.
Raises
:
TypeError
– This exception is raised if
label
or
context
is not
bytes
. Also raised if
rlen
,
llen
, or
break_location
is not
int
.
ValueError
– This exception is raised if
rlen
or
llen
is greater than 4 or less than 1. This exception is also raised if
you specify a
label
or
context
and
fixed
. This exception
is also raised if you specify
break_location
and
location
is not
MiddleFixed
.
This checks whether deriving a new key from the supplied
key_material
generates the same key as the
expected_key
, and
raises an exception if they do not match.
KBKDF (Key Based Key Derivation Function) is defined by the
NIST SP 800-108
document, to be used to derive additional
keys from a key that has been established through an automated
key-establishment scheme.
Warning
KBKDFCMAC should not be used for password storage.
mode
– The desired mode of the PRF. A value from the
Mode
enum.
length
(
int
) – The desired length of the derived key in bytes.
rlen
(
int
) – An integer that indicates the length of the binary
representation of the counter in bytes.
llen
(
int
) – An integer that indicates the binary
representation of the
length
in bytes.
location
– The desired location of the counter. A value from the
CounterLocation
enum.
label
(
bytes
) – Application specific label information. If
None
is explicitly passed an empty byte string will be used.
context
(
bytes
) – Application specific context information. If
None
is explicitly passed an empty byte string will be used.
fixed
(
bytes
) – Instead of specifying
label
and
context
you
may supply your own fixed data. If
fixed
is specified,
label
and
context
is ignored.
break_location
(
int
) – A keyword-only argument. An integer that
indicates the bytes offset where counter bytes are to be located.
Required when
location
is
MiddleFixed
.
TypeError
– This exception is raised if
label
or
context
is not
bytes
,
rlen
,
llen
, or
break_location
is not
int
,
mode
is not
Mode
or
location
is not
CounterLocation
.
ValueError
– This exception is raised if
rlen
or
llen
is greater than 4 or less than 1. This exception is also raised if
you specify a
label
or
context
and
fixed
. This exception
is also raised if you specify
break_location
and
location
is not
MiddleFixed
.
This checks whether deriving a new key from the supplied
key_material
generates the same key as the
expected_key
, and
raises an exception if they do not match.
class
cryptography.hazmat.primitives.kdf.kbkdf.
Mode
[source]
An enumeration for the key based key derivative modes.
X963KDF (ANSI X9.63 Key Derivation Function) is defined by ANSI
in the
ANSI X9.63:2001
document, to be used to derive keys for use
after a Key Exchange negotiation operation.
SECG in
SEC 1 v2.0
recommends that
ConcatKDFHash
be
used for new projects. This KDF should only be used for backwards
compatibility with pre-existing protocols.
This checks whether deriving a new key from the supplied
key_material
generates the same key as the
expected_key
, and
raises an exception if they do not match.
key_material
(
bytes
) – The input key material. Depending on what
key derivation function you are using this
could be either random bytes, or a user
supplied password.
This checks whether deriving a new key from the supplied
key_material
generates the same key as the
expected_key
, and
raises an exception if they do not match. This can be used for
something like checking whether a user’s password attempt matches the
stored derived key.