Score:0

Is AES GCM with PBKDF2 100k iterations still ok as of 2022?

us flag

Is using AES GCM with PBKDF2 and 100 000 iterations still considered secure as of 2022?

In our threat model, if we ignore the risks linked to quantum computing, is this secure?

Here is an example working Python implementation:

import Crypto.Random, Crypto.Protocol.KDF, Crypto.Cipher.AES
plaintext = b"hello world hello world hello world hello world hello world"
password = b"correct horse battery staple"
nonce = Crypto.Random.new().read(16)
key = Crypto.Protocol.KDF.PBKDF2(password, nonce, count=100000)
cipher = Crypto.Cipher.AES.new(key, Crypto.Cipher.AES.MODE_GCM, nonce=nonce, mac_len=16)
ciphertext = (nonce,) + cipher.encrypt_and_digest(plaintext)  # nonce | ciphertext | tag
print(ciphertext)

Note: using the same nonce for PBKDF2 and AES.new(...) seems not to be a problem if we never re-use this nonce for future encryptions, see Reusing PBKDF2 salt for AES/GCM as IV: dangerous?

forest avatar
vn flag
What qualities does it require for it to be "still OK" for your threat model? It's better to use a memory-hard KDF because PBKDF2 is easy to parallelize, but it's not like it's broken.
us flag
@forest By "OK", let's say resistant to an attacker who has 1 million $ budget of computing power as of 2022 for the specific task of cracking a given password-protected file :) (and no access to quantum computing).
forest avatar
vn flag
Then it depends on how strong the password is. 100,000 rounds of PBKDF2 for a given hash adds $\log_2(100000) \approx 16.6$ bits of entropy compared to a single round of that hash. If the password itself is already very strong, then you don't even _need_ PBKDF2. The only purpose of a slow KDF is to improve the security of passwords of marginal strength. If your password has only, say, 64 bits of entropy, then 1000,000 iterations would likely put it out of reach of the attacker you described.
us flag
@forest Let's say the passwords are 10 random looking alphanumeric characters (`a-zA-Z0-9`). Does 100k iterations of PBKDF2 make it out of reach of attackers nowadays? PS: I think your last comment can be turned into the answer.
Maarten Bodewes avatar
in flag
You can do the calculations yourself, see e.g. [here](https://www.wolframalpha.com/input?i=log_2%28%2826+%2B+26+%2B+10%29+%5E+10%29). So ~59.5 + ~16.6 = 76.1 bits of security, but that's assuming that the password is fully random, not just *random looking* to an attacker. Note that above is based on the full search, so you have 1 bit less security on average (I should have removed that one bit really).
us flag
Yes @MaartenBodewes, I was curious about how many bits of entropy is considered as "strong" for a password nowadays. > 70 bits seems ok, right?
Maarten Bodewes avatar
in flag
Depends on who you are up against, but let's say that I don't think that a casual hacker will try and break that. You'd need a large organization, botnet or government to hack just one password (assuming you are using random salts), so there will just be too many wasted CPU cycles. One problem is that humans are not good remembering 10 character fully random passwords - and if you use a key manager then you might as well use an even stronger one.
forest avatar
vn flag
Wrote answer based on one of my comments, as it seems to be the best that can be done based on the information provided.
Score:1
vn flag

It depends entirely on how strong the password is. 100,000 rounds of PBKDF2 for a password with a given hash adds the equivalent of $\log_2(100000) \approx 16.6$ bits of entropy compared to a single round of that hash. If the password itself is already very strong, then you don't even need PBKDF2. The only purpose of a slow KDF is to improve the security of passwords of marginal strength. If your password has only, say, 64 bits of entropy, then 1000,000 iterations would likely put it out of reach of an attacker with \$1M of assets, because 64 + 16.6 = 80.6 bits, which would likely cost more than \$1M to break.

It's better to use a memory-hard KDF. This isn't because PBKDF2 is broken per se, but is because an attacker can more easily scale up an attack due to hashing lending itself to extreme parallelism.

forest avatar
vn flag
@Slbox You should be using Argon2. An older algorithm that is also acceptable is bcrypt, but it's not nearly as good (it helps protect against GPUs, whereas Argon2 protects against GPUs and ASICs).
mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.