pbkdf2 iteration and openssl iv

  1. What does iteration mean for http://php.net/manual/en/function.hash-pbkdf2.php, and what length is reasonable for this iteration parameter?

  2. If I use a random number for openssl_encrypt, where should I store it to get it for openssl_decrypt? Should I append it with a separator at the end of the encoded string? If yes, is it secure, as everyone can see that number at the end of the encoded string?

  1. See https://en.wikipedia.org/wiki/PBKDF2 for a detailed explanation. Put simply, the iteration count is a measure of how long it takes to generate a key. Length and iteration number are not correlated. It is recommended that the iteration number should be 4,000 or higher.

  2. The IV is required for decrypting (a measure against certain types of attacks), so you have to store it somewhere. There is no need to keep it secret, as long as you keep the password safe.

  3. Use password_hash() or bcrypt (depending on what you want to do). They’re stronger than pbkdf2 and easier to use (e.g. crypt uses a fixed-length IV (depending on the block size of the cipher), so you don’t need a separator, just append or prepend the IV).

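The prepend-the-IV approach from the answer above, written out as an added example that is not part of the original thread: the key is derived with hash_pbkdf2(), and the salt, IV and authentication tag are stored at fixed offsets in front of the ciphertext, so decryption slices them back out by length rather than by separator. It assumes PHP 7.1 or later with the openssl extension; AES-256-GCM (so the ciphertext is also authenticated, which plain openssl_encrypt with CBC is not) and the 100,000 iteration count are choices made here, not taken from the thread.

```php
<?php
// Added example, not from the original thread. Assumes PHP >= 7.1 with ext/openssl.
const CIPHER     = 'aes-256-gcm';
const ITERATIONS = 100000;   // PBKDF2 cost: raise it as high as your latency budget allows
const SALT_LEN   = 16;       // bytes of per-message PBKDF2 salt
const TAG_LEN    = 16;       // GCM authentication tag length
const KEY_LEN    = 32;       // 256-bit key

function encryptWithPassword(string $password, string $plaintext): string
{
    $salt = random_bytes(SALT_LEN);
    $iv   = random_bytes(openssl_cipher_iv_length(CIPHER)); // 12 bytes for GCM
    $key  = hash_pbkdf2('sha256', $password, $salt, ITERATIONS, KEY_LEN, true);
    $tag  = '';
    $ct   = openssl_encrypt($plaintext, CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag, '', TAG_LEN);
    if ($ct === false) {
        throw new RuntimeException('encryption failed: ' . openssl_error_string());
    }
    // Layout: salt | iv | tag | ciphertext. None of the three prefixes needs to be secret;
    // the password (and therefore the derived key) is what protects the data.
    return base64_encode($salt . $iv . $tag . $ct);
}

function decryptWithPassword(string $password, string $encoded): string
{
    $blob  = base64_decode($encoded, true);
    $ivLen = openssl_cipher_iv_length(CIPHER);
    if ($blob === false || strlen($blob) < SALT_LEN + $ivLen + TAG_LEN) {
        throw new RuntimeException('malformed input');
    }
    // Fixed-length fields are read back by offset, so no separator is needed.
    $salt = substr($blob, 0, SALT_LEN);
    $iv   = substr($blob, SALT_LEN, $ivLen);
    $tag  = substr($blob, SALT_LEN + $ivLen, TAG_LEN);
    $ct   = substr($blob, SALT_LEN + $ivLen + TAG_LEN);
    $key  = hash_pbkdf2('sha256', $password, $salt, ITERATIONS, KEY_LEN, true);
    $pt   = openssl_decrypt($ct, CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($pt === false) {
        // Wrong password, or any byte of salt/IV/tag/ciphertext changed: GCM rejects it.
        throw new RuntimeException('decryption failed (bad password or tampered data)');
    }
    return $pt;
}

// Constructed sample input.
$token = encryptWithPassword('correct horse battery staple', 'attack at dawn');
echo decryptWithPassword('correct horse battery staple', $token), PHP_EOL;
```

Because the salt and IV are regenerated per message, encrypting the same plaintext twice yields different tokens, and a modified token fails closed instead of decrypting to garbage.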