NIST Special Publication 800-132
This Recommendation specifies techniques for the derivation of master keys from passwords or
passphrases to protect stored electronic data or data protection keys.
KEY WORDS: Password-Based Key Derivation Functions, Salt, Iteration Count, Protection of
data in storage
ii
1 Introduction
The randomness of cryptographic keys is essential for the security of cryptographic
applications. In some applications, such as the protection of electronically stored data,
passwords may be the only input required from the users who are eligible to access the
data. Due to the low entropy and possibly poor randomness of those passwords, they are
not suitable to be used directly as cryptographic keys.
This Recommendation specifies a family of password-based key derivation functions
(PBKDFs) for deriving cryptographic keys from passwords or passphrases for the
protection of electronically-stored data or for the protection of data protection keys.
2 Authority
This publication has been developed by the National Institute of Standards and
Technology (NIST) in furtherance of its statutory responsibilities under the Federal
Information Security Management Act (FISMA) of 2002, Public Law 107-347. NIST is
responsible for developing standards and guidelines, including minimum requirements
for federal information systems, but such standards and guidelines shall not apply to
national security systems.
This Recommendation has been prepared for use by Federal agencies. It may be used by
non-governmental organizations on a voluntary basis and is not subject to copyright.
(Attribution would be appreciated by NIST.)
Nothing in this document should be taken to contradict the standards and guidelines made
mandatory and binding on federal agencies by the Secretary of Commerce under statutory
authority. Nor should these guidelines be interpreted as altering or superseding the
existing authorities of the Secretary of Commerce, Director of the OMB, or any other
federal official.
1
SP 800-132 Recommendation for Password-Based Key Derivation December 2010
Conformance testing for implementations of this Recommendation will be conducted
within the framework of the Cryptographic Module Validation Program (CMVP) and the
Cryptographic Algorithm Validation Program (CAVP). The requirements of this
Recommendation are indicated by the word “shall”. Some of these requirements may be
out-of-scope for CMVP or CAVP validation testing, and thus are the responsibility of
entities using, implementing, installing or configuring applications that incorporate this
Recommendation.
3 Definitions, Acronyms and Symbols
3.1 Definitions
Approved FIPS-approved and/or NIST-recommended. An algorithm or
technique that is 1) specified in a FIPS or NIST Recommendation;
or 2) adopted in a FIPS or NIST Recommendation; or 3) specified
in a list of NIST-approved security functions.
Authenticated
encryption
A function in which plaintext is encrypted into ciphertext, and a
MAC is generated on the plaintext or ciphertext and, optionally, on
associated data that is not encrypted.
Cryptographic
algorithm
A well-defined computational procedure that takes variable inputs
that may include a cryptographic key to provide confidentiality,
data integrity, authentication and/or non-repudiation.
Cryptographic key
(key)
A binary string that is used as a parameter by a cryptographic
algorithm.
Data protection key A key or a set of keys used to protect or recover data, verify the
authenticity or integrity of the protected data or to protect the
private key used to generate digital signatures.
Decryption The process of transforming ciphertext into plaintext using a
cryptographic algorithm and key.
Digest size The output length of a hash function.
Encryption The process of transforming plaintext into ciphertext using a
cryptographic algorithm and key.
Entropy A measure of the amount of uncertainty in an unknown value.
Iteration count The number of times that the pseudorandom function is called to
generate a block of keying material.
Key See cryptographic key.