Blame - docs/hazmat/primitives/key-derivation-functions.rst - platform/external/python/cryptography

blob: 661b46114023354e249777fb10e0581680ec066e [file] [log] [blame]

Paul Kehrer	b6d764c	2014-01-27 22:32:11 -0600	[diff] [blame]	1	.. hazmat::
				2
				3	Key Derivation Functions
				4	========================
				5
				6	.. currentmodule:: cryptography.hazmat.primitives.kdf
				7
				8	Key derivation functions derive key material from information such as passwords
				9	using a pseudo-random function (PRF).
				10
Paul Kehrer	b3f763f	2014-01-28 16:42:15 -0600	[diff] [blame^]	11	.. class:: PBKDF2HMAC(algorithm, length, salt, iterations, backend):
Paul Kehrer	b6d764c	2014-01-27 22:32:11 -0600	[diff] [blame]	12
Paul Kehrer	5d1af21	2014-01-28 12:19:32 -0600	[diff] [blame]	13	.. versionadded:: 0.2
				14
				15	This class conforms to the
				16	:class:`~cryptography.hazmat.primitives.interfaces.KeyDerivationFunction`
				17	interface.
				18
Paul Kehrer	b6d764c	2014-01-27 22:32:11 -0600	[diff] [blame]	19	.. doctest::
				20
Paul Kehrer	5d1af21	2014-01-28 12:19:32 -0600	[diff] [blame]	21	>>> import os
				22	>>> from cryptography.hazmat.primitives import hashes
Paul Kehrer	b3f763f	2014-01-28 16:42:15 -0600	[diff] [blame^]	23	>>> from cryptography.hazmat.primitives.kdf.pbkdf2 import PBKDF2HMAC
Paul Kehrer	b6d764c	2014-01-27 22:32:11 -0600	[diff] [blame]	24	>>> from cryptography.hazmat.backends import default_backend
				25	>>> backend = default_backend()
				26	>>> salt = os.urandom(16)
				27	>>> # derive
Paul Kehrer	b3f763f	2014-01-28 16:42:15 -0600	[diff] [blame^]	28	>>> kdf = PBKDF2HMAC(
				29	... algorithm=hashes.SHA256(),
				30	... length=32,
				31	... salt=salt,
				32	... iterations=50000,
				33	... backend=backend
				34	... )
Paul Kehrer	b6d764c	2014-01-27 22:32:11 -0600	[diff] [blame]	35	>>> key = kdf.derive(b"my great password")
				36	>>> # verify
Paul Kehrer	b3f763f	2014-01-28 16:42:15 -0600	[diff] [blame^]	37	>>> kdf = PBKDF2HMAC(
				38	... algorithm=hashes.SHA256(),
				39	... length=32,
				40	... salt=salt,
				41	... iterations=50000,
				42	... backend=backend
				43	... )
Paul Kehrer	b6d764c	2014-01-27 22:32:11 -0600	[diff] [blame]	44	>>> kdf.verify(b"my great password", key)
Paul Kehrer	b6d764c	2014-01-27 22:32:11 -0600	[diff] [blame]	45
Paul Kehrer	5d1af21	2014-01-28 12:19:32 -0600	[diff] [blame]	46	:param algorithm: An instance of a
				47	:class:`~cryptography.hazmat.primitives.interfaces.HashAlgorithm`
				48	provider.
				49	:param int length: The desired length of the derived key. Maximum is
Paul Kehrer	b3f763f	2014-01-28 16:42:15 -0600	[diff] [blame^]	50	(2\ :sup:`32` - 1) * ``algorithm.digest_size``.
Paul Kehrer	5d1af21	2014-01-28 12:19:32 -0600	[diff] [blame]	51	:param bytes salt: A salt. `NIST SP 800-132`_ recommends 128-bits or
				52	longer.
				53	:param int iterations: The number of iterations to perform of the hash
Paul Kehrer	b3f763f	2014-01-28 16:42:15 -0600	[diff] [blame^]	54	function. See OWASP's `Password Storage Cheat Sheet`_ for more
				55	detailed recommendations.
Paul Kehrer	5d1af21	2014-01-28 12:19:32 -0600	[diff] [blame]	56	:param backend: A
				57	:class:`~cryptography.hazmat.backends.interfaces.CipherBackend`
				58	provider.
Paul Kehrer	b6d764c	2014-01-27 22:32:11 -0600	[diff] [blame]	59
				60	.. _`NIST SP 800-132`: http://csrc.nist.gov/publications/nistpubs/800-132/nist-sp800-132.pdf
Paul Kehrer	b3f763f	2014-01-28 16:42:15 -0600	[diff] [blame^]	61	.. _`Password Storage Cheat Sheet`: https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet