PBKDF2 – History, Usage, and Future – Teaching Aide

GitHub link to the website code: https://github.com/Benedict-Kpaduwa/PBKDF2-Project/

Storing and transmitting information securely, as well as ensuring its integrity, authenticity, and confidentiality, are some of the most important problems faced within the field of cryptography. There are all kinds of encryption, hashing and signing algorithms, all relying on some secret password.

One of the biggest problems with these passwords is the human factor. Many people tend to choose passwords that are easy to remember and reuse them in different settings (platforms, accounts, at work and at home).

A way to mitigate this is to derive a complex key from a password in such a way that reverting the key back into the secret password would either be infeasible for an attacker or would slow them down enough for such a key to be considered secure.

In this teaching aide we will talk about one such key derivation function, PBKDF2. We will cover its history, how the algorithm works, and its use cases. We will also discuss its advantages and disadvantages, as well as some of its alternatives.

Now that we are familiar with PBKDF2, it is a good idea to check the knowledge and understanding of the topic with a simple quiz-game that can be accessed via the link below.

https://pbkdf-2-project.vercel.app


2 Comments

  1. Teaching Aide: Walkthrough:
    What is the weakest part of any system? Some can argue it is its users. They get to interact with the system the most, constantly creating opportunities for attackers to exploit. Such opportunities can arise from social engineering, a user’s lack of understanding of some key concept of the system, or from something as simple as password creation.
    Whether done without knowing possible consequences, or simply for the sake of convenience, many of us choose passwords that are simple, easy to remember, and, as a matter of fact, easy to pick by an attacker.
    As one can guess, simply telling users about such a problem will not do much with their password-making behavior. We need ways to mitigate user’s weak passwords while still allowing them to choose something they could comfortably use. This is where the topic of our teaching aid, PBKDF2, comes in.

    We start our teaching aid by first going over the history component of Key Derivation Functions (KDFs), specifically, what is the reason for their existence, and in what context they are applied. We briefly introduce PBKDF2 and its predecessor PBKDF1. We then proceed to discuss the HMAC, which itself makes it possible to ensure message integrity and authenticity, but which can also be used as a Pseudo-Random Function (PRF), a key component within PBKDF2.
    After discussing HMAC, our teaching aide opens a topic on how PBKDF2 works at every step of its execution, covering everything from what inputs it takes and what preliminary checks and assisting values are calculated, to following every round of calculation, showing where and why each variable is used and how they all combine in the final output – the key.
    Once the most technical details are out of the way, our teaching aide then jumps back into the topic of history, only this time, it covers not how we came to use KDFs, but how specifically PBKDF2 evolved and came to be a standard. Here, we also give a small foreshadowing to the future of PBKDF2.

    From then on, the main topics are the advantages and disadvantages of PBKDF2. Here, we also talk about PBKDF2’s wide adoption around the world (with detailed examples of where it is used), as well as about its critical vulnerability, that led to several severe breaches. We show how Bitwarden (a password manager) uses PBKDF2 to turn a password into a cryptographic key, such as the Master Key, how it is stretched, and how this key is used to generate a hash that will be used for authentication without Bitwarden knowing.
    This leads to the final part of our teaching aide, the alternatives to PBKDF2. We discuss three of them, showing their strengths and weaknesses.

    We then end our teaching aide with an idea that despite availability of better alternatives, it is still important to understand what PBKDF2 is and where and how it is used due to its massive adoption within the IT industry. This knowledge would allow identifying whether the usage of PBKDF2 is justified in different scenarios, and whether immediate action to replace it is needed.

    After the presentation, we have created a learning platform for the students to test their knowledge about PBKDF2 in a question-based format.

  2. Discussion Questions:
    1) What are the advantages and limitations of PBKDF2?
    2) How do PBKDF2 iterations affect security and performance?
    3) PBKDF2 has been widely adopted globally, but it also has known vulnerabilities. Why is it still being used despite these weaknesses?
    4) How does HMAC help in the function of PBKDF2, and why is it an essential component?
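
As an added example (not part of the original post, its comments, or the linked project), this Python sketch carries out the round-by-round PBKDF2 computation the walkthrough describes, with HMAC as the PRF, and measures how the iteration count changes the cost of one derivation. The passwords, salts and iteration counts are constructed sample values, and `seconds_per_guess` is a hypothetical helper name.

```python
import hashlib
import hmac
import struct
import time


def pbkdf2(hash_name, password, salt, iterations, dk_len):
    """PBKDF2 (RFC 8018, section 5.2) with HMAC-<hash_name> as the PRF."""
    h_len = hashlib.new(hash_name).digest_size
    if iterations < 1 or dk_len < 1:
        raise ValueError("iterations and dk_len must be positive")
    if dk_len > (2**32 - 1) * h_len:
        raise ValueError("derived key too long")
    # Key HMAC with the password once; copy() reuses the keyed state per call.
    keyed = hmac.new(password, digestmod=hash_name)

    def prf(data):
        mac = keyed.copy()
        mac.update(data)
        return mac.digest()

    def block(i):
        # U_1 = PRF(P, S || INT(i)); INT(i) is a 4-byte big-endian counter.
        u = prf(salt + struct.pack(">I", i))
        t = int.from_bytes(u, "big")
        for _ in range(iterations - 1):
            u = prf(u)                       # U_j = PRF(P, U_{j-1})
            t ^= int.from_bytes(u, "big")    # T_i = U_1 xor U_2 xor ... xor U_c
        return t.to_bytes(h_len, "big")

    n_blocks = -(-dk_len // h_len)           # ceil(dk_len / h_len)
    return b"".join(block(i) for i in range(1, n_blocks + 1))[:dk_len]


def seconds_per_guess(iterations, hash_name="sha256"):
    """Wall-clock cost of one derivation: paid per login and per password guess."""
    start = time.perf_counter()
    hashlib.pbkdf2_hmac(hash_name, b"constructed sample password", b"sample salt", iterations)
    return time.perf_counter() - start


if __name__ == "__main__":
    # Cross-check against the standard library, then show cost vs. iterations.
    assert pbkdf2("sha256", b"pw", b"salt", 1000, 48) == hashlib.pbkdf2_hmac(
        "sha256", b"pw", b"salt", 1000, 48)
    for c in (1_000, 10_000, 100_000):       # constructed sample counts
        print(f"{c:>7} iterations: {seconds_per_guess(c) * 1000:.2f} ms")
```

The measured time grows roughly linearly with the iteration count, which is the trade-off behind the second discussion question: every extra iteration slows a legitimate login and each offline guess by the same factor.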
