CryptoSys API Library Manual

PBE_Kdf2

Derives a key of any length from a password using the PBKDF2 algorithm from PKCS #5.

VB6/VBA Syntax

Public Declare Function PBE_Kdf2 Lib "diCryptoSys.dll" (ByRef abDerivedKey As Byte, ByVal nKeyLen As Long, ByRef abPassword As Byte, ByVal nPwdLen As Long, ByRef abSalt As Byte, ByVal nSaltLen As Long, ByVal nCount As Long, ByVal nOptions As Long) As Long

nRet = PBE_Kdf2(abDerivedKey(0), nKeyLen, abPwdBytes(0), nPwdLen, abSalt(0), nSaltLen, nCount, nOptions)

Parameters

abDerivedKey
[out] Byte array to be filled with derived key.
nKeyLen
[in] Long specifying the size of the required key in bytes.
abPassword
[in] Byte array containing the password.
nPwdLen
[in] Long specifying the length of the password in bytes.
abSalt
[in] Byte array containing the salt.
nSaltLen
[in] Long specifying the length of the salt in bytes.
nCount
[in] Long specifying the required iteration count.
nOptions
[in] Long Option flags. Select one of:
HMAC with:
API_HASH_SHA1 (0) to use the SHA-1 hash algorithm (default)
API_HASH_MD5 to use the MD5 algorithm
API_HASH_SHA256 to use the SHA-256 algorithm
API_HASH_SHA384 to use the SHA-384 algorithm
API_HASH_SHA512 to use the SHA-512 algorithm
API_HASH_SHA224 to use the SHA-224 algorithm

C/C++ Syntax

long _stdcall PBE_Kdf2(unsigned char *dk, long dkLen, const unsigned char *pwd, long pwdLen, const unsigned char *salt, long saltLen, long count, long reserved);

Returns (VB6/C)

Long: If successful, the return value is 0; otherwise it returns a non-zero error code.

.NET Equivalent

Pbe.Kdf2 Method (Int32, Byte[], Byte[], Int32)

Remarks

The output buffer for the derived key abDerivedKey() must have been dimensioned to at least the required length. VB6 users should note the (0) in abDerivedKey(0), abPwdBytes(0) and abSalt(0).

Example

This example uses PBKDF2 as defined in PKCS #5 v2.0 from test vectors provided by Dr. Stephen Henson. The password is "password" (without quotes). This derived key is for the 'des-ede3-cbc' example in the test vectors and therefore needs to be 24 bytes long. 

    Dim abDerivedKey() As Byte
    Dim nKeyLen As Long
    Dim sPassword As String
    Dim abPwdBytes() As Byte
    Dim abSalt(7) As Byte
    Dim nCount As Long
    Dim nRet As Long
    
' Convert password String to an array of Bytes
    sPassword = "password"
    abPwdBytes = StrConv(sPassword, vbFromUnicode)
    
' Set 8-byte salt = 78 57 8E 5A 5D 63 CB 06
    abSalt(0) = &H78
    abSalt(1) = &H57
    abSalt(2) = &H8E
    abSalt(3) = &H5A
    abSalt(4) = &H5D
    abSalt(5) = &H63
    abSalt(6) = &HCB
    abSalt(7) = &H6
    
' Iteration count is 2048
    nCount = 2048
    
' Pre-dimension output for derived key to required length of 24 bytes
' (Don't forget to do this)
    nKeyLen = 24
    ReDim abDerivedKey(nKeyLen - 1)
    
' Derive PBKDF2 key using function from CryptoSys
    nRet = PBE_Kdf2(abDerivedKey(0), nKeyLen, _
      abPwdBytes(0), Len(sPassword), abSalt(0), 8&, nCount, 0&)
    
' Convert bytes to hex and print
    Debug.Print "Derived key = " & cnvHexStrFromBytes(abDerivedKey)
    Debug.Print "Correct key = BFDE6BE94DF7E11DD409BCE20A0255EC327CB936FFE93643"

This should result in output as follows:

Derived key = BFDE6BE94DF7E11DD409BCE20A0255EC327CB936FFE93643
Correct key = BFDE6BE94DF7E11DD409BCE20A0255EC327CB936FFE93643

Had we specified the required key length to be 64 bytes instead of 24, we would have generated this 512-bit key:

BFDE6BE94DF7E11DD409BCE20A0255EC327CB936FFE93643C4B150DEF7751122
4479994567F2E9B4E3BD0DF7AEDA3022B1F26051D81505C794F8940C04DF1144

This second example shows how other SHA-2 hash functions can be used.

    Dim abDerivedKey() As Byte
    Dim nKeyLen As Long
    Dim sPassword As String
    Dim abPwdBytes() As Byte
    Dim abSalt(7) As Byte
    Dim nSaltBytes As Long
    Dim nCount As Long
    Dim nRet As Long
    
' Convert password String to an array of Bytes
    sPassword = "password"
    abPwdBytes = StrConv(sPassword, vbFromUnicode)
    
' Set 8-byte salt = 78 57 8E 5A 5D 63 CB 06
    abSalt(0) = &H78
    abSalt(1) = &H57
    abSalt(2) = &H8E
    abSalt(3) = &H5A
    abSalt(4) = &H5D
    abSalt(5) = &H63
    abSalt(6) = &HCB
    abSalt(7) = &H6
    nSaltBytes = 8
    
' Iteration count is 2048
    nCount = 2048
    
' Pre-dimension output for derived key to required length of 24 bytes
' (Don't forget to do this)
    nKeyLen = 24
    ReDim abDerivedKey(nKeyLen - 1)
    
' Derive PBKDF2 key using function from CryptoSys API with default HMAC-SHA-1
    nRet = PBE_Kdf2(abDerivedKey(0), nKeyLen, _
      abPwdBytes(0), Len(sPassword), abSalt(0), nSaltBytes, nCount, API_HASH_SHA1)
' Convert bytes to hex and print
    Debug.Print "Derived key {HMAC-SHA-1}   = " & cnvHexStrFromBytes(abDerivedKey)
    
' Derive PBKDF2 key using function from CryptoSys API with HMAC-SHA-256
    nRet = PBE_Kdf2(abDerivedKey(0), nKeyLen, _
      abPwdBytes(0), Len(sPassword), abSalt(0), nSaltBytes, nCount, API_HASH_SHA256)
    Debug.Print "Derived key {HMAC-SHA-256} = " & cnvHexStrFromBytes(abDerivedKey)

' Derive PBKDF2 key using function from CryptoSys API with HMAC-SHA-224
    nRet = PBE_Kdf2(abDerivedKey(0), nKeyLen, _
      abPwdBytes(0), Len(sPassword), abSalt(0), nSaltBytes, nCount, API_HASH_SHA224)
    Debug.Print "Derived key {HMAC-SHA-224} = " & cnvHexStrFromBytes(abDerivedKey)

This should result in output as follows:

Derived key {HMAC-SHA-1}   = BFDE6BE94DF7E11DD409BCE20A0255EC327CB936FFE93643
Derived key {HMAC-SHA-256} = 97B5A91D35AF542324881315C4F849E327C4707D1BC9D322
Derived key {HMAC-SHA-224} = 10CFFEDFB13503519969151E466F587028E0720B387F9AEF

See Also

PBE_Kdf2Hex

[Contents] [Index]

[HOME]   [NEXT: PBE_Kdf2Hex...]
Copyright © 2001-11 D.I. Management Services Pty Ltd. All rights reserved.