<?xml version="1.0" encoding="utf-8"?>
<!-- $Revision$ -->
<refentry xml:id="function.openssl-pbkdf2" xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink">
<refnamediv>
<refname>openssl_pbkdf2</refname>
<refpurpose>Generates a PKCS5 v2 PBKDF2 string</refpurpose>
</refnamediv>
<refsect1 role="description">
&reftitle.description;
<methodsynopsis>
<type class="union"><type>string</type><type>false</type></type><methodname>openssl_pbkdf2</methodname>
<methodparam><modifier role="attribute">#[\SensitiveParameter]</modifier><type>string</type><parameter>password</parameter></methodparam>
<methodparam><type>string</type><parameter>salt</parameter></methodparam>
<methodparam><type>int</type><parameter>key_length</parameter></methodparam>
<methodparam><type>int</type><parameter>iterations</parameter></methodparam>
<methodparam choice="opt"><type>string</type><parameter>digest_algo</parameter><initializer>"sha1"</initializer></methodparam>
</methodsynopsis>
<para>
<function>openssl_pbkdf2</function> computes PBKDF2 (Password-Based Key Derivation Function 2),
a key derivation function defined in PKCS5 v2.
</para>
</refsect1>
<refsect1 role="parameters">
&reftitle.parameters;
<variablelist>
<varlistentry>
<term><parameter>password</parameter></term>
<listitem>
<para>
Password from which the derived key is generated.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><parameter>salt</parameter></term>
<listitem>
<para>
PBKDF2 recommends a cryptographic salt of at least 128 bits (16 bytes).
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><parameter>key_length</parameter></term>
<listitem>
<para>
Length of desired output key.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><parameter>iterations</parameter></term>
<listitem>
<para>
The number of iterations desired.
<link xlink:href="https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-132.pdf">NIST
recommends at least 1,000</link>. As of 2023, OWASP recommends 600,000 iterations for
PBKDF2-HMAC-SHA256 and 210,000 for PBKDF2-HMAC-SHA512.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><parameter>digest_algo</parameter></term>
<listitem>
<para>
Optional hash or digest algorithm from <function>openssl_get_md_methods</function>. Defaults
to SHA-1. It is recommended to set it to SHA-256 or SHA-512.
</para>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1 role="returnvalues">
&reftitle.returnvalues;
<para>
Returns raw binary string&return.falseforfailure;.
</para>
</refsect1>
<refsect1 role="examples">
&reftitle.examples;
<para>
<example>
<title>openssl_pbkdf2() example</title>
<programlisting role="php">
<![CDATA[
<?php
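$password = 'password';
// 128-bit random salt; it must be stored to re-derive the same key later
$salt = openssl_random_pseudo_bytes(16);
// Length of the derived key in bytes
$keyLength = 20;
$iterations = 600000;
// Pass the digest explicitly, otherwise SHA-1 is used
$generated_key = openssl_pbkdf2($password, $salt, $keyLength, $iterations, 'sha256');
// The result is raw binary, so encode it before printing
echo bin2hex($generated_key)."\n";
echo base64_encode($generated_key)."\n";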
?>
]]>
</programlisting>
</example>
</para>
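<para>
<example>
<title>Storing and verifying a derived key (added example)</title>
<para>
This example is added here and is not part of the original manual page. It shows how the salt, iteration count and digest described above have to travel with the derived key so that it can be re-derived and compared later. The record layout <literal>digest$iterations$salt$key</literal> and the function names are assumptions made for this illustration.
</para>
<programlisting role="php">
<![CDATA[
```php
<?php
// Added example: the "digest$iterations$salt$key" record layout is an
// assumption for illustration, not a format defined by PHP or OpenSSL.
const PBKDF2_DIGEST = 'sha256';
const PBKDF2_ITERATIONS = 600000; // OWASP 2023 figure for PBKDF2-HMAC-SHA256
const PBKDF2_SALT_BYTES = 16;     // 128-bit salt
const PBKDF2_KEY_BYTES = 32;      // derived key length in bytes

function pbkdf2_create_record(string $password): string
{
    $salt = random_bytes(PBKDF2_SALT_BYTES);
    $key = openssl_pbkdf2($password, $salt, PBKDF2_KEY_BYTES, PBKDF2_ITERATIONS, PBKDF2_DIGEST);
    if ($key === false) {
        throw new RuntimeException('openssl_pbkdf2() failed');
    }
    // base64 never contains "$", so it is safe as the field separator.
    return implode('$', [PBKDF2_DIGEST, PBKDF2_ITERATIONS, base64_encode($salt), base64_encode($key)]);
}

function pbkdf2_verify_record(string $password, string $record): bool
{
    $parts = explode('$', $record);
    if (count($parts) !== 4) {
        return false;
    }
    [$digest, $iterations, $salt, $expected] = $parts;
    $salt = base64_decode($salt, true);
    $expected = base64_decode($expected, true);
    // Reject malformed records and digests this code does not allow.
    if ($salt === false || $salt === '' || $expected === false || $expected === ''
        || !ctype_digit($iterations) || (int) $iterations < 1
        || !in_array($digest, ['sha256', 'sha512'], true)) {
        return false;
    }
    // Re-derive with the parameters stored in the record, not the current
    // constants, so records written with older settings still verify.
    $actual = openssl_pbkdf2($password, $salt, strlen($expected), (int) $iterations, $digest);
    // hash_equals() compares the two keys in constant time.
    return $actual !== false && hash_equals($expected, $actual);
}

// Constructed sample input.
$record = pbkdf2_create_record('correct horse battery staple');
var_dump(pbkdf2_verify_record('correct horse battery staple', $record));
var_dump(pbkdf2_verify_record('wrong password', $record));
?>
```
]]>
</programlisting>
</example>
</para>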
</refsect1>
<refsect1 role="seealso">
&reftitle.seealso;
<para>
<simplelist>
<member><function>hash_pbkdf2</function></member>
<member><function>openssl_get_md_methods</function></member>
</simplelist>
</para>
</refsect1>
</refentry>
<!-- Keep this comment at the end of the file
Local variables:
mode: sgml
sgml-omittag:t
sgml-shorttag:t
sgml-minimize-attributes:nil
sgml-always-quote-attributes:t
sgml-indent-step:1
sgml-indent-data:t
indent-tabs-mode:nil
sgml-parent-document:nil
sgml-default-dtd-file:"~/.phpdoc/manual.ced"
sgml-exposed-tags:nil
sgml-local-catalogs:nil
sgml-local-ecat-files:nil
End:
vim600: syn=xml fen fdm=syntax fdl=2 si
vim: et tw=78 syn=sgml
vi: ts=1 sw=1
-->