What's the advantage of using PBKDF2 vs SHA256 to generate an AES encryption key from a passphrase?
I'm looking at two comparable pieces of software which encrypt data on disk using a passphrase. One uses PBKDF2 to generate the encryption key from a passphrase, while the other uses two rounds of SHA256. What's the difference? Is one preferred over the other?
The difference is that:
- PBKDF2 by design is slow
- SHA256 is a good hash function; it is not slow, by design
So if someone were to try a lot of different possible passphrases, say the whole dictionary, then each word with a digit appended, then each word with a different capitalisation, then two dictionary words, etc. then this process would be much slower with PBKDF2.
But if your passphrase is truly secure, that is very long, pretty random and out of reach of any systematic enumeration process, then it makes no practical difference, except that an attacker may spend more resources trying to break your passphrase (or maybe less if they decide to give up sooner).
Couldn't that still be thwarted by mirroring the DB file thousands of times and using a coordinated multi-threaded brute force attack? It seems almost as if PBKDF2 may be (counterintuitively) most secure in a monitored online environment with backend threat detection monitoring in a physically ultra secure server room.
@AminM That it's **"cryptographically slow"(1) is PBKDF2's advantage.** (1) I just made up that phrase, I mean that it would require a huge breakthrough in crypto breakage of the underlying cryptographic hash function to make it a lot more efficient. (Making hardware with more op per second doesn't count.)