The Passlib documentation has moved to https://passlib.readthedocs.io
passlib.utils.pbkdf2 - PBKDF2 key derivation algorithm [deprecated]
Warning
This module has been deprecated as of Passlib 1.7, and will be removed in Passlib 2.0. The functions in this module have been replaced by equivalent (but not identical) functions in the passlib.crypto module.
This module provides a couple of key derivation functions, as well as supporting utilities. Primarily, it offers pbkdf2(), which provides the ability to generate an arbitrary length key using the PBKDF2 key derivation algorithm, as specified in RFC 2898. This function can be helpful in creating password hashes using schemes which have been based around the PBKDF2 algorithm.
PKCS#5 Key Derivation Functions
passlib.utils.pbkdf2.pbkdf1(secret, salt, rounds, keylen=None, hash='sha1')
PKCS#5 password-based key derivation v1.5
Parameters:
- secret – passphrase to use to generate key
- salt – salt string to use when generating key
- rounds – number of rounds to use to generate key
- keylen – number of bytes to generate (if None, uses digest’s native size)
- hash – hash function to use. Must be the name of a hash recognized by hashlib.
Returns: raw bytes of generated key
Note
This algorithm has been deprecated; new code should use PBKDF2. Among other limitations, keylen cannot be larger than the digest size of the specified hash.
Deprecated since version 1.7: This has been relocated to passlib.crypto.digest.pbkdf1(), and this version will be removed in Passlib 2.0. Note the call signature has changed.
passlib.utils.pbkdf2.pbkdf2(secret, salt, rounds, keylen=None, prf='hmac-sha1')
PKCS#5 password-based key derivation v2.0
Parameters:
- secret – passphrase to use to generate key
- salt – salt string to use when generating key
- rounds – number of rounds to use to generate key
- keylen – number of bytes to generate. If set to None, will use the digest size of the selected prf.
- prf – pseudo-random family to use for key strengthening. This must be a string starting with "hmac-", followed by the name of a known digest. This defaults to "hmac-sha1" (the only prf explicitly listed in the PBKDF2 specification).
Returns: raw bytes of generated key
Deprecated since version 1.7: This has been deprecated in favor of passlib.crypto.digest.pbkdf2_hmac(), and will be removed in Passlib 2.0. Note the call signature has changed.
Note
The details of PBKDF1 and PBKDF2 are specified in RFC 2898.
Helper Functions
passlib.utils.pbkdf2.norm_hash_name(name, format='hashlib')
Normalize hash function name (convenience wrapper for lookup_hash()).
Parameters:
- name – Original hash function name. This name can be a Python hashlib digest name, a SCRAM mechanism name, IANA assigned hash name, etc. Case is ignored, and underscores are converted to hyphens.
- format – Naming convention to normalize to. Possible values are:
  - "hashlib" (the default) - normalizes name to be compatible with Python’s hashlib.
  - "iana" - normalizes name to IANA-assigned hash function name. For hashes which IANA hasn’t assigned a name for, this issues a warning, and then uses a heuristic to return a “best guess” name.
Returns: Hash name, returned as native str.
Deprecated since version 1.7, and will be removed in version 1.8; use passlib.crypto.digest.norm_hash_name instead.
passlib.utils.pbkdf2.get_prf(name)
Lookup pseudo-random family (PRF) by name.
Parameters:
- name – This must be the name of a recognized prf. Currently this only recognizes names with the format hmac-digest, where digest is the name of a hash function such as md5, sha256, etc.
todo: restore text about callables.
Raises:
- ValueError – if the name is not known
- TypeError – if the name is not a callable or string
Returns: a tuple of (prf_func, digest_size), where:
- prf_func is a function implementing the specified PRF, and has the signature prf_func(secret, message) -> digest.
- digest_size is an integer indicating the number of bytes the function returns.
Usage example:
>>> from passlib.utils.pbkdf2 import get_prf
>>> hmac_sha256, dsize = get_prf("hmac-sha256")
>>> hmac_sha256
<function hmac_sha256 at 0x1e37c80>
>>> dsize
32
>>> digest = hmac_sha256(b'password', b'message')
Deprecated since version 1.7: This function is deprecated, and will be removed in Passlib 2.0. The only related replacement is passlib.crypto.digest.compile_hmac().
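The following added example (not Passlib's own code) shows how a (prf_func, digest_size) pair of the kind get_prf() returns is consumed by the PBKDF2 block construction from RFC 2898, including the keylen=None default described for pbkdf2(). The names get_prf_local and pbkdf2_local are hypothetical stand-ins built only on the Python standard library, and the inputs are constructed sample values.

```python
import hashlib
import hmac
import struct


def get_prf_local(name):
    """Hypothetical stand-in for get_prf(): "hmac-<digest>" -> (prf_func, digest_size)."""
    if not isinstance(name, str):
        raise TypeError("prf name must be a string")
    if not name.startswith("hmac-"):
        raise ValueError("unknown prf algorithm: %r" % (name,))
    digest = name[5:]
    try:
        digest_size = hashlib.new(digest).digest_size
    except ValueError:
        raise ValueError("unknown prf algorithm: %r" % (name,)) from None

    def prf_func(secret, message):
        return hmac.new(secret, message, digest).digest()

    return prf_func, digest_size


def pbkdf2_local(secret, salt, rounds, keylen=None, prf="hmac-sha1"):
    """Hypothetical PBKDF2 (RFC 2898 section 5.2) with the parameter list documented above."""
    if rounds < 1:
        raise ValueError("rounds must be at least 1")
    prf_func, digest_size = get_prf_local(prf)
    if keylen is None:
        keylen = digest_size  # documented default: digest size of the selected prf
    block_count = -(-keylen // digest_size)  # ceil(keylen / digest_size)
    blocks = []
    for i in range(1, block_count + 1):
        # U_1 = PRF(secret, salt || INT_32_BE(i)); U_j = PRF(secret, U_{j-1})
        u = prf_func(secret, salt + struct.pack(">I", i))
        t = int.from_bytes(u, "big")
        for _ in range(rounds - 1):
            u = prf_func(secret, u)
            t ^= int.from_bytes(u, "big")  # T_i = U_1 xor U_2 xor ... xor U_rounds
        blocks.append(t.to_bytes(digest_size, "big"))
    return b"".join(blocks)[:keylen]


if __name__ == "__main__":
    # Constructed sample inputs; cross-check against the standard library.
    key = pbkdf2_local(b"password", b"salt", 2, 40, "hmac-sha256")
    assert hmac.compare_digest(key, hashlib.pbkdf2_hmac("sha256", b"password", b"salt", 2, 40))
    print(key.hex())
```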