openssl_pbkdf2
Generates a PKCS5 v2 PBKDF2 string
Description
stringfalse openssl_pbkdf2(
#[\SensitiveParameter]string $password,
string $salt,
int $key_length,
int $iterations,
string $digest_algo = "sha1"
)
Parameters
-
password
-
Password from which the derived key is generated.
-
salt
-
PBKDF2 recommends a crytographic salt of at least 128 bits (16 bytes).
-
key_length
-
Length of desired output key.
-
iterations
-
The number of iterations desired.
» NIST
recommends at least 1,000. As of 2023, OWASP recommends 600,000 iterations for
PBKDF2-HMAC-SHA256 and 210,000 for PBKDF2-HMAC-SHA512.
-
digest_algo
-
Optional hash or digest algorithm from openssl_get_md_methods. Defaults
to SHA-1. It is recommended to set it to SHA-256 or SHA-512.
Return Values
Returns raw binary string or false on failure.
Examples
Example #1 openssl_pbkdf2() example
<?php
$password = 'password';
$salt = openssl_random_pseudo_bytes(16);
$keyLength = 20;
$iterations = 600000;
$generated_key = openssl_pbkdf2($password, $salt, $keyLength, $iterations, 'sha256');
echo bin2hex($generated_key)."\n";
echo base64_encode($generated_key)."\n";
?>
See Also
- hash_pbkdf2
- openssl_get_md_methods