SHA1 use in PBKDF2

“When initialized with a passphrase SQLCipher derives the key data using PBKDF2 (OpenSSL’s PKCS5_PBKDF2_HMAC_SHA1).”

s it possible to configure it to use SHA2?

Hello @drcrypto

We do not provide a means to change the KDF used within SQLCipher at runtime. That said, it would likely be prudent to use a KDF if you wished to replace PBKDF2 as opposed to a hashing function like SHA-2 as a KDF will contain some form of random properties to it.

Sorry, what I meant is can SHA256 be used instead of SHA1 within the PKDF2?

Hello @drcrypto - It’s technically possible to do this, but it would require changes to the crypto provider interface that SQLCipher is using. You’d need to implement your own PBKDF2-HMAC-SHA256 routine, and then substitute it in a custom provider.

That said, within the context of PBKDF2 or HMAC, SHA1 is still quite suitable from a security standpoint. The only tangible benefit to changing to SHA256 is that it is slower than SHA1. However, that is somewhat offset by the fact that PBKDF2 invokes twice the number of operations to create a 256 bit key using SHA1 vs. SHA256. Furthermore, SQLCipher allows you to change the number of PBKDF2 iterations to compensate for growing hash rates. Finally, there are several downsides to changing the hash implementation, e.g.

  1. Changing to SHA256 it would impact compatibility with existing databases
  2. PBKDF2-HMAC-SHA256 is not implemented universally in the cryptographic modules we support (e.g. CommonCrypto, libtomcrypt), making interoperability difficult and potentially adding dependencies

As such, this is not something that we have planned for implementation in the short term, though we might consider it in the future. If I might ask, what is the primary reason you are interested in changing the hash algorithm behind PBKDF2?

Hi @drcrypto

Ah, in that case you could likely adjust the call to PKCS5_PBKDF2_HMAC and provide EVP_sha256() as the digest.

It has been three years since your last reply. Just being curious, Is there is any near future plans to introduce PBKDF2-HMAC-SHA256 or other key derivation function? or a PRAGMA may be so that we can open both old and new databases?

Hello @seema yes, we still have plans to support larger hash constructs in the future, e.g. SHA256. This wouldn’t be until a SQLCipher 4 release however.

That is a great news! Can you tell me a rough estimate when SQLCipher 4 beta will likely to happen.

As of the SQLCipher 4 release, HMAC-SHA512 and PBKDF2-HMAC-SHA512 are the defaults. It is possible to use HMAC-SHA256and PBKDF2-HMAC-SHA256 via PRAGMA as well. SHA1 support is still available to support older database formats and data migration scenarios.