crypto.pbkdf2(password, salt, iterations, keylen, digest, callback)
password <string> | <Buffer> | <TypedArray> | <DataView>
salt <string> | <Buffer> | <TypedArray> | <DataView>
iterations <number>
keylen <number>
digest <string>
callback <Function>

Provides an asynchronous Password-Based Key Derivation Function 2 (PBKDF2) implementation. A selected HMAC digest algorithm specified by digest is applied to derive a key of the requested byte length (keylen) from the password, salt and iterations.

The supplied callback function is called with two arguments: err and derivedKey. If an error occurs while deriving the key, err will be set; otherwise err will be null. By default, the successfully generated derivedKey will be passed to the callback as a Buffer. An error will be thrown if any of the input arguments specify invalid values or types.

If digest is null, 'sha1' will be used. This behavior is deprecated, please specify a digest explicitly.

The iterations argument must be a number set as high as possible. The higher the number of iterations, the more secure the derived key will be, but the longer the derivation will take to complete.

The salt should be as unique as possible. It is recommended that a salt is random and at least 16 bytes long. See NIST SP 800-132 for details.

const crypto = require('crypto');
crypto.pbkdf2('secret', 'salt', 100000, 64, 'sha512', (err, derivedKey) => {
  if (err) throw err;
  console.log(derivedKey.toString('hex'));  // '3745e48...08d59ae'
});

The crypto.DEFAULT_ENCODING property can be used to change the way the derivedKey is passed to the callback. This property, however, has been deprecated and use should be avoided.

const crypto = require('crypto');
crypto.DEFAULT_ENCODING = 'hex';
crypto.pbkdf2('secret', 'salt', 100000, 512, 'sha512', (err, derivedKey) => {
  if (err) throw err;
  console.log(derivedKey);  // '3745e48...aa39b34'
});

An array of supported digest functions can be retrieved using crypto.getHashes().

This API uses libuv's threadpool, which can have surprising and negative performance implications for some applications; see the UV_THREADPOOL_SIZE documentation for more information.
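
An added example (not part of the Node.js documentation) that applies the guidance above to password storage: a fresh random 16-byte salt per password, an explicit digest, parameters stored with the hash, and a constant-time comparison on verify. The record format, the limits, and the names hashPassword, verifyPassword, needsRehash, PARAMS, ALLOWED_DIGESTS and MAX_ITERATIONS are assumptions made for this example.

```javascript
const crypto = require('crypto');
const { promisify } = require('util');
const pbkdf2 = promisify(crypto.pbkdf2);

// Assumed policy for this example; raise iterations as far as your latency budget allows.
const PARAMS = { iterations: 100000, keylen: 64, digest: 'sha512', saltBytes: 16 };
const ALLOWED_DIGESTS = ['sha256', 'sha512']; // never rely on the deprecated null -> 'sha1' default
const MAX_ITERATIONS = 10000000;              // refuse absurd work factors from a tampered record

// Returns "pbkdf2$<digest>$<iterations>$<salt hex>$<key hex>" (constructed format).
async function hashPassword(password, params = PARAMS) {
  const salt = crypto.randomBytes(params.saltBytes); // fresh random salt per password
  const key = await pbkdf2(password, salt, params.iterations, params.keylen, params.digest);
  return ['pbkdf2', params.digest, params.iterations,
          salt.toString('hex'), key.toString('hex')].join('$');
}

// Re-derives with the parameters stored in the record and compares in constant time.
async function verifyPassword(password, record) {
  const parts = String(record).split('$');
  if (parts.length !== 5 || parts[0] !== 'pbkdf2') return false;
  const [, digest, iterStr, saltHex, keyHex] = parts;
  const iterations = Number(iterStr);
  if (!ALLOWED_DIGESTS.includes(digest)) return false;
  if (!Number.isSafeInteger(iterations) || iterations < 1 || iterations > MAX_ITERATIONS) return false;
  const salt = Buffer.from(saltHex, 'hex');
  const expected = Buffer.from(keyHex, 'hex');
  if (expected.length === 0) return false;
  // Same length as the stored key, so timingSafeEqual never throws on a length mismatch.
  const actual = await pbkdf2(password, salt, iterations, expected.length, digest);
  return crypto.timingSafeEqual(actual, expected);
}

// True when a record was created under weaker parameters than the current policy.
function needsRehash(record, params = PARAMS) {
  const [, digest, iterStr] = String(record).split('$');
  return digest !== params.digest || Number(iterStr) < params.iterations;
}
```

Call needsRehash after a successful verifyPassword and, when it returns true, store a new record from hashPassword so older hashes migrate as the iteration count is raised.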