crypto.pbkdf2Sync(password, salt, iterations, keylen, digest)

版本历史

版本	变更
v14.0.0	参数 `iterations` 现在限制为正值。早期版本将其他值视为一。
v6.0.0	现在不推荐在不传入 `digest` 参数的情况下调用此函数，并将触发警告。
v6.0.0	`password` 的默认编码，如果它是从 `binary` 更改为 `utf8` 的字符串。
v0.9.3	新增于: v0.9.3

password <string> | <Buffer> | <TypedArray> | <DataView>
salt <string> | <Buffer> | <TypedArray> | <DataView>
iterations <number>
keylen <number>
digest <string>
返回: <Buffer>

提供同步的基于密码的密钥派生函数 2 (PBKDF2) 实现。应用由 digest 指定的选定 HMAC 摘要算法以从 password、salt 和 iterations 导出请求字节长度 (keylen) 的密钥。

如果发生错误，将抛出 Error，否则派生密钥将作为 Buffer 返回。

iterations 参数必须是尽可能高的数字。迭代次数越多，派生密钥就越安全，但需要更长的时间才能完成。

salt 应该尽可能唯一。建议盐是随机的，长度至少为 16 字节。有关详细信息，请参阅 NIST SP 800-132。

当为 password 或 salt 传入字符串时，请考虑到当使用字符串作为加密 API 输入时的注意事项。

const {
  pbkdf2Sync,
} = await import('node:crypto');

const key = pbkdf2Sync('secret', 'salt', 100000, 64, 'sha512');
console.log(key.toString('hex'));  // '3745e48...08d59ae'const {
  pbkdf2Sync,
} = require('node:crypto');

const key = pbkdf2Sync('secret', 'salt', 100000, 64, 'sha512');
console.log(key.toString('hex'));  // '3745e48...08d59ae'

crypto.DEFAULT_ENCODING 属性可用于更改返回 derivedKey 的方式。但是，此属性已被弃用，应避免使用。

import crypto from 'node:crypto';
crypto.DEFAULT_ENCODING = 'hex';
const key = crypto.pbkdf2Sync('secret', 'salt', 100000, 512, 'sha512');
console.log(key);  // '3745e48...aa39b34'const crypto = require('node:crypto');
crypto.DEFAULT_ENCODING = 'hex';
const key = crypto.pbkdf2Sync('secret', 'salt', 100000, 512, 'sha512');
console.log(key);  // '3745e48...aa39b34'

可以使用 crypto.getHashes() 检索支持的摘要函数数组。

History

Version	Changes
v14.0.0	The `iterations` parameter is now restricted to positive values. Earlier releases treated other values as one.
v6.0.0	Calling this function without passing the `digest` parameter is deprecated now and will emit a warning.
v6.0.0	The default encoding for `password` if it is a string changed from `binary` to `utf8`.
v0.9.3	Added in: v0.9.3

password <string> | <Buffer> | <TypedArray> | <DataView>
salt <string> | <Buffer> | <TypedArray> | <DataView>
iterations <number>
keylen <number>
digest <string>
Returns: <Buffer>

Provides a synchronous Password-Based Key Derivation Function 2 (PBKDF2) implementation. A selected HMAC digest algorithm specified by digest is applied to derive a key of the requested byte length (keylen) from the password, salt and iterations.

If an error occurs an Error will be thrown, otherwise the derived key will be returned as a Buffer.

The iterations argument must be a number set as high as possible. The higher the number of iterations, the more secure the derived key will be, but will take a longer amount of time to complete.

The salt should be as unique as possible. It is recommended that a salt is random and at least 16 bytes long. See NIST SP 800-132 for details.

When passing strings for password or salt, please consider caveats when using strings as inputs to cryptographic APIs.

const {
  pbkdf2Sync,
} = await import('node:crypto');

const key = pbkdf2Sync('secret', 'salt', 100000, 64, 'sha512');
console.log(key.toString('hex'));  // '3745e48...08d59ae'const {
  pbkdf2Sync,
} = require('node:crypto');

const key = pbkdf2Sync('secret', 'salt', 100000, 64, 'sha512');
console.log(key.toString('hex'));  // '3745e48...08d59ae'

The crypto.DEFAULT_ENCODING property may be used to change the way the derivedKey is returned. This property, however, is deprecated and use should be avoided.

import crypto from 'node:crypto';
crypto.DEFAULT_ENCODING = 'hex';
const key = crypto.pbkdf2Sync('secret', 'salt', 100000, 512, 'sha512');
console.log(key);  // '3745e48...aa39b34'const crypto = require('node:crypto');
crypto.DEFAULT_ENCODING = 'hex';
const key = crypto.pbkdf2Sync('secret', 'salt', 100000, 512, 'sha512');
console.log(key);  // '3745e48...aa39b34'

An array of supported digest functions can be retrieved using crypto.getHashes().