crypto.pbkdf2() Method in Node.js

The crypto.pbkdf2() method in Node.js implements the Password-Based Key Derivation Function 2 (PBKDF2) algorithm. It derives a cryptographic key from a password using a salt and multiple iterations to enhance security against brute-force attacks.

Syntax

crypto.pbkdf2(password, salt, iterations, keylen, digest, callback)

Parameters

The parameters are described as follows:

  • password - The password string used for key derivation. Accepts string, Buffer, TypedArray, or DataView.

  • salt - A cryptographic salt to prevent rainbow table attacks. Same types as password.

  • iterations - Number of iterations to perform. Higher values increase security but take more time.

  • keylen - The desired byte length of the derived key (number).

  • digest - The hash algorithm to use (default: 'sha1'). Common values: 'sha256', 'sha512'.

  • callback - Function called with (err, derivedKey) when operation completes.

Basic Example

// Importing the crypto module
const crypto = require('crypto');

// Basic PBKDF2 key derivation
crypto.pbkdf2('secret', 'salt', 100000, 64, 'sha512', (err, derivedKey) => {
    if (err) throw err;
    console.log("Key Derived:", derivedKey.toString('hex'));
});
Key Derived: 3745e482c6e0ade35da10139e797157f4a5da669dad7d5da88ef87e47471cc47ed941c7ad618e827304f083f8707f12b7cfdd5f489b782f10cc269e3c08d59ae

Multiple Output Formats

// Importing the crypto module
const crypto = require('crypto');

// PBKDF2 with different output formats
crypto.pbkdf2('secret', 'salt', 100, 64, 'sha1', (err, derivedKey) => {
    if (err) throw err;
    
    console.log("Key as Buffer:", derivedKey);
    console.log("Key in hex:", derivedKey.toString('hex'));
    console.log("Key in base64:", derivedKey.toString('base64'));
});
Key as Buffer: 
Key in hex: b73635f7c0882e1fc3ba6e29b14af1274df84828b4d18fcc222eb574455f505d3d2319132d84e191a783e200734e374a24b62cfab65dfb5e9dc28ae147072419
Key in base64: tzY198CILh/Dum4psUrxJ034SCi00Y/MIi61dEVfUF09IxkTLYThkaeD4gBzTjdKJLYs+rZd+16dworhRwckGQ==

Secure Password Hashing Example

const crypto = require('crypto');

// Generate random salt for better security
const salt = crypto.randomBytes(16);

crypto.pbkdf2('userPassword123', salt, 100000, 32, 'sha256', (err, derivedKey) => {
    if (err) throw err;
    
    console.log("Salt:", salt.toString('hex'));
    console.log("Derived Key:", derivedKey.toString('hex'));
    console.log("Key length:", derivedKey.length, "bytes");
});
Salt: a1b2c3d4e5f6789012345678901234ab
Derived Key: 8f2a3b4c5d6e7f8091a2b3c4d5e6f708192a3b4c5d6e7f8091a2b3c4d5e6f708
Key length: 32 bytes

Key Points

  • Security: Use high iteration counts (100,000+) and random salts for password storage

  • Performance: Higher iterations increase security but reduce performance

  • Algorithm: SHA-256 or SHA-512 are preferred over SHA-1 for new applications

  • Salt: Always use unique, random salts for each password

Conclusion

The crypto.pbkdf2() method is essential for secure password hashing and key derivation. Use high iteration counts and random salts to maximize security against attacks.

Updated on: 2026-03-15T23:19:00+05:30
