array ( 0 => 'index.php', 1 => 'PHP Manual', ), 'head' => array ( 0 => 'UTF-8', 1 => 'en', ), 'this' => array ( 0 => 'function.openssl-pbkdf2.php', 1 => 'openssl_pbkdf2', 2 => 'Generates a PKCS5 v2 PBKDF2 string', ), 'up' => array ( 0 => 'ref.openssl.php', 1 => 'OpenSSL Functions', ), 'prev' => array ( 0 => 'function.openssl-password-verify.php', 1 => 'openssl_password_verify', ), 'next' => array ( 0 => 'function.openssl-pkcs12-export.php', 1 => 'openssl_pkcs12_export', ), 'alternatives' => array ( ), 'source' => array ( 'lang' => 'en', 'path' => 'reference/openssl/functions/openssl-pbkdf2.xml', ), 'history' => array ( ), ); $setup["toc"] = $TOC; $setup["toc_deprecated"] = $TOC_DEPRECATED; $setup["parents"] = $PARENTS; manual_setup($setup); contributors($setup); ?>

openssl_pbkdf2

(PHP 5 >= 5.5.0, PHP 7, PHP 8)

openssl_pbkdf2Generates a PKCS5 v2 PBKDF2 string

Description

openssl_pbkdf2(
    #[\SensitiveParameter] string $password,
    string $salt,
    int $key_length,
    int $iterations,
    string $digest_algo = "sha1"
): string|false

openssl_pbkdf2() computes PBKDF2 (Password-Based Key Derivation Function 2), a key derivation function defined in PKCS5 v2.

Parameters

password

Password from which the derived key is generated.

salt

PBKDF2 recommends a crytographic salt of at least 128 bits (16 bytes).

key_length

Length of desired output key.

iterations

The number of iterations desired. » NIST recommends at least 1,000. As of 2023, OWASP recommends 600,000 iterations for PBKDF2-HMAC-SHA256 and 210,000 for PBKDF2-HMAC-SHA512.

digest_algo

Optional hash or digest algorithm from openssl_get_md_methods(). Defaults to SHA-1. It is recommended to set it to SHA-256 or SHA-512.

Return Values

Returns raw binary string or false on failure.

Examples

Example #1 openssl_pbkdf2() example

<?php
$password = 'password';
$salt = openssl_random_pseudo_bytes(16);
$keyLength = 20;
$iterations = 600000;
$generated_key = openssl_pbkdf2($password, $salt, $keyLength, $iterations, 'sha256');
echo bin2hex($generated_key)."\n";
echo base64_encode($generated_key)."\n";
?>

See Also