There are test vectors for PBKDF2-HMAC-SHA1 in RFC6070. There are test vectors for HMAC-SHA2 in RFC4231.
But so far I haven't found test vectors for PBKDF2-HMAC-SHA2 anywhere.
I'm most interested in SHA256, so I'll post some vectors I calculated with my implementation. I'd be happy if someone could verify/confirm them, or contribute their own.
On
Test vectors for PBKDF2-HMAC-SHA256:
Input values were taken from RFC6070; c is the number of rounds.
Input:
P = "password" (8 octets)
S = "salt" (4 octets)
c = 1
dkLen = 20
Output:
DK = 12 0f b6 cf fc f8 b3 2c 43 e7 22 52 56 c4 f8 37 a8 65 48 c9
Input:
P = "password" (8 octets)
S = "salt" (4 octets)
c = 2
dkLen = 20
Output:
DK = ae 4d 0c 95 af 6b 46 d3 2d 0a df f9 28 f0 6d d0 2a 30 3f 8e
Input:
P = "password" (8 octets)
S = "salt" (4 octets)
c = 4096
dkLen = 20
Output:
DK = c5 e4 78 d5 92 88 c8 41 aa 53 0d b6 84 5c 4c 8d 96 28 93 a0
Input:
P = "password" (8 octets)
S = "salt" (4 octets)
c = 16777216
dkLen = 20
Output:
DK = cf 81 c6 6f e8 cf c0 4d 1f 31 ec b6 5d ab 40 89 f7 f1 79 e8
Input:
P = "passwordPASSWORDpassword" (24 octets)
S = "saltSALTsaltSALTsaltSALTsaltSALTsalt" (36 octets)
c = 4096
dkLen = 25
Output:
DK = 34 8c 89 db cb d3 2b 2f 32 d8 14 b8 11 6e 84 cf
2b 17 34 7e bc 18 00 18 1c
Input:
P = "pass\0word" (9 octets)
S = "sa\0lt" (5 octets)
c = 4096
dkLen = 16
Output:
DK = 89 b6 9d 05 16 f8 29 89 3c 69 62 26 65 0a 86 87
As part of RFC-7914 (scrypt specifications) there are test vectors provided for PBKDF2 with HMAC-SHA-256 (since scrypt uses PBKDF2 internally).
Here they are:
PBKDF2-HMAC-SHA-256 (P="passwd", S="salt",
c=1, dkLen=64) =
55 ac 04 6e 56 e3 08 9f ec 16 91 c2 25 44 b6 05
f9 41 85 21 6d de 04 65 e6 8b 9d 57 c2 0d ac bc
49 ca 9c cc f1 79 b6 45 99 16 64 b3 9d 77 ef 31
7c 71 b8 45 b1 e3 0b d5 09 11 20 41 d3 a1 97 83
PBKDF2-HMAC-SHA-256 (P="Password", S="NaCl",
c=80000, dkLen=64) =
4d dc d8 f6 0b 98 be 21 83 0c ee 5e f2 27 01 f9
64 1a 44 18 d0 4c 04 14 ae ff 08 87 6b 34 ab 56
a1 d4 25 a1 22 58 33 54 9a db 84 1b 51 c9 b3 17
6a 27 2b de bb a1 d0 78 47 8f 62 b3 97 f3 3c 8d
Interestingly, dkLen goes over 32 (the size of a SHA-256 block), so it does test that the concatenation of the intermediate hash blocks works.
On
I should probably finally post what I did awhile ago based on this very question!
At my Github repository, I have compiled test vectors for
Tests started with RFC6070 and those in the answer by @ChristianAichinger above for PBKDF2-HMAC-SHA-256, and added a few dozen more to implement more stringent tests, such as boundary conditions around certain sizes of password and salt (15/16/17 bytes, 63/64/65 bytes, 127/128/129 bytes, 1025 bytes etc.), large iteration counts, large output size counts, and so on and so forth.
I then gathered up many instances of PBKDF2, and validated these test vectors against every major implementation I was able to find (all also included in the above repository, sometimes including Windows MinGW executables and generally including Linux compilation instructions), including
Given that I'm seeing identical results across 7 implementations using 5 different languages using multiple major cryptographic libraries, I'm extremely confident that not only are the test vectors provided accurate, but that the implementations provided can be used as a set to validate any other test vector set desired. If they all agree, then it's correct.
I implemented PBKDF2 using the standard hashlib and hmac modules in Python and checked the output against both the RFC 6070 vectors and the vectors you posted – it matches.
Here are the vectors I get with a larger
dkLento match the larger digest output size. This is the output ofpbkdf2-test-vectors.py sha256, which takes about 10 minutes to run.