solve for the 40-bit key. In the case that 40-bit key is the first
half of the 80-bit key, the opponent can then readily solve for the
remaining 40 bits of the 80-bit key.
To defend against such attacks, either the interaction between
multiple uses of the same key should be carefully analyzed, or the
salt should contain data that explicitly distinguishes between
different operations. For instance, the salt might have an
additional, non-random octet that specifies whether the derived key
is for encryption, for message authentication, or for some other
operation.
Based on this, the following is recommended for salt selection:
1. If there is no concern about interactions between multiple uses
of the same key (or a prefix of that key) with the password-
based encryption and authentication techniques supported for a
given password, then the salt may be generated at random and
need not be checked for a particular format by the party
receiving the salt. It should be at least eight octets (64
bits) long.
2. Otherwise, the salt should contain data that explicitly
distinguishes between different operations and different key
lengths, in addition to a random part that is at least eight
octets long, and this data should be checked or regenerated by
the party receiving the salt. For instance, the salt could have
an additional non-random octet that specifies the purpose of
the derived key. Alternatively, it could be the encoding of a
structure that specifies detailed information about the derived
key, such as the encryption or authentication technique and a
sequence number among the different keys derived from the
password. The particular format of the additional data is left
to the application.
Note. If a random number generator or pseudorandom generator is not
available, a deterministic alternative for generating the salt (or
the random part of it) is to apply a password-based key derivation
function to the password and the message M to be processed. For
instance, the salt could be computed with a key derivation function
as S = KDF (P, M). This approach is not recommended if the message M
Kaliski Informational [Page 7]
RFC 2898 Password-Based Cryptography September 2000
is known to belong to a small message space (e.g., "Yes" or "No"),
however, since then there will only be a small number of possible
salts.
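The interaction that motivates recommendation 2 can be seen directly with PBKDF2 (Section 5.2): for a fixed password, salt and iteration count, a short derived key is a prefix of a longer one, so a 40-bit MAC key and an 80-bit encryption key derived from the same salt overlap exactly as described above. The following is an added example, not text or code from this document. It uses hashlib.pbkdf2_hmac from the Python standard library as the PBKDF2 with HMAC-SHA-1, and the salt layout (random part, one purpose octet, two octets of key length) and the purpose codes are an assumed, application-chosen encoding, since the format of the additional data is left to the application.

```python
import hashlib
import os

# Added example (not part of RFC 2898). PURPOSE_* codes and the salt layout
# below are an assumed application encoding; the RFC leaves the format open.
ITERATIONS = 1000          # the minimum recommended in Section 4.2
PURPOSE_ENCRYPT = 0x01     # assumed application code
PURPOSE_MAC = 0x02         # assumed application code


def derive_plain(password: bytes, salt: bytes, dk_len: int) -> bytes:
    """Recommendation 1: a random salt with no purpose data (PBKDF2-HMAC-SHA1)."""
    return hashlib.pbkdf2_hmac("sha1", password, salt, ITERATIONS, dk_len)


def structured_salt(random_part: bytes, purpose: int, dk_len: int) -> bytes:
    """Recommendation 2: random part (>= 8 octets) || purpose octet || dkLen (2 octets, big-endian)."""
    if len(random_part) < 8:
        raise ValueError("random part of the salt must be at least eight octets")
    if not 0 <= purpose <= 0xFF:
        raise ValueError("purpose must fit in one octet")
    if not 0 < dk_len <= 0xFFFF:
        raise ValueError("dkLen must fit in two octets")
    return random_part + bytes([purpose]) + dk_len.to_bytes(2, "big")


def parse_structured_salt(salt: bytes):
    """What the receiving party does: check the non-random part before using the salt."""
    if len(salt) < 8 + 1 + 2:
        raise ValueError("salt too short")
    random_part = salt[:-3]
    purpose = salt[-3]
    dk_len = int.from_bytes(salt[-2:], "big")
    return random_part, purpose, dk_len


def derive_for_purpose(password: bytes, random_part: bytes, purpose: int, dk_len: int) -> bytes:
    """Derive a key whose salt binds both the purpose and the requested length."""
    salt = structured_salt(random_part, purpose, dk_len)
    # Re-parse the salt the way a receiver would, so both sides agree on the format.
    _, p, n = parse_structured_salt(salt)
    if (p, n) != (purpose, dk_len):
        raise ValueError("salt does not encode the requested purpose and length")
    return hashlib.pbkdf2_hmac("sha1", password, salt, ITERATIONS, dk_len)


def keys_overlap(k_short: bytes, k_long: bytes) -> bool:
    """True if the short key is a prefix of the long key (the situation Section 4.1 warns about)."""
    return k_long.startswith(k_short)


def demo(password: bytes = b"correct horse", random_part: bytes = None) -> dict:
    random_part = random_part if random_part is not None else os.urandom(8)
    # Same salt for both purposes: the 40-bit MAC key is a prefix of the 80-bit encryption key.
    mac_plain = derive_plain(password, random_part, 5)
    enc_plain = derive_plain(password, random_part, 10)
    # Purpose and length encoded in the salt: the two keys are unrelated.
    mac_struct = derive_for_purpose(password, random_part, PURPOSE_MAC, 5)
    enc_struct = derive_for_purpose(password, random_part, PURPOSE_ENCRYPT, 10)
    return {
        "plain_overlap": keys_overlap(mac_plain, enc_plain),
        "structured_overlap": keys_overlap(mac_struct, enc_struct),
    }


if __name__ == "__main__":
    print(demo())
```

Note that the prefix property is not a defect of PBKDF2; it is exactly what makes a salt that is shared across operations dangerous, and it is why the receiving party should check (or regenerate) the non-random part of the salt rather than trust whatever it is handed.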
4.2 Iteration Count
An iteration count has traditionally served the purpose of increasing
the cost of producing keys from a password, thereby also increasing
the difficulty of attack. For the methods in this document, a minimum
of 1000 iterations is recommended. This will increase the cost of
exhaustive search for passwords significantly, without a noticeable
impact in the cost of deriving individual keys.
5. Key Derivation Functions
A key derivation function produces a derived key from a base key and
other parameters. In a password-based key derivation function, the
base key is a password and the other parameters are a salt value and
an iteration count, as outlined in Section 3.
The primary application of the password-based key derivation
functions defined here is in the encryption schemes in Section 6 and
the message authentication scheme in Section 7. Other applications
are certainly possible, hence the independent definition of these
functions.
Two functions are specified in this section: PBKDF1 and PBKDF2.
PBKDF2 is recommended for new applications; PBKDF1 is included only
for compatibility with existing applications, and is not recommended
for new applications.
A typical application of the key derivation functions defined here
might include the following steps:
1. Select a salt S and an iteration count c, as outlined in
Section 4.
2. Select a length in octets for the derived key, dkLen.
3. Apply the key derivation function to the password, the salt,
the iteration count and the key length to produce a derived
key.
4. Output the derived key.
Any number of keys may be derived from a password by varying the
salt, as described in Section 3.
5.1 PBKDF1
PBKDF1 applies a hash function, which shall be MD2 [6], MD5 [19] or
SHA-1 [18], to derive keys. The length of the derived key is bounded
by the length of the hash function output, which is 16 octets for MD2
and MD5 and 20 octets for SHA-1. PBKDF1 is compatible with the key
derivation process in PKCS #5 v1.5.
PBKDF1 is recommended only for compatibility with existing
applications since the keys it produces may not be large enough for
some applications.
PBKDF1 (P, S, c, dkLen)
Options: Hash underlying hash function
Input: P password, an octet string
S salt, an eight-octet string
c iteration count, a positive integer
dkLen intended length in octets of derived key,
a positive integer, at most 16 for MD2 or
MD5 and 20 for SHA-1
Output: DK derived key, a dkLen-octet string
Steps:
1. If dkLen > 16 for MD2 and MD5, or dkLen > 20 for SHA-1, output
"derived key too long" and stop.
2. Apply the underlying hash function Hash for c iterations to the
concatenation of the password P and the salt S, then extract
the first dkLen octets to produce a derived key DK:
T_1 = Hash (P || S) ,
T_2 = Hash (T_1) ,
...
T_c = Hash (T_{c-1}) ,
DK = T_c<0..dkLen-1>
3. Output the derived key DK.
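The steps above, written out as an added example in Python (this is not code from the document). It uses hashlib for MD5 and SHA-1; MD2 is not available in the standard hashlib build, so it is not offered here. The eight-octet salt requirement and the dkLen bound from step 1 are enforced before hashing.

```python
import hashlib

# Added example of PBKDF1 (RFC 2898 Section 5.1); not the document's own code.
# MD2 is omitted because the Python standard library does not ship it.
_HASH_LEN = {"md5": 16, "sha1": 20}


def pbkdf1(password: bytes, salt: bytes, c: int, dk_len: int, hash_name: str = "sha1") -> bytes:
    """PBKDF1(P, S, c, dkLen) with Hash = MD5 or SHA-1."""
    if hash_name not in _HASH_LEN:
        raise ValueError("PBKDF1 hash must be md5 or sha1 (md2 not provided here)")
    if len(salt) != 8:
        raise ValueError("PBKDF1 salt must be exactly eight octets")
    if c < 1:
        raise ValueError("iteration count must be a positive integer")
    # Step 1: the derived key cannot be longer than the hash output.
    if dk_len < 1 or dk_len > _HASH_LEN[hash_name]:
        raise ValueError("derived key too long")
    # Step 2: T_1 = Hash(P || S), T_i = Hash(T_{i-1}), DK = T_c<0..dkLen-1>.
    t = hashlib.new(hash_name, password + salt).digest()
    for _ in range(c - 1):
        t = hashlib.new(hash_name, t).digest()
    # Step 3: output the first dkLen octets.
    return t[:dk_len]


def max_dk_len(hash_name: str) -> int:
    """The bound PBKDF1 places on dkLen for a given hash (16 for MD5, 20 for SHA-1)."""
    return _HASH_LEN[hash_name]


if __name__ == "__main__":
    print(pbkdf1(b"password", b"saltsalt", 1000, 16).hex())
```

Because DK is a truncation of a single hash output, PBKDF1 can never yield more than hLen octets, which is why PBES1 (Section 6.1) has to carve both the 8-octet DES key and the 8-octet IV out of one 16-octet result.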
5.2 PBKDF2
PBKDF2 applies a pseudorandom function (see Appendix B.1 for an
example) to derive keys. The length of the derived key is essentially
unbounded. (However, the maximum effective search space for the
derived key may be limited by the structure of the underlying
pseudorandom function. See Appendix B.1 for further discussion.)
PBKDF2 is recommended for new applications.
PBKDF2 (P, S, c, dkLen)
Options: PRF underlying pseudorandom function (hLen
denotes the length in octets of the
pseudorandom function output)
Input: P password, an octet string
S salt, an octet string
c iteration count, a positive integer
dkLen intended length in octets of the derived
key, a positive integer, at most
(2^32 - 1) * hLen
Output: DK derived key, a dkLen-octet string
Steps:
1. If dkLen > (2^32 - 1) * hLen, output "derived key too long" and
stop.
2. Let l be the number of hLen-octet blocks in the derived key,
rounding up, and let r be the number of octets in the last
block:
l = CEIL (dkLen / hLen) ,
r = dkLen - (l - 1) * hLen .
Here, CEIL (x) is the "ceiling" function, i.e. the smallest
integer greater than, or equal to, x.
3. For each block of the derived key apply the function F defined
below to the password P, the salt S, the iteration count c, and
the block index to compute the block:
T_1 = F (P, S, c, 1) ,
T_2 = F (P, S, c, 2) ,
...
T_l = F (P, S, c, l) ,
where the function F is defined as the exclusive-or sum of the
first c iterates of the underlying pseudorandom function PRF
applied to the password P and the concatenation of the salt S
and the block index i:
F (P, S, c, i) = U_1 \xor U_2 \xor ... \xor U_c
where
U_1 = PRF (P, S || INT (i)) ,
U_2 = PRF (P, U_1) ,
...
U_c = PRF (P, U_{c-1}) .
Here, INT (i) is a four-octet encoding of the integer i, most
significant octet first.
4. Concatenate the blocks and extract the first dkLen octets to
produce a derived key DK:
DK = T_1 || T_2 || ... || T_l<0..r-1>
5. Output the derived key DK.
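The following is an added example (not code from the document) that transcribes steps 1 through 5 above with HMAC-SHA-1 as the PRF (the example PRF of Appendix B.1) and checks the result against hashlib.pbkdf2_hmac. It also counts PRF invocations, which makes two points concrete: the cost of a derivation is c times the number of blocks l, and because each block T_i is computed independently from (P, S, c, i), a password guess can be verified from T_1 alone, so asking for dkLen larger than hLen raises the legitimate user's cost without raising the attacker's.

```python
import hashlib
import hmac

# Added example of PBKDF2 (RFC 2898 Section 5.2) with PRF = HMAC-SHA-1.
# Not the document's own code.


def int_be(i: int) -> bytes:
    """INT(i): four-octet big-endian encoding of the block index."""
    return i.to_bytes(4, "big")


def pbkdf2(password: bytes, salt: bytes, c: int, dk_len: int,
           hash_name: str = "sha1", counter: list = None) -> bytes:
    """PBKDF2(P, S, c, dkLen). If `counter` is a one-element list it is
    incremented once per PRF call so the caller can observe the cost."""
    h_len = hashlib.new(hash_name).digest_size
    if c < 1:
        raise ValueError("iteration count must be a positive integer")
    # Step 1: dkLen is bounded by (2^32 - 1) * hLen.
    if dk_len < 1 or dk_len > (2 ** 32 - 1) * h_len:
        raise ValueError("derived key too long")
    # Step 2: l = CEIL(dkLen / hLen), r = dkLen - (l - 1) * hLen.
    l = -(-dk_len // h_len)
    r = dk_len - (l - 1) * h_len

    def prf(data: bytes) -> bytes:
        if counter is not None:
            counter[0] += 1
        return hmac.new(password, data, hash_name).digest()

    def f(i: int) -> bytes:
        # F(P, S, c, i) = U_1 xor U_2 xor ... xor U_c
        u = prf(salt + int_be(i))          # U_1 = PRF(P, S || INT(i))
        result = u
        for _ in range(c - 1):
            u = prf(u)                      # U_j = PRF(P, U_{j-1})
            result = bytes(a ^ b for a, b in zip(result, u))
        return result

    # Step 3: compute T_1 .. T_l.
    blocks = [f(i) for i in range(1, l + 1)]
    # Step 4: DK = T_1 || ... || T_l<0..r-1>.
    blocks[-1] = blocks[-1][:r]
    return b"".join(blocks)


def prf_calls(c: int, dk_len: int, hash_name: str = "sha1") -> int:
    """Number of PRF invocations a derivation costs: c * CEIL(dkLen / hLen)."""
    h_len = hashlib.new(hash_name).digest_size
    return c * (-(-dk_len // h_len))


if __name__ == "__main__":
    ctr = [0]
    dk = pbkdf2(b"password", b"salt", 4096, 20, counter=ctr)
    print(dk.hex(), ctr[0])
```

The test vectors used below are the PBKDF2-HMAC-SHA1 vectors published in RFC 6070, which exercise both the single-block case (dkLen = hLen) and the multi-block case with a partial last block (dkLen = 25, so l = 2 and r = 5).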
Note. The construction of the function F follows a "belt-and-
suspenders" approach. The iterates U_i are computed recursively to
remove a degree of parallelism from an opponent; they are exclusive-
ored together to reduce concerns about the recursion degenerating
into a small set of values.
6. Encryption Schemes
An encryption scheme, in the symmetric setting, consists of an
encryption operation and a decryption operation, where the encryption
operation produces a ciphertext from a message under a key, and the
decryption operation recovers the message from the ciphertext under
the same key. In a password-based encryption scheme, the key is a
password.
A typical application of a password-based encryption scheme is a
private-key protection method, where the message contains private-key
information, as in PKCS #8. The encryption schemes defined here would
be suitable encryption algorithms in that context.
Two schemes are specified in this section: PBES1 and PBES2. PBES2 is
recommended for new applications; PBES1 is included only for
compatibility with existing applications, and is not recommended for
new applications.
6.1 PBES1
PBES1 combines the PBKDF1 function (Section 5.1) with an underlying
block cipher, which shall be either DES [15] or RC2(tm) [21] in CBC
mode [16]. PBES1 is compatible with the encryption scheme in PKCS #5
v1.5.
PBES1 is recommended only for compatibility with existing
applications, since it supports only two underlying encryption
schemes, each of which has a key size (56 or 64 bits) that may not be
large enough for some applications.
6.1.1 Encryption Operation
The encryption operation for PBES1 consists of the following steps,
which encrypt a message M under a password P to produce a ciphertext
C:
1. Select an eight-octet salt S and an iteration count c, as
outlined in Section 4.
2. Apply the PBKDF1 key derivation function (Section 5.1) to the
password P, the salt S, and the iteration count c to produce a
derived key DK of length 16 octets:
DK = PBKDF1 (P, S, c, 16) .
3. Separate the derived key DK into an encryption key K consisting
of the first eight octets of DK and an initialization vector IV
consisting of the next eight octets:
K = DK<0..7> ,
IV = DK<8..15> .
4. Concatenate M and a padding string PS to form an encoded
message EM:
EM = M || PS ,
where the padding string PS consists of 8-(||M|| mod 8) octets
each with value 8-(||M|| mod 8). The padding string PS will
satisfy one of the following statements:
PS = 01, if ||M|| mod 8 = 7 ;
PS = 02 02, if ||M|| mod 8 = 6 ;
...
PS = 08 08 08 08 08 08 08 08, if ||M|| mod 8 = 0.
The length in octets of the encoded message will be a multiple
of eight and it will be possible to recover the message M
unambiguously from the encoded message. (This padding rule is
taken from RFC 1423 [3].)
5. Encrypt the encoded message EM with the underlying block cipher
(DES or RC2) in cipher block chaining mode under the encryption
key K with initialization vector IV to produce the ciphertext
C. For DES, the key K shall be considered as a 64-bit encoding
of a 56-bit DES key with parity bits ignored (see [9]). For
RC2, the "effective key bits" shall be 64 bits.
6. Output the ciphertext C.
The salt S and the iteration count c may be conveyed to the party
performing decryption in an AlgorithmIdentifier value (see Appendix
A.3).
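Steps 1 through 4 of the encryption operation, together with the strict unpadding a decryptor has to perform to invert step 4, as an added example (not the document's code). Single DES is not in the Python standard library, so the DES-CBC call of step 5 is not reproduced; what is shown is the part where PBES1 implementations go wrong in practice: the K/IV split from the 16-octet PBKDF1 output, and the RFC 1423 padding, which must be checked octet by octet rather than trusting the last octet alone. Two caveats follow directly from the construction: the IV is a deterministic function of (P, S, c), so reusing a salt under the same password reuses the IV, and a decryptor that reports "bad padding" differently from other failures gives an attacker a padding oracle.

```python
import hashlib
import os

# Added example for RFC 2898 Section 6.1.1 (PBES1), steps 1-4 and the
# inverse of step 4. Not the document's own code; DES-CBC itself is omitted.
BLOCK = 8


def pbkdf1_sha1(password: bytes, salt: bytes, c: int, dk_len: int = 16) -> bytes:
    """PBKDF1 with SHA-1 (Section 5.1); PBES1 always asks for dkLen = 16."""
    if len(salt) != 8:
        raise ValueError("PBES1 salt must be eight octets")
    if c < 1 or not 1 <= dk_len <= 20:
        raise ValueError("bad iteration count or dkLen")
    t = hashlib.sha1(password + salt).digest()
    for _ in range(c - 1):
        t = hashlib.sha1(t).digest()
    return t[:dk_len]


def new_salt() -> bytes:
    """Step 1: an eight-octet random salt."""
    return os.urandom(8)


def pbes1_key_iv(password: bytes, salt: bytes, c: int):
    """Steps 2-3: DK = PBKDF1(P, S, c, 16); K = DK<0..7>, IV = DK<8..15>."""
    dk = pbkdf1_sha1(password, salt, c, 16)
    return dk[:8], dk[8:16]


def pad(m: bytes) -> bytes:
    """Step 4: EM = M || PS, PS = n octets of value n, n = 8 - (|M| mod 8) in 1..8."""
    n = BLOCK - (len(m) % BLOCK)
    return m + bytes([n]) * n


def is_valid_padding(em: bytes) -> bool:
    """Check length, the pad value and every pad octet (not just the last one)."""
    if not em or len(em) % BLOCK:
        return False
    n = em[-1]
    return 1 <= n <= BLOCK and em[-n:] == bytes([n]) * n


def unpad(em: bytes) -> bytes:
    """Inverse of step 4; rejects anything that is not a well-formed EM."""
    if not is_valid_padding(em):
        raise ValueError("bad padding")
    return em[:-em[-1]]


if __name__ == "__main__":
    k, iv = pbes1_key_iv(b"password", new_salt(), 1000)
    print(k.hex(), iv.hex(), pad(b"Yes").hex())
```

With K and IV in hand, step 5 is a plain DES-CBC (or RC2-CBC with 64 effective key bits) encryption of EM; the unpad function above is what the decryptor applies to the CBC output, and its result should be treated as a single "decryption failed" condition rather than distinguished from other errors.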