rfc2898.txt
6.1.2 Decryption Operation
The decryption operation for PBES1 consists of the following steps,
which decrypt a ciphertext C under a password P to recover a message
M:
1. Obtain the eight-octet salt S and the iteration count c.
2. Apply the PBKDF1 key derivation function (Section 5.1) to the
password P, the salt S, and the iteration count c to produce a
derived key DK of length 16 octets:
DK = PBKDF1 (P, S, c, 16)
3. Separate the derived key DK into an encryption key K consisting
of the first eight octets of DK and an initialization vector IV
consisting of the next eight octets:
K = DK<0..7> ,
IV = DK<8..15> .
4. Decrypt the ciphertext C with the underlying block cipher (DES
or RC2) in cipher block chaining mode under the encryption key
K with initialization vector IV to recover an encoded message
EM. If the length in octets of the ciphertext C is not a
multiple of eight, output "decryption error" and stop.
5. Separate the encoded message EM into a message M and a padding
string PS:
Kaliski Informational [Page 13]
RFC 2898 Password-Based Cryptography September 2000
EM = M || PS ,
where the padding string PS consists of some number psLen
octets each with value psLen, where psLen is between 1 and 8.
If it is not possible to separate the encoded message EM in
this manner, output "decryption error" and stop.
6. Output the recovered message M.
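As an added worked example (not code from RFC 2898 itself), the following Python implements the PBES1 decryption steps that can be shown with the standard library alone: PBKDF1 as defined in Section 5.1 (T_1 = Hash(P || S), T_i = Hash(T_{i-1}), DK = the first dkLen octets), the K / IV split of step 3, the ciphertext-length check of step 4, and the padding separation of step 5. The block cipher of step 4 is passed in by the caller as `cbc_decrypt(key, iv, ciphertext)`, an assumed interface, because the Python standard library ships neither DES nor RC2. The hash is MD5 by default (MD2 and SHA-1 are the other PBES1 choices); every failure path raises the same "decryption error" so that callers cannot tell a bad length from bad padding by the exception alone.

```python
import hashlib


class DecryptionError(Exception):
    """The single error the scheme is allowed to report: "decryption error"."""


def pbkdf1(password: bytes, salt: bytes, count: int, dk_len: int, hash_name: str = "md5") -> bytes:
    """PBKDF1 (RFC 2898, Section 5.1).

    T_1 = Hash(P || S), T_i = Hash(T_{i-1}) for i = 2..c, DK = T_c<0..dkLen-1>.
    dkLen may not exceed the hash output length (16 for MD5, 20 for SHA-1).
    """
    if len(salt) != 8:
        raise ValueError("PBES1 requires an eight-octet salt")
    if count < 1:
        raise ValueError("iteration count must be at least 1")
    if dk_len > hashlib.new(hash_name).digest_size:
        raise ValueError("derived key too long")
    t = hashlib.new(hash_name, password + salt).digest()   # T_1
    for _ in range(count - 1):                             # T_2 .. T_c
        t = hashlib.new(hash_name, t).digest()
    return t[:dk_len]


def pbes1_key_iv(password: bytes, salt: bytes, count: int, hash_name: str = "md5"):
    """Steps 2 and 3: DK = PBKDF1(P, S, c, 16); K = DK<0..7>, IV = DK<8..15>."""
    dk = pbkdf1(password, salt, count, 16, hash_name)
    return dk[:8], dk[8:16]


def pbes1_separate(em: bytes) -> bytes:
    """Step 5: EM = M || PS, where PS is psLen octets each of value psLen, 1 <= psLen <= 8."""
    if not em:
        raise DecryptionError("decryption error")
    ps_len = em[-1]
    if not 1 <= ps_len <= 8:
        raise DecryptionError("decryption error")
    if em[-ps_len:] != bytes([ps_len]) * ps_len:
        raise DecryptionError("decryption error")
    return em[:-ps_len]


def pbes1_decrypt(password: bytes, salt: bytes, count: int, ciphertext: bytes,
                  cbc_decrypt, hash_name: str = "md5") -> bytes:
    """Steps 1-6 of PBES1 decryption.

    cbc_decrypt(key, iv, ciphertext) -> EM is an assumed caller-supplied
    DES-CBC or RC2-CBC primitive standing in for step 4.
    """
    if len(ciphertext) % 8 != 0:                    # step 4 length check
        raise DecryptionError("decryption error")
    key, iv = pbes1_key_iv(password, salt, count, hash_name)
    em = cbc_decrypt(key, iv, ciphertext)           # step 4
    return pbes1_separate(em)                       # step 5, then step 6
```

The sample inputs used in the check below are constructed; with a real DES-CBC primitive in place of the identity stand-in, `pbes1_decrypt` performs the complete operation.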
6.2 PBES2
PBES2 combines a password-based key derivation function, which shall
be PBKDF2 (Section 5.2) for this version of PKCS #5, with an
underlying encryption scheme (see Appendix B.2 for examples). The key
length and any other parameters for the underlying encryption scheme
depend on the scheme.
PBES2 is recommended for new applications.
6.2.1 Encryption Operation
The encryption operation for PBES2 consists of the following steps,
which encrypt a message M under a password P to produce a ciphertext
C, applying a selected key derivation function KDF and a selected
underlying encryption scheme:
1. Select a salt S and an iteration count c, as outlined in
Section 4.
2. Select the length in octets, dkLen, for the derived key for the
underlying encryption scheme.
3. Apply the selected key derivation function to the password P,
the salt S, and the iteration count c to produce a derived key
DK of length dkLen octets:
DK = KDF (P, S, c, dkLen) .
4. Encrypt the message M with the underlying encryption scheme
under the derived key DK to produce a ciphertext C. (This step
may involve selection of parameters such as an initialization
vector and padding, depending on the underlying scheme.)
5. Output the ciphertext C.
The salt S, the iteration count c, the key length dkLen, and
identifiers for the key derivation function and the underlying
encryption scheme may be conveyed to the party performing decryption
in an AlgorithmIdentifier value (see Appendix A.4).
6.2.2 Decryption Operation
The decryption operation for PBES2 consists of the following steps,
which decrypt a ciphertext C under a password P to recover a message
M:
1. Obtain the salt S for the operation.
2. Obtain the iteration count c for the key derivation function.
3. Obtain the key length in octets, dkLen, for the derived key for
the underlying encryption scheme.
4. Apply the selected key derivation function to the password P,
the salt S, and the iteration count c to produce a derived key
DK of length dkLen octets:
DK = KDF (P, S, c, dkLen) .
5. Decrypt the ciphertext C with the underlying encryption scheme
under the derived key DK to recover a message M. If the
decryption function outputs "decryption error," then output
"decryption error" and stop.
6. Output the recovered message M.
7. Message Authentication Schemes
A message authentication scheme consists of a MAC (message
authentication code) generation operation and a MAC verification
operation, where the MAC generation operation produces a message
authentication code from a message under a key, and the MAC
verification operation verifies the message authentication code under
the same key. In a password-based message authentication scheme, the
key is a password.
One scheme is specified in this section: PBMAC1.
7.1 PBMAC1
PBMAC1 combines a password-based key derivation function, which shall
be PBKDF2 (Section 5.2) for this version of PKCS #5, with an
underlying message authentication scheme (see Appendix B.3 for an
example). The key length and any other parameters for the underlying
message authentication scheme depend on the scheme.
7.1.1 MAC Generation
The MAC generation operation for PBMAC1 consists of the following
steps, which process a message M under a password P to generate a
message authentication code T, applying a selected key derivation
function KDF and a selected underlying message authentication scheme:
1. Select a salt S and an iteration count c, as outlined in
Section 4.
2. Select a key length in octets, dkLen, for the derived key for
the underlying message authentication function.
3. Apply the selected key derivation function to the password P,
the salt S, and the iteration count c to produce a derived key
DK of length dkLen octets:
DK = KDF (P, S, c, dkLen) .
4. Process the message M with the underlying message
authentication scheme under the derived key DK to generate a
message authentication code T.
5. Output the message authentication code T.
The salt S, the iteration count c, the key length dkLen, and
identifiers for the key derivation function and underlying message
authentication scheme may be conveyed to the party performing
verification in an AlgorithmIdentifier value (see Appendix A.5).
7.1.2 MAC Verification
The MAC verification operation for PBMAC1 consists of the following
steps, which process a message M under a password P to verify a
message authentication code T:
1. Obtain the salt S and the iteration count c.
2. Obtain the key length in octets, dkLen, for the derived key for
the underlying message authentication scheme.
3. Apply the selected key derivation function to the password P,
the salt S, and the iteration count c to produce a derived key
DK of length dkLen octets:
DK = KDF (P, S, c, dkLen) .
4. Process the message M with the underlying message
authentication scheme under the derived key DK to verify the
message authentication code T.
5. If the message authentication code verifies, output "correct";
else output "incorrect."
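As an added worked example (not code from RFC 2898 itself), the following Python implements PBKDF2 with an HMAC PRF as Section 5.2 defines it (U_1 = PRF(P, S || INT(i)), U_j = PRF(P, U_{j-1}), T_i = U_1 xor ... xor U_c, DK = T_1 || T_2 || ... truncated to dkLen) and uses it for PBMAC1 generation (7.1.1) and verification (7.1.2) with HMAC-SHA1 as the underlying message authentication scheme. The same `pbkdf2` function is the key derivation step of PBES2 (6.2.1 step 3 and 6.2.2 step 4); the PBES2 cipher step is not shown because the standard library has no block cipher. The parameter names, the 16-octet random salt and the default iteration count of 2048 are choices made here, not values from the text.

```python
import hashlib
import hmac
import os
import struct


def pbkdf2(password: bytes, salt: bytes, count: int, dk_len: int, hash_name: str = "sha1") -> bytes:
    """PBKDF2 (RFC 2898, Section 5.2) with PRF = HMAC-<hash_name>."""
    if count < 1 or dk_len < 1:
        raise ValueError("iteration count and key length must be positive")
    h_len = hashlib.new(hash_name).digest_size
    if dk_len > (2 ** 32 - 1) * h_len:
        raise ValueError("derived key too long")
    blocks = -(-dk_len // h_len)                    # l = ceil(dkLen / hLen)
    out = bytearray()
    for i in range(1, blocks + 1):
        u = hmac.new(password, salt + struct.pack(">I", i), hash_name).digest()  # U_1
        t = bytearray(u)                            # T_i accumulates U_1 xor ... xor U_c
        for _ in range(count - 1):
            u = hmac.new(password, u, hash_name).digest()                        # U_j
            t = bytearray(a ^ b for a, b in zip(t, u))
        out += t
    return bytes(out[:dk_len])                      # DK = T_1 || ... || T_l, truncated


def pbmac1_generate(password: bytes, message: bytes, salt: bytes = None,
                    count: int = 2048, dk_len: int = 20, hash_name: str = "sha1"):
    """PBMAC1 MAC generation (7.1.1). Returns (S, c, T) so the verifier can reproduce DK."""
    if salt is None:
        salt = os.urandom(16)                       # step 1; Section 4 asks for >= 8 octets
    dk = pbkdf2(password, salt, count, dk_len, hash_name)   # step 3
    tag = hmac.new(dk, message, hash_name).digest()          # step 4, underlying scheme = HMAC
    return salt, count, tag                                  # step 5


def pbmac1_verify(password: bytes, message: bytes, salt: bytes, count: int, tag: bytes,
                  dk_len: int = 20, hash_name: str = "sha1") -> str:
    """PBMAC1 MAC verification (7.1.2). Returns "correct" or "incorrect"."""
    dk = pbkdf2(password, salt, count, dk_len, hash_name)    # step 3
    expected = hmac.new(dk, message, hash_name).digest()     # step 4
    # Constant-time comparison so a verifier does not leak how many tag octets matched.
    return "correct" if hmac.compare_digest(expected, tag) else "incorrect"
```

In production code `hashlib.pbkdf2_hmac` is the function to call; the hand-written `pbkdf2` above exists to show the block structure and is checked against it. The salt and iteration count travel with the MAC (or in the PBKDF2-params AlgorithmIdentifier of Appendix A.5), and the same salt must never be reused for a different purpose with the same password, per Section 4 and Section 8.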
8. Security Considerations
Password-based cryptography is generally limited in the security that
it can provide, particularly for methods such as those defined in
this document where off-line password search is possible. While the
use of salt and iteration count can increase the complexity of attack
(see Section 4 for recommendations), it is essential that passwords
are selected well, and relevant guidelines (e.g., [17]) should be
taken into account. It is also important that passwords be protected
well if stored.
In general, different keys should be derived from a password for
different uses to minimize the possibility of unintended
interactions. For password-based encryption with a single algorithm,
a random salt is sufficient to ensure that different keys will be
produced. In certain other situations, as outlined in Section 4, a
structured salt is necessary. The recommendations in Section 4 should
thus be taken into account when selecting the salt value.
9. Author's Address
Burt Kaliski
RSA Laboratories
20 Crosby Drive
Bedford, MA 01730 USA
EMail: bkaliski@rsasecurity.com
APPENDICES
A. ASN.1 Syntax
This section defines ASN.1 syntax for the key derivation functions,
the encryption schemes, the message authentication scheme, and
supporting techniques. The intended application of these definitions
includes PKCS #8 and other syntax for key management, encrypted data,
and integrity-protected data. (Various aspects of ASN.1 are specified
in several ISO/IEC standards [9][10][11][12][13][14].)
The object identifier pkcs-5 identifies the arc of the OID tree from
which the PKCS #5-specific OIDs in this section are derived:
rsadsi OBJECT IDENTIFIER ::= {iso(1) member-body(2) us(840) 113549}
pkcs OBJECT IDENTIFIER ::= {rsadsi 1}
pkcs-5 OBJECT IDENTIFIER ::= {pkcs 5}
A.1 PBKDF1
No object identifier is given for PBKDF1, as the object identifiers
for PBES1 are sufficient for existing applications and PBKDF2 is
recommended for new applications.
A.2 PBKDF2
The object identifier id-PBKDF2 identifies the PBKDF2 key derivation
function (Section 5.2).
id-PBKDF2 OBJECT IDENTIFIER ::= {pkcs-5 12}
The parameters field associated with this OID in an
AlgorithmIdentifier shall have type PBKDF2-params:
PBKDF2-params ::= SEQUENCE {
salt CHOICE {
specified OCTET STRING,
otherSource AlgorithmIdentifier {{PBKDF2-SaltSources}}
},
iterationCount INTEGER (1..MAX),
keyLength INTEGER (1..MAX) OPTIONAL,
prf AlgorithmIdentifier {{PBKDF2-PRFs}} DEFAULT
algid-hmacWithSHA1 }
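As an added worked example (not code from RFC 2898 itself), the following Python encodes and decodes PBKDF2-params in DER for the common case: the `specified` salt alternative, keyLength present or absent, and prf left at its DEFAULT of hmacWithSHA1, which DER requires to be omitted. The `otherSource` alternative and an explicit prf are rejected rather than parsed. The bounds `MAX_ITERATION_COUNT` and `MAX_KEY_LENGTH` are assumed values standing in for the implementation-defined limits the field descriptions mention; the helper names are this example's own.

```python
# Implementation-defined bounds (assumed here); an attacker who controls the
# parameters would otherwise choose the amount of work the decrypting party does.
MAX_ITERATION_COUNT = 10_000_000
MAX_KEY_LENGTH = 1024


def der_len(n: int) -> bytes:
    """DER length octets: short form below 128, minimal long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_len(len(content)) + content


def der_int(value: int) -> bytes:
    """INTEGER with minimal two's-complement content (leading 0x00 only when the top bit is set)."""
    if value < 0:
        raise ValueError("only non-negative integers are used here")
    body = value.to_bytes(value.bit_length() // 8 + 1, "big")
    return der_tlv(0x02, body)


def encode_pbkdf2_params(salt: bytes, count: int, key_length: int = None) -> bytes:
    """PBKDF2-params with salt.specified, iterationCount, optional keyLength, default prf omitted."""
    if not 1 <= count <= MAX_ITERATION_COUNT:
        raise ValueError("iteration count out of bounds")
    if key_length is not None and not 1 <= key_length <= MAX_KEY_LENGTH:
        raise ValueError("key length out of bounds")
    content = der_tlv(0x04, salt) + der_int(count)          # OCTET STRING, INTEGER
    if key_length is not None:
        content += der_int(key_length)
    return der_tlv(0x30, content)                            # SEQUENCE


def read_tlv(buf: bytes, pos: int):
    """Read one DER TLV at buf[pos]; returns (tag, content, position after it)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        if buf[pos] == 0 or length < 0x80:
            raise ValueError("non-minimal DER length")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated content")
    return tag, buf[pos:end], end


def int_from_der(body: bytes) -> int:
    """Decode INTEGER content, rejecting negative values and non-minimal encodings."""
    if not body:
        raise ValueError("empty INTEGER")
    if body[0] & 0x80:
        raise ValueError("negative INTEGER not allowed for (1..MAX)")
    if len(body) > 1 and body[0] == 0 and not body[1] & 0x80:
        raise ValueError("non-minimal INTEGER")
    return int.from_bytes(body, "big")


def decode_pbkdf2_params(der: bytes):
    """Returns (salt, iterationCount, keyLength or None); raises ValueError on anything unsupported."""
    tag, seq, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected a single SEQUENCE")
    tag, salt, pos = read_tlv(seq, 0)
    if tag != 0x04:
        raise ValueError("only the 'specified' salt alternative is supported")
    tag, body, pos = read_tlv(seq, pos)
    if tag != 0x02:
        raise ValueError("expected iterationCount INTEGER")
    count = int_from_der(body)
    if not 1 <= count <= MAX_ITERATION_COUNT:
        raise ValueError("iteration count out of bounds")
    key_length = None
    if pos < len(seq) and seq[pos] == 0x02:
        tag, body, pos = read_tlv(seq, pos)
        key_length = int_from_der(body)
        if not 1 <= key_length <= MAX_KEY_LENGTH:
            raise ValueError("key length out of bounds")
    if pos != len(seq):
        raise ValueError("trailing data or explicit prf not supported")
    return salt, count, key_length
```

The decoder enforces the bounds before any key derivation takes place, which is where an implementation profile's limit on iterationCount belongs: the parameters arrive with the ciphertext and are not yet authenticated when PBKDF2 runs.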
The fields of type PBKDF2-params have the following meanings:
- salt specifies the salt value, or the source of the salt value.
It shall either be an octet string or an algorithm ID with an OID
in the set PBKDF2-SaltSources, which is reserved for future
versions of PKCS #5.
The salt-source approach is intended to indicate how the salt
value is to be generated as a function of parameters in the
algorithm ID, application data, or both. For instance, it may
indicate that the salt value is produced from the encoding of a
structure that specifies detailed information about the derived
key as suggested in Section 4.1. Some of the information may be
carried elsewhere, e.g., in the encryption algorithm ID. However,
such facilities are deferred to a future version of PKCS #5.
In this version, an application may achieve the benefits mentioned
in Section 4.1 by choosing a particular interpretation of the salt
value in the specified alternative.
PBKDF2-SaltSources ALGORITHM-IDENTIFIER ::= { ... }
- iterationCount specifies the iteration count. The maximum
iteration count allowed depends on the implementation. It is
expected that implementation profiles may further constrain the
bounds.
- keyLength, an optional field, is the length in octets of the
derived key. The maximum key length allowed depends on the
implementation; it is expected that implementation profiles may
further constrain the bounds. The field is provided for
convenience only; the key length is not cryptographically