rfc2898.txt
protected. If there is concern about interaction between
operations with different key lengths for a given salt (see
Section 4.1), the salt should distinguish among the different key
lengths.
- prf identifies the underlying pseudorandom function. It shall be
an algorithm ID with an OID in the set PBKDF2-PRFs, which for this
version of PKCS #5 shall consist of id-hmacWithSHA1 (see Appendix
B.1.1) and any other OIDs defined by the application.
PBKDF2-PRFs ALGORITHM-IDENTIFIER ::=
    { {NULL IDENTIFIED BY id-hmacWithSHA1}, ... }
The default pseudorandom function is HMAC-SHA-1:
algid-hmacWithSHA1 AlgorithmIdentifier {{PBKDF2-PRFs}} ::=
    {algorithm id-hmacWithSHA1, parameters NULL : NULL}
Kaliski Informational [Page 19]
RFC 2898 Password-Based Cryptography September 2000
A.3 PBES1
Different object identifiers identify the PBES1 encryption scheme
(Section 6.1) according to the underlying hash function in the key
derivation function and the underlying block cipher, as summarized in
the following table:
Hash Function   Block Cipher   OID
MD2             DES            pkcs-5.1
MD2             RC2            pkcs-5.4
MD5             DES            pkcs-5.3
MD5             RC2            pkcs-5.6
SHA-1           DES            pkcs-5.10
SHA-1           RC2            pkcs-5.11
pbeWithMD2AndDES-CBC OBJECT IDENTIFIER ::= {pkcs-5 1}
pbeWithMD2AndRC2-CBC OBJECT IDENTIFIER ::= {pkcs-5 4}
pbeWithMD5AndDES-CBC OBJECT IDENTIFIER ::= {pkcs-5 3}
pbeWithMD5AndRC2-CBC OBJECT IDENTIFIER ::= {pkcs-5 6}
pbeWithSHA1AndDES-CBC OBJECT IDENTIFIER ::= {pkcs-5 10}
pbeWithSHA1AndRC2-CBC OBJECT IDENTIFIER ::= {pkcs-5 11}
For each OID, the parameters field associated with the OID in an
AlgorithmIdentifier shall have type PBEParameter:
PBEParameter ::= SEQUENCE {
    salt OCTET STRING (SIZE(8)),
    iterationCount INTEGER }
The fields of type PBEParameter have the following meanings:
- salt specifies the salt value, an eight-octet string.
- iterationCount specifies the iteration count.
A.4 PBES2
The object identifier id-PBES2 identifies the PBES2 encryption scheme
(Section 6.2).
id-PBES2 OBJECT IDENTIFIER ::= {pkcs-5 13}
The parameters field associated with this OID in an
AlgorithmIdentifier shall have type PBES2-params:
PBES2-params ::= SEQUENCE {
    keyDerivationFunc AlgorithmIdentifier {{PBES2-KDFs}},
    encryptionScheme AlgorithmIdentifier {{PBES2-Encs}} }
The fields of type PBES2-params have the following meanings:
- keyDerivationFunc identifies the underlying key derivation
function. It shall be an algorithm ID with an OID in the set
PBES2-KDFs, which for this version of PKCS #5 shall consist of
id-PBKDF2 (Appendix A.2).
PBES2-KDFs ALGORITHM-IDENTIFIER ::=
    { {PBKDF2-params IDENTIFIED BY id-PBKDF2}, ... }
- encryptionScheme identifies the underlying encryption scheme. It
shall be an algorithm ID with an OID in the set PBES2-Encs, whose
definition is left to the application. Example underlying
encryption schemes are given in Appendix B.2.
PBES2-Encs ALGORITHM-IDENTIFIER ::= { ... }
A.5 PBMAC1
The object identifier id-PBMAC1 identifies the PBMAC1 message
authentication scheme (Section 7.1).
id-PBMAC1 OBJECT IDENTIFIER ::= {pkcs-5 14}
The parameters field associated with this OID in an
AlgorithmIdentifier shall have type PBMAC1-params:
PBMAC1-params ::= SEQUENCE {
    keyDerivationFunc AlgorithmIdentifier {{PBMAC1-KDFs}},
    messageAuthScheme AlgorithmIdentifier {{PBMAC1-MACs}} }
The keyDerivationFunc field has the same meaning as the corresponding
field of PBES2-params (Appendix A.4) except that the set of OIDs is
PBMAC1-KDFs.
PBMAC1-KDFs ALGORITHM-IDENTIFIER ::=
    { {PBKDF2-params IDENTIFIED BY id-PBKDF2}, ... }
The messageAuthScheme field identifies the underlying message
authentication scheme. It shall be an algorithm ID with an OID in the
set PBMAC1-MACs, whose definition is left to the application. Example
underlying message authentication schemes are given in Appendix B.3.
PBMAC1-MACs ALGORITHM-IDENTIFIER ::= { ... }
B. Supporting Techniques
This section gives several examples of underlying functions and
schemes supporting the password-based schemes in Sections 5, 6 and 7.
While these supporting techniques are appropriate for applications to
implement, none of them is required to be implemented. It is
expected, however, that profiles for PKCS #5 will be developed that
specify particular supporting techniques.
This section also gives object identifiers for the supporting
techniques. The object identifiers digestAlgorithm and
encryptionAlgorithm identify the arcs from which certain algorithm
OIDs referenced in this section are derived:
digestAlgorithm OBJECT IDENTIFIER ::= {rsadsi 2}
encryptionAlgorithm OBJECT IDENTIFIER ::= {rsadsi 3}
B.1 Pseudorandom functions
An example pseudorandom function for PBKDF2 (Section 5.2) is HMAC-
SHA-1.
B.1.1 HMAC-SHA-1
HMAC-SHA-1 is the pseudorandom function corresponding to the HMAC
message authentication code [7] based on the SHA-1 hash function
[18]. The pseudorandom function is the same function by which the
message authentication code is computed, with a full-length output.
(The first argument to the pseudorandom function PRF serves as HMAC's
"key," and the second serves as HMAC's "text." In the case of PBKDF2,
the "key" is thus the password and the "text" is the salt.) HMAC-
SHA-1 has a variable key length and a 20-octet (160-bit) output
value.
Although the length of the key to HMAC-SHA-1 is essentially
unbounded, the effective search space for pseudorandom function
outputs may be limited by the structure of the function. In
particular, when the key is longer than 512 bits, HMAC-SHA-1 will
first hash it to 160 bits. Thus, even if a long derived key
consisting of several pseudorandom function outputs is produced from
a key, the effective search space for the derived key will be at most
160 bits. Although the specific limitation for other key sizes
depends on details of the HMAC construction, one should assume, to be
conservative, that the effective search space is limited to 160 bits
for other key sizes as well.
(The 160-bit limitation should not generally pose a practical
limitation in the case of password-based cryptography, since the
search space for a password is unlikely to be greater than 160 bits.)
The object identifier id-hmacWithSHA1 identifies the HMAC-SHA-1
pseudorandom function:
id-hmacWithSHA1 OBJECT IDENTIFIER ::= {digestAlgorithm 7}
The parameters field associated with this OID in an
AlgorithmIdentifier shall have type NULL. This object identifier is
employed in the object set PBKDF2-PRFs (Appendix A.2).
Note. Although HMAC-SHA-1 was designed as a message authentication
code, its proof of security is readily modified to accommodate
requirements for a pseudorandom function, under stronger assumptions.
A hash function may also meet the requirements of a pseudorandom
function under certain assumptions. For instance, the direct
application of a hash function to the concatenation of the "key"
and the "text" may be appropriate, provided that "text" has
appropriate structure to prevent certain attacks. HMAC-SHA-1 is
preferable, however, because it treats "key" and "text" as separate
arguments and does not require "text" to have any structure.
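As an added worked example (not part of RFC 2898), the following Python writes out PBKDF2 from Section 5.2 with HMAC-SHA-1 in the PRF role described above (the password as HMAC "key", S || INT(i) as HMAC "text"), cross-checks it against the standard library, and demonstrates the 160-bit remark: a password longer than 64 octets derives exactly the same key as its 20-octet SHA-1 digest. Function names and sample inputs are my own constructions.

```python
import hashlib
import hmac
import struct

def prf_hmac_sha1(password: bytes, text: bytes) -> bytes:
    """Appendix B.1.1 PRF: HMAC-SHA-1 with the password as HMAC "key"
    and the block input as HMAC "text"; full 20-octet output."""
    return hmac.new(password, text, hashlib.sha1).digest()

def pbkdf2(password: bytes, salt: bytes, c: int, dk_len: int) -> bytes:
    """PBKDF2 (Section 5.2) step by step, hLen = 20 for HMAC-SHA-1:
    T_i = F(P, S, c, i) = U_1 xor U_2 xor ... xor U_c, where
    U_1 = PRF(P, S || INT(i)) and U_j = PRF(P, U_{j-1})."""
    h_len = 20
    if c < 1 or dk_len < 1 or dk_len > (2**32 - 1) * h_len:
        raise ValueError("bad iteration count or derived key too long")
    blocks = -(-dk_len // h_len)  # l = CEIL(dkLen / hLen)
    out = bytearray()
    for i in range(1, blocks + 1):
        # INT(i) is the four-octet big-endian encoding of the block index.
        u = prf_hmac_sha1(password, salt + struct.pack(">I", i))
        t = bytearray(u)
        for _ in range(c - 1):
            u = prf_hmac_sha1(password, u)
            t = bytearray(a ^ b for a, b in zip(t, u))
        out += t
    return bytes(out[:dk_len])  # DK = T_1 || ... || T_l, cut to dkLen

def matches_stdlib(password: bytes, salt: bytes, c: int, dk_len: int) -> bool:
    """Cross-check against Python's built-in PBKDF2-HMAC-SHA1."""
    return pbkdf2(password, salt, c, dk_len) == hashlib.pbkdf2_hmac(
        "sha1", password, salt, c, dk_len)

def long_password_collides(long_password: bytes, salt: bytes, c: int) -> bool:
    """The 160-bit remark: HMAC-SHA-1 hashes any key longer than 512 bits
    (64 octets) to its 20-octet SHA-1 digest first, so a long password and
    that digest, used directly as the password, derive identical keys."""
    if len(long_password) <= 64:
        raise ValueError("demonstration needs a password longer than 64 octets")
    digest = hashlib.sha1(long_password).digest()
    return pbkdf2(long_password, salt, c, 40) == pbkdf2(digest, salt, c, 40)

if __name__ == "__main__":
    # Constructed sample inputs; not test vectors from RFC 2898.
    print(pbkdf2(b"password", b"salt", 4096, 20).hex())
    print(long_password_collides(b"p" * 100, b"salt", 200))
```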
B.2 Encryption Schemes
Example encryption schemes for PBES2 (Section 6.2) are DES-CBC-Pad,
DES-EDE3-CBC-Pad, RC2-CBC-Pad, and RC5-CBC-Pad.
The object identifiers given in this section are intended to be
employed in the object set PBES2-Encs (Appendix A.4).
B.2.1 DES-CBC-Pad
DES-CBC-Pad is single-key DES [15] in CBC mode [16] with the RFC 1423
padding operation (see Section 6.1.1). DES-CBC-Pad has an eight-octet
encryption key and an eight-octet initialization vector. The key is
considered as a 64-bit encoding of a 56-bit DES key with parity bits
ignored.
The object identifier desCBC (defined in the NIST/OSI Implementors'
Workshop agreements) identifies the DES-CBC-Pad encryption scheme:
desCBC OBJECT IDENTIFIER ::=
    {iso(1) identified-organization(3) oiw(14) secsig(3)
     algorithms(2) 7}
The parameters field associated with this OID in an
AlgorithmIdentifier shall have type OCTET STRING (SIZE(8)),
specifying the initialization vector for CBC mode.
B.2.2 DES-EDE3-CBC-Pad
DES-EDE3-CBC-Pad is three-key triple-DES in CBC mode [1] with the RFC
1423 padding operation. DES-EDE3-CBC-Pad has a 24-octet encryption
key and an eight-octet initialization vector. The key is considered
as the concatenation of three eight-octet keys, each of which is a
64-bit encoding of a 56-bit DES key with parity bits ignored.
The object identifier des-EDE3-CBC identifies the DES-EDE3-CBC-Pad
encryption scheme:
des-EDE3-CBC OBJECT IDENTIFIER ::= {encryptionAlgorithm 7}
The parameters field associated with this OID in an
AlgorithmIdentifier shall have type OCTET STRING (SIZE(8)),
specifying the initialization vector for CBC mode.
Note. An OID for DES-EDE3-CBC without padding is given in ANSI X9.52
[1]; the one given here is preferred since it specifies padding.
B.2.3 RC2-CBC-Pad
RC2-CBC-Pad is the RC2(tm) encryption algorithm [21] in CBC mode with
the RFC 1423 padding operation. RC2-CBC-Pad has a variable key
length, from one to 128 octets, a separate "effective key bits"
parameter from one to 1024 bits that limits the effective search
space independent of the key length, and an eight-octet
initialization vector.
The object identifier rc2CBC identifies the RC2-CBC-Pad encryption
scheme:
rc2CBC OBJECT IDENTIFIER ::= {encryptionAlgorithm 2}
The parameters field associated with this OID in an AlgorithmIdentifier
shall have type RC2-CBC-Parameter:
RC2-CBC-Parameter ::= SEQUENCE {
    rc2ParameterVersion INTEGER OPTIONAL,
    iv OCTET STRING (SIZE(8)) }
The fields of type RC2-CBC-Parameter have the following meanings:
- rc2ParameterVersion is a proprietary RSA Security Inc. encoding of
the "effective key bits" for RC2. The following encodings are
defined:
Effective Key Bits   Encoding
40                   160
64                   120
128                  58
b >= 256             b
If the rc2ParameterVersion field is omitted, the "effective key bits"
defaults to 32. (This is for backward compatibility with certain very
old implementations.)
- iv is the eight-octet initialization vector.
B.2.4 RC5-CBC-Pad
RC5-CBC-Pad is the RC5(tm) encryption algorithm [20] in CBC mode with
a generalization of the RFC 1423 padding operation. This scheme is
fully specified in [2]. RC5-CBC-Pad has a variable key length, from 0
to 256 octets, and supports both a 64-bit block size and a 128-bit
block size. For the former, it has an eight-octet initialization
vector, and for the latter, a 16-octet initialization vector.
RC5-CBC-Pad also has a variable number of "rounds" in the encryption
operation, from 8 to 127.
Note: The generalization of the padding operation is as follows. For
RC5 with a 64-bit block size, the padding string is as defined in RFC
1423. For RC5 with a 128-bit block size, the padding string consists
of 16-(||M|| mod 16) octets each with value 16-(||M|| mod 16).
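An added example (not part of the RFC) implementing the RFC 1423 padding of Section 6.1.1 together with the 128-bit-block generalization from the note above, plus the strict validation a decryptor should apply before accepting a message. Function names are mine.

```python
def rfc1423_pad(message: bytes, block_size: int = 8) -> bytes:
    """RFC 1423 padding (Section 6.1.1), generalised as in the RC5-CBC-Pad
    note: append k - (||M|| mod k) octets, each with value k - (||M|| mod k),
    where k = 8 for 64-bit blocks (DES, RC2, RC5-64) and k = 16 for RC5-128.
    A message that already fills whole blocks gets a full extra block, so
    the padding is always present and can always be removed unambiguously."""
    if block_size not in (8, 16):
        raise ValueError("block size must be 8 or 16 octets")
    ps = block_size - (len(message) % block_size)
    return message + bytes([ps]) * ps

def is_valid_padding(padded: bytes, block_size: int = 8) -> bool:
    """Every condition a decryptor should verify: whole blocks only, final
    octet in 1..k, and all ps trailing octets equal to ps."""
    if block_size not in (8, 16) or not padded or len(padded) % block_size:
        return False
    ps = padded[-1]
    return 1 <= ps <= block_size and padded[-ps:] == bytes([ps]) * ps

def rfc1423_unpad(padded: bytes, block_size: int = 8) -> bytes:
    """Removes the padding; any malformed input is rejected with one uniform
    error so callers do not learn which individual check failed."""
    if not is_valid_padding(padded, block_size):
        raise ValueError("invalid padding")
    return padded[: -padded[-1]]

if __name__ == "__main__":
    # Constructed sample message (not from the RFC).
    for k in (8, 16):
        padded = rfc1423_pad(b"The quick brown fox", k)
        print(k, padded.hex(), rfc1423_unpad(padded, k))
```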
The object identifier rc5-CBC-PAD [2] identifies RC5-CBC-Pad
encryption scheme:
rc5-CBC-PAD OBJECT IDENTIFIER ::= {encryptionAlgorithm 9}
The parameters field associated with this OID in an
AlgorithmIdentifier shall have type RC5-CBC-Parameters: