is for encryption, for message authentication, or for some other operation. Based on this, the following is recommended for salt selection:

   1. If there is no concern about interactions between multiple uses of the same key (or a prefix of that key) with the password-based encryption and authentication techniques supported for a given password, then the salt may be generated at random and need not be checked for a particular format by the party receiving the salt. It should be at least eight octets (64 bits) long.

   2. Otherwise, the salt should contain data that explicitly distinguishes between different operations and different key lengths, in addition to a random part that is at least eight octets long, and this data should be checked or regenerated by the party receiving the salt. For instance, the salt could have an additional non-random octet that specifies the purpose of the derived key. Alternatively, it could be the encoding of a structure that specifies detailed information about the derived key, such as the encryption or authentication technique and a sequence number among the different keys derived from the password. The particular format of the additional data is left to the application.

   Note. If a random number generator or pseudorandom generator is not available, a deterministic alternative for generating the salt (or the random part of it) is to apply a password-based key derivation function to the password and the message M to be processed. For instance, the salt could be computed with a key derivation function as

                S = KDF (P, M) .
   This approach is not recommended if the message M is known to belong to a small message space (e.g., "Yes" or "No"), however, since then there will only be a small number of possible salts.

Kaliski                     Informational                      [Page 7]
RFC 2898              Password-Based Cryptography         September 2000

4.2 Iteration Count

An iteration count has traditionally served the purpose of increasing the cost of producing keys from a password, thereby also increasing the difficulty of attack. For the methods in this document, a minimum of 1000 iterations is recommended. This will increase the cost of exhaustive search for passwords significantly, without a noticeable impact in the cost of deriving individual keys.

5. Key Derivation Functions

A key derivation function produces a derived key from a base key and other parameters. In a password-based key derivation function, the base key is a password and the other parameters are a salt value and an iteration count, as outlined in Section 3.

The primary application of the password-based key derivation functions defined here is in the encryption schemes in Section 6 and the message authentication scheme in Section 7. Other applications are certainly possible, hence the independent definition of these functions.

Two functions are specified in this section: PBKDF1 and PBKDF2. PBKDF2 is recommended for new applications; PBKDF1 is included only for compatibility with existing applications, and is not recommended for new applications.

A typical application of the key derivation functions defined here might include the following steps:

   1. Select a salt S and an iteration count c, as outlined in Section 4.

   2. Select a length in octets for the derived key, dkLen.

   3. Apply the key derivation function to the password, the salt, the iteration count and the key length to produce a derived key.

   4. Output the derived key.
Any number of keys may be derived from a password by varying the salt, as described in Section 3.

5.1 PBKDF1

PBKDF1 applies a hash function, which shall be MD2 [6], MD5 [19] or SHA-1 [18], to derive keys. The length of the derived key is bounded by the length of the hash function output, which is 16 octets for MD2 and MD5 and 20 octets for SHA-1. PBKDF1 is compatible with the key derivation process in PKCS #5 v1.5.

PBKDF1 is recommended only for compatibility with existing applications since the keys it produces may not be large enough for some applications.

   PBKDF1 (P, S, c, dkLen)

   Options:        Hash       underlying hash function

   Input:          P          password, an octet string
                   S          salt, an eight-octet string
                   c          iteration count, a positive integer
                   dkLen      intended length in octets of derived key, a positive integer, at most 16 for MD2 or MD5 and 20 for SHA-1

   Output:         DK         derived key, a dkLen-octet string

   Steps:

      1. If dkLen > 16 for MD2 and MD5, or dkLen > 20 for SHA-1, output "derived key too long" and stop.

      2. Apply the underlying hash function Hash for c iterations to the concatenation of the password P and the salt S, then extract the first dkLen octets to produce a derived key DK:

                T_1 = Hash (P || S) ,
                T_2 = Hash (T_1) ,
                ...
                T_c = Hash (T_{c-1}) ,
                DK = T_c<0..dkLen-1>

      3. Output the derived key DK.

5.2 PBKDF2

PBKDF2 applies a pseudorandom function (see Appendix B.1 for an example) to derive keys. The length of the derived key is essentially unbounded. (However, the maximum effective search space for the derived key may be limited by the structure of the underlying pseudorandom function. See Appendix B.1 for further discussion.) PBKDF2 is recommended for new applications.
   PBKDF2 (P, S, c, dkLen)

   Options:        PRF        underlying pseudorandom function (hLen denotes the length in octets of the pseudorandom function output)

   Input:          P          password, an octet string
                   S          salt, an octet string
                   c          iteration count, a positive integer
                   dkLen      intended length in octets of the derived key, a positive integer, at most (2^32 - 1) * hLen

   Output:         DK         derived key, a dkLen-octet string

   Steps:

      1. If dkLen > (2^32 - 1) * hLen, output "derived key too long" and stop.

      2. Let l be the number of hLen-octet blocks in the derived key, rounding up, and let r be the number of octets in the last block:

                l = CEIL (dkLen / hLen) ,
                r = dkLen - (l - 1) * hLen .

         Here, CEIL (x) is the "ceiling" function, i.e. the smallest integer greater than, or equal to, x.

      3. For each block of the derived key apply the function F defined below to the password P, the salt S, the iteration count c, and the block index to compute the block:

                T_1 = F (P, S, c, 1) ,
                T_2 = F (P, S, c, 2) ,
                ...
                T_l = F (P, S, c, l) ,

         where the function F is defined as the exclusive-or sum of the first c iterates of the underlying pseudorandom function PRF applied to the password P and the concatenation of the salt S and the block index i:

                F (P, S, c, i) = U_1 \xor U_2 \xor ... \xor U_c

         where

                U_1 = PRF (P, S || INT (i)) ,
                U_2 = PRF (P, U_1) ,
                ...
                U_c = PRF (P, U_{c-1}) .

         Here, INT (i) is a four-octet encoding of the integer i, most significant octet first.

      4. Concatenate the blocks and extract the first dkLen octets to produce a derived key DK:

                DK = T_1 || T_2 || ... || T_l<0..r-1>

      5. Output the derived key DK.

   Note. The construction of the function F follows a "belt-and-suspenders" approach. The iterates U_i are computed recursively to remove a degree of parallelism from an opponent; they are exclusive-ored together to reduce concerns about the recursion degenerating into a small set of values.
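The two key derivation functions of Section 5, written out step by step as an added Python example (not text from the RFC). It assumes HMAC as the PRF for PBKDF2, the choice given in Appendix B.1, and uses the standard library only; the hand-written PBKDF2 is cross-checked against hashlib.pbkdf2_hmac so the INT (i) encoding, the block count l and the final truncation to r octets can be verified.

```python
import hashlib
import hmac
import math


def pbkdf1(password: bytes, salt: bytes, c: int, dk_len: int, hash_name: str = "sha1") -> bytes:
    """PBKDF1 (Section 5.1): T_1 = Hash(P || S), T_i = Hash(T_{i-1}), DK = T_c<0..dkLen-1>."""
    if dk_len > hashlib.new(hash_name).digest_size:   # step 1: bounded by the hash output
        raise ValueError("derived key too long")
    if len(salt) != 8:                                 # PBKDF1 takes an eight-octet salt
        raise ValueError("salt must be eight octets")
    t = hashlib.new(hash_name, password + salt).digest()   # T_1
    for _ in range(c - 1):                                  # T_2 ... T_c
        t = hashlib.new(hash_name, t).digest()
    return t[:dk_len]                                       # step 2: first dkLen octets


def pbkdf2(password: bytes, salt: bytes, c: int, dk_len: int, hash_name: str = "sha1") -> bytes:
    """PBKDF2 (Section 5.2) with PRF = HMAC-<hash_name>, as in Appendix B.1."""
    h_len = hashlib.new(hash_name).digest_size
    if dk_len > (2**32 - 1) * h_len:                   # step 1
        raise ValueError("derived key too long")
    l = math.ceil(dk_len / h_len)                      # step 2: l blocks, r octets in the last
    r = dk_len - (l - 1) * h_len

    def f(i: int) -> bytes:
        # U_1 = PRF(P, S || INT(i)), U_j = PRF(P, U_{j-1}); F = U_1 xor ... xor U_c.
        # INT(i) is the four-octet big-endian encoding of the block index.
        u = hmac.new(password, salt + i.to_bytes(4, "big"), hash_name).digest()
        acc = bytearray(u)
        for _ in range(c - 1):
            u = hmac.new(password, u, hash_name).digest()
            for k in range(h_len):
                acc[k] ^= u[k]
        return bytes(acc)

    blocks = [f(i) for i in range(1, l + 1)]           # step 3: T_1 ... T_l
    return b"".join(blocks[:-1]) + blocks[-1][:r]      # step 4: T_1 || ... || T_l<0..r-1>


def matches_stdlib(password: bytes, salt: bytes, c: int, dk_len: int, hash_name: str = "sha1") -> bool:
    """Cross-check the hand-written PBKDF2 against hashlib.pbkdf2_hmac."""
    return pbkdf2(password, salt, c, dk_len, hash_name) == hashlib.pbkdf2_hmac(
        hash_name, password, salt, c, dk_len)
```

The first assertion in the accompanying check is the published PBKDF2-HMAC-SHA1 test vector for P = "password", S = "salt", c = 1, dkLen = 20.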
6. Encryption Schemes

An encryption scheme, in the symmetric setting, consists of an encryption operation and a decryption operation, where the encryption operation produces a ciphertext from a message under a key, and the decryption operation recovers the message from the ciphertext under the same key. In a password-based encryption scheme, the key is a password.

A typical application of a password-based encryption scheme is a private-key protection method, where the message contains private-key information, as in PKCS #8. The encryption schemes defined here would be suitable encryption algorithms in that context.

Two schemes are specified in this section: PBES1 and PBES2. PBES2 is recommended for new applications; PBES1 is included only for compatibility with existing applications, and is not recommended for new applications.

6.1 PBES1

PBES1 combines the PBKDF1 function (Section 5.1) with an underlying block cipher, which shall be either DES [15] or RC2(tm) [21] in CBC mode [16]. PBES1 is compatible with the encryption scheme in PKCS #5 v1.5.

PBES1 is recommended only for compatibility with existing applications, since it supports only two underlying encryption schemes, each of which has a key size (56 or 64 bits) that may not be large enough for some applications.

6.1.1 Encryption Operation

The encryption operation for PBES1 consists of the following steps, which encrypt a message M under a password P to produce a ciphertext C:

   1. Select an eight-octet salt S and an iteration count c, as outlined in Section 4.

   2. Apply the PBKDF1 key derivation function (Section 5.1) to the password P, the salt S, and the iteration count c to produce a derived key DK of length 16 octets:

                DK = PBKDF1 (P, S, c, 16) .

   3. Separate the derived key DK into an encryption key K consisting of the first eight octets of DK and an initialization vector IV consisting of the next eight octets:

                K = DK<0..7> ,
                IV = DK<8..15> .

   4. Concatenate M and a padding string PS to form an encoded message EM:

                EM = M || PS ,

      where the padding string PS consists of 8-(||M|| mod 8) octets each with value 8-(||M|| mod 8). The padding string PS will satisfy one of the following statements:

                PS = 01, if ||M|| mod 8 = 7 ;
                PS = 02 02, if ||M|| mod 8 = 6 ;
                ...
                PS = 08 08 08 08 08 08 08 08, if ||M|| mod 8 = 0.

      The length in octets of the encoded message will be a multiple of eight and it will be possible to recover the message M unambiguously from the encoded message. (This padding rule is taken from RFC 1423 [3].)

   5. Encrypt the encoded message EM with the underlying block cipher (DES or RC2) in cipher block chaining mode under the encryption key K with initialization vector IV to produce the ciphertext C. For DES, the key K shall be considered as a 64-bit encoding of a 56-bit DES key with parity bits ignored (see [9]). For RC2, the "effective key bits" shall be 64 bits.

   6. Output the ciphertext C.

The salt S and the iteration count c may be conveyed to the party performing decryption in an AlgorithmIdentifier value (see Appendix A.3).

6.1.2 Decryption Operation

The decryption operation for PBES1 consists of the following steps, which decrypt a ciphertext C under a password P to recover a message M:

   1. Obtain the eight-octet salt S and the iteration count c.

   2. Apply the PBKDF1 key derivation function (Section 5.1) to the password P, the salt S, and the iteration count c to produce a derived key DK of length 16 octets:

                DK = PBKDF1 (P, S, c, 16)

   3. Separate the derived key DK into an encryption key K consisting of the first eight octets of DK and an initialization vector IV consisting of the next eight octets:
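The PBES1 key split (step 3 of Section 6.1.1) and the RFC 1423 padding rule of step 4, with the matching validation a decrypting party performs before stripping the padding, as an added Python example that is not part of the RFC. The 16-octet DEMO_DK is a constructed stand-in for PBKDF1 (P, S, c, 16); the block cipher step itself is not shown.

```python
# Constructed placeholder for the PBKDF1 output DK; a real PBES1 run derives it from P, S, c.
DEMO_DK = bytes(range(16))


def pbes1_split_dk(dk: bytes) -> tuple:
    """Step 3: K = DK<0..7>, IV = DK<8..15> from the 16-octet PBKDF1 output."""
    if len(dk) != 16:
        raise ValueError("PBES1 derives exactly 16 octets")
    return dk[:8], dk[8:16]


def pbes1_pad(m: bytes) -> bytes:
    """Step 4: EM = M || PS, where PS is n octets each of value n and n = 8 - (||M|| mod 8)."""
    n = 8 - (len(m) % 8)      # n is always 1..8, so a full block is added when ||M|| mod 8 = 0
    return m + bytes([n]) * n


def pbes1_padding_valid(em: bytes) -> bool:
    """True if EM has the structure pbes1_pad produces (the RFC 1423 rule)."""
    if len(em) == 0 or len(em) % 8 != 0:
        return False
    n = em[-1]
    return 1 <= n <= 8 and em[-n:] == bytes([n]) * n


def pbes1_unpad(em: bytes) -> bytes:
    """Recover M from EM; unambiguous because PS is never empty and its last octet gives its length."""
    if not pbes1_padding_valid(em):
        raise ValueError("invalid padding")
    return em[: len(em) - em[-1]]


def padding_table() -> dict:
    """The statements listed in step 4: ||M|| mod 8 -> PS, e.g. 7 -> 01 and 0 -> 08 x 8."""
    return {m_len % 8: pbes1_pad(b"A" * m_len)[m_len:] for m_len in range(8)}
```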