RFC 2898                 Password-Based Cryptography           September 2000
Kaliski                       Informational

           K = DK<0..7> ,
           IV = DK<8..15> .

   4. Decrypt the ciphertext C with the underlying block cipher (DES or
      RC2) in cipher block chaining mode under the encryption key K with
      initialization vector IV to recover an encoded message EM. If the
      length in octets of the ciphertext C is not a multiple of eight,
      output "decryption error" and stop.

   5. Separate the encoded message EM into a message M and a padding
      string PS:

           EM = M || PS ,

      where the padding string PS consists of some number psLen octets
      each with value psLen, where psLen is between 1 and 8. If it is
      not possible to separate the encoded message EM in this manner,
      output "decryption error" and stop.

   6. Output the recovered message M.

6.2 PBES2

   PBES2 combines a password-based key derivation function, which shall
   be PBKDF2 (Section 5.2) for this version of PKCS #5, with an
   underlying encryption scheme (see Appendix B.2 for examples). The key
   length and any other parameters for the underlying encryption scheme
   depend on the scheme. PBES2 is recommended for new applications.

6.2.1 Encryption Operation

   The encryption operation for PBES2 consists of the following steps,
   which encrypt a message M under a password P to produce a ciphertext
   C, applying a selected key derivation function KDF and a selected
   underlying encryption scheme:

   1. Select a salt S and an iteration count c, as outlined in Section
      4.

   2. Select the length in octets, dkLen, for the derived key for the
      underlying encryption scheme.

   3. Apply the selected key derivation function to the password P, the
      salt S, and the iteration count c to produce a derived key DK of
      length dkLen octets:

           DK = KDF (P, S, c, dkLen) .

   4. Encrypt the message M with the underlying encryption scheme under
      the derived key DK to produce a ciphertext C. (This step may
      involve selection of parameters such as an initialization vector
      and padding, depending on the underlying scheme.)

   5. Output the ciphertext C.

   The salt S, the iteration count c, the key length dkLen, and
   identifiers for the key derivation function and the underlying
   encryption scheme may be conveyed to the party performing decryption
   in an AlgorithmIdentifier value (see Appendix A.4).

6.2.2 Decryption Operation

   The decryption operation for PBES2 consists of the following steps,
   which decrypt a ciphertext C under a password P to recover a message
   M:

   1. Obtain the salt S for the operation.

   2. Obtain the iteration count c for the key derivation function.

   3. Obtain the key length in octets, dkLen, for the derived key for
      the underlying encryption scheme.

   4. Apply the selected key derivation function to the password P, the
      salt S, and the iteration count c to produce a derived key DK of
      length dkLen octets:

           DK = KDF (P, S, c, dkLen) .

   5. Decrypt the ciphertext C with the underlying encryption scheme
      under the derived key DK to recover a message M. If the decryption
      function outputs "decryption error," then output "decryption
      error" and stop.

   6. Output the recovered message M.

7. Message Authentication Schemes

   A message authentication scheme consists of a MAC (message
   authentication code) generation operation and a MAC verification
   operation, where the MAC generation operation produces a message
   authentication code from a message under a key, and the MAC
   verification operation verifies the message authentication code
   under the same key. In a password-based message authentication
   scheme, the key is a password.

   One scheme is specified in this section: PBMAC1.

7.1 PBMAC1

   PBMAC1 combines a password-based key derivation function, which shall
   be PBKDF2 (Section 5.2) for this version of PKCS #5, with an
   underlying message authentication scheme (see Appendix B.3 for an
   example). The key length and any other parameters for the underlying
   message authentication scheme depend on the scheme.

7.1.1 MAC Generation

   The MAC generation operation for PBMAC1 consists of the following
   steps, which process a message M under a password P to generate a
   message authentication code T, applying a selected key derivation
   function KDF and a selected underlying message authentication scheme:

   1. Select a salt S and an iteration count c, as outlined in Section
      4.

   2. Select a key length in octets, dkLen, for the derived key for the
      underlying message authentication function.

   3. Apply the selected key derivation function to the password P, the
      salt S, and the iteration count c to produce a derived key DK of
      length dkLen octets:

           DK = KDF (P, S, c, dkLen) .

   4. Process the message M with the underlying message authentication
      scheme under the derived key DK to generate a message
      authentication code T.

   5. Output the message authentication code T.

   The salt S, the iteration count c, the key length dkLen, and
   identifiers for the key derivation function and underlying message
   authentication scheme may be conveyed to the party performing
   verification in an AlgorithmIdentifier value (see Appendix A.5).

7.1.2 MAC Verification

   The MAC verification operation for PBMAC1 consists of the following
   steps, which process a message M under a password P to verify a
   message authentication code T:

   1. Obtain the salt S and the iteration count c.

   2. Obtain the key length in octets, dkLen, for the derived key for
      the underlying message authentication scheme.

   3. Apply the selected key derivation function to the password P, the
      salt S, and the iteration count c to produce a derived key DK of
      length dkLen octets:

           DK = KDF (P, S, c, dkLen) .

   4. Process the message M with the underlying message authentication
      scheme under the derived key DK to verify the message
      authentication code T.

   5. If the message authentication code verifies, output "correct";
      else output "incorrect."

8. Security Considerations

   Password-based cryptography is generally limited in the security that
   it can provide, particularly for methods such as those defined in
   this document where off-line password search is possible. While the
   use of salt and iteration count can increase the complexity of attack
   (see Section 4 for recommendations), it is essential that passwords
   are selected well, and relevant guidelines (e.g., [17]) should be
   taken into account. It is also important that passwords be protected
   well if stored.

   In general, different keys should be derived from a password for
   different uses to minimize the possibility of unintended
   interactions. For password-based encryption with a single algorithm,
   a random salt is sufficient to ensure that different keys will be
   produced. In certain other situations, as outlined in Section 4, a
   structured salt is necessary. The recommendations in Section 4 should
   thus be taken into account when selecting the salt value.

9. Author's Address

   Burt Kaliski
   RSA Laboratories
   20 Crosby Drive
   Bedford, MA  01730 USA

   EMail: bkaliski@rsasecurity.com

APPENDICES

A. ASN.1 Syntax

   This section defines ASN.1 syntax for the key derivation functions,
   the encryption schemes, the message authentication scheme, and
   supporting techniques. The intended application of these definitions
   includes PKCS #8 and other syntax for key management, encrypted data,
   and integrity-protected data. (Various aspects of ASN.1 are specified
   in several ISO/IEC standards [9][10][11][12][13][14].)
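   The following Python is an added example, not part of RFC 2898. It
   follows the decryption side of PBES1 (steps 3 to 6 above), writes out
   the PBKDF2 step that PBES2 and PBMAC1 share (Section 5.2, with the
   default PRF HMAC-SHA-1 from Appendix A.2), and then performs PBMAC1
   generation and verification with HMAC-SHA-1 as the underlying MAC,
   the scheme Appendix B.3 of the RFC uses as its example. The Python
   standard library has no DES or RC2, so pbes1_recover takes the CBC
   decryption as a caller-supplied function. The function names, the
   sample password, salt, message and iteration counts are all
   constructed for this example; pbkdf2_hmac_sha1 can be cross-checked
   against hashlib.pbkdf2_hmac and against the c=1 vector of RFC 6070.

```python
import hashlib
import hmac


class DecryptionError(Exception):
    """The single failure output PBES1 prescribes: "decryption error"."""


# --- PBES1 decryption, steps 3 to 6 (Section 6.1.2) ------------------------

def pbes1_split_key_iv(dk: bytes) -> tuple:
    """Step 3: K = DK<0..7>, IV = DK<8..15>."""
    if len(dk) != 16:
        raise ValueError("PBES1 needs the 16-octet derived key that PBKDF1 produces")
    return dk[:8], dk[8:16]


def pbes1_unpad(em: bytes) -> bytes:
    """Step 5: EM = M || PS, PS is psLen octets each of value psLen,
    1 <= psLen <= 8. Any other layout is a decryption error."""
    if len(em) == 0 or len(em) % 8 != 0:
        raise DecryptionError
    ps_len = em[-1]
    if not 1 <= ps_len <= 8:
        raise DecryptionError
    if em[-ps_len:] != bytes([ps_len]) * ps_len:
        raise DecryptionError
    return em[:-ps_len]


def pbes1_recover(dk: bytes, c: bytes, cbc_decrypt) -> bytes:
    """Steps 3 to 6. cbc_decrypt(key, iv, ciphertext) is the caller's
    DES-CBC or RC2-CBC routine (assumed interface, not from the RFC)."""
    k, iv = pbes1_split_key_iv(dk)
    if len(c) % 8 != 0:                     # step 4 length check
        raise DecryptionError
    return pbes1_unpad(cbc_decrypt(k, iv, c))  # steps 4 and 5


# --- PBKDF2 with the default PRF HMAC-SHA-1 (Section 5.2) ------------------

def pbkdf2_hmac_sha1(p: bytes, s: bytes, c: int, dk_len: int) -> bytes:
    """T_i = U_1 xor ... xor U_c with U_1 = PRF(P, S || INT(i)) and
    U_j = PRF(P, U_{j-1}); DK = T_1 || T_2 || ... truncated to dkLen.
    hashlib.pbkdf2_hmac computes the same value; the loop is spelled
    out here to show the construction."""
    h_len = hashlib.sha1().digest_size      # 20 octets
    if c < 1 or dk_len < 1 or dk_len > (2 ** 32 - 1) * h_len:
        raise ValueError("bad iteration count or derived key length")
    out = bytearray()
    for i in range(1, -(-dk_len // h_len) + 1):   # ceil(dkLen / hLen) blocks
        u = hmac.new(p, s + i.to_bytes(4, "big"), hashlib.sha1).digest()
        t = bytearray(u)
        for _ in range(c - 1):
            u = hmac.new(p, u, hashlib.sha1).digest()
            t = bytearray(x ^ y for x, y in zip(t, u))
        out += t
    return bytes(out[:dk_len])


# --- PBMAC1 (Section 7.1) with HMAC-SHA-1 as the underlying MAC ------------

def pbmac1_generate(p: bytes, m: bytes, s: bytes, c: int, dk_len: int = 20) -> bytes:
    dk = pbkdf2_hmac_sha1(p, s, c, dk_len)           # 7.1.1 step 3
    return hmac.new(dk, m, hashlib.sha1).digest()    # 7.1.1 step 4


def pbmac1_verify(p: bytes, m: bytes, s: bytes, c: int, t: bytes, dk_len: int = 20) -> str:
    """7.1.2: recompute T under the derived key and compare in constant time."""
    expected = pbmac1_generate(p, m, s, c, dk_len)
    return "correct" if hmac.compare_digest(expected, t) else "incorrect"


if __name__ == "__main__":
    # Constructed sample values; a real salt comes from a CSPRNG (Section 4).
    salt, count = bytes(range(8)), 10000
    tag = pbmac1_generate(b"correct horse", b"invoice #42", salt, count)
    print(tag.hex(), pbmac1_verify(b"correct horse", b"invoice #42", salt, count, tag))
    print(pbmac1_verify(b"correct horse", b"invoice #43", salt, count, tag))
```

   Every failure on the PBES1 path is reported as the one DecryptionError
   the RFC prescribes; an implementation that reveals which check failed
   (length versus padding) gives a remote party more than the
   specification allows, which is the condition behind padding-oracle
   attacks on CBC. pbmac1_verify compares with hmac.compare_digest so
   that verification time does not depend on where a tag first differs.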
   The object identifier pkcs-5 identifies the arc of the OID tree from
   which the PKCS #5-specific OIDs in this section are derived:

   rsadsi OBJECT IDENTIFIER ::= {iso(1) member-body(2) us(840) 113549}
   pkcs OBJECT IDENTIFIER ::= {rsadsi 1}
   pkcs-5 OBJECT IDENTIFIER ::= {pkcs 5}

A.1 PBKDF1

   No object identifier is given for PBKDF1, as the object identifiers
   for PBES1 are sufficient for existing applications and PBKDF2 is
   recommended for new applications.

A.2 PBKDF2

   The object identifier id-PBKDF2 identifies the PBKDF2 key derivation
   function (Section 5.2).

   id-PBKDF2 OBJECT IDENTIFIER ::= {pkcs-5 12}

   The parameters field associated with this OID in an
   AlgorithmIdentifier shall have type PBKDF2-params:

   PBKDF2-params ::= SEQUENCE {
       salt CHOICE {
         specified OCTET STRING,
         otherSource AlgorithmIdentifier {{PBKDF2-SaltSources}}
       },
       iterationCount INTEGER (1..MAX),
       keyLength INTEGER (1..MAX) OPTIONAL,
       prf AlgorithmIdentifier {{PBKDF2-PRFs}} DEFAULT
       algid-hmacWithSHA1 }

   The fields of type PBKDF2-params have the following meanings:

   - salt specifies the salt value, or the source of the salt value. It
     shall either be an octet string or an algorithm ID with an OID in
     the set PBKDF2-SaltSources, which is reserved for future versions
     of PKCS #5.

     The salt-source approach is intended to indicate how the salt
     value is to be generated as a function of parameters in the
     algorithm ID, application data, or both. For instance, it may
     indicate that the salt value is produced from the encoding of a
     structure that specifies detailed information about the derived
     key as suggested in Section 4.1. Some of the information may be
     carried elsewhere, e.g., in the encryption algorithm ID. However,
     such facilities are deferred to a future version of PKCS #5.

     In this version, an application may achieve the benefits mentioned
     in Section 4.1 by choosing a particular interpretation of the salt
     value in the specified alternative.

     PBKDF2-SaltSources ALGORITHM-IDENTIFIER ::= { ... }

   - iterationCount specifies the iteration count. The maximum
     iteration count allowed depends on the implementation. It is
     expected that implementation profiles may further constrain the
     bounds.

   - keyLength, an optional field, is the length in octets of the
     derived key. The maximum key length allowed depends on the
     implementation; it is expected that implementation profiles may
     further constrain the bounds. The field is provided for
     convenience only; the key length is not cryptographically
     protected. If there is concern about interaction between
     operations with different key lengths for a given salt (see
     Section 4.1), the salt should distinguish among the different key
     lengths.

   - prf identifies the underlying pseudorandom function. It shall be
     an algorithm ID with an OID in the set PBKDF2-PRFs, which for this
     version of PKCS #5 shall consist of id-hmacWithSHA1 (see Appendix
     B.1.1) and any other OIDs defined by the application.

     PBKDF2-PRFs ALGORITHM-IDENTIFIER ::= {
         {NULL IDENTIFIED BY id-hmacWithSHA1}, ... }

   The default pseudorandom function is HMAC-SHA-1:

   algid-hmacWithSHA1 AlgorithmIdentifier {{PBKDF2-PRFs}} ::=
       {algorithm id-hmacWithSHA1, parameters NULL : NULL}

A.3 PBES1
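   The AlgorithmIdentifier that Sections 6.2.1 and 7.1.1 say may convey
   the salt, iteration count and key length to the decrypting or
   verifying party is, for PBKDF2, a SEQUENCE of id-PBKDF2 followed by
   the PBKDF2-params structure of Appendix A.2. The Python below is an
   added example, not from the RFC: it DER-encodes and decodes that
   AlgorithmIdentifier from scratch, supports only the "specified" salt
   alternative (otherSource is reserved), and leaves prf absent because
   DER requires a DEFAULT value to be omitted. ID_PBKDF2 is the dotted
   form of {pkcs-5 12} from the arcs above; MAX_ITERATIONS is an assumed
   implementation-profile bound, and the sample salt and counts are
   constructed.

```python
from typing import Optional

ID_PBKDF2 = (1, 2, 840, 113549, 1, 5, 12)   # {pkcs-5 12} under the rsadsi/pkcs arcs
MAX_ITERATIONS = 10_000_000                  # assumed profile bound, not from the RFC


def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body


def _der_int(n: int) -> bytes:
    """INTEGER (1..MAX): minimal two's-complement, leading 0x00 if needed."""
    if n < 1:
        raise ValueError("INTEGER must be in 1..MAX")
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if b[0] & 0x80:
        b = b"\x00" + b
    return _tlv(0x02, b)


def _der_oid(arcs) -> bytes:
    body = bytearray([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        enc = bytearray([a & 0x7F])
        a >>= 7
        while a:                      # base-128 with continuation bits
            enc.insert(0, 0x80 | (a & 0x7F))
            a >>= 7
        body += enc
    return _tlv(0x06, bytes(body))


def encode_pbkdf2_algid(salt: bytes, iteration_count: int,
                        key_length: Optional[int] = None) -> bytes:
    """AlgorithmIdentifier { id-PBKDF2, PBKDF2-params } with prf defaulted."""
    params = _tlv(0x04, salt) + _der_int(iteration_count)
    if key_length is not None:
        params += _der_int(key_length)
    return _tlv(0x30, _der_oid(ID_PBKDF2) + _tlv(0x30, params))


def _read(buf: bytes, pos: int):
    """Read one TLV at pos; returns (tag, body, position after it)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:end], end


def decode_pbkdf2_algid(der: bytes) -> dict:
    tag, body, end = _read(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected a single AlgorithmIdentifier SEQUENCE")
    tag, oid, pos = _read(body, 0)
    if tag != 0x06 or _tlv(0x06, oid) != _der_oid(ID_PBKDF2):
        raise ValueError("algorithm is not id-PBKDF2")
    tag, params, pos = _read(body, pos)
    if tag != 0x30 or pos != len(body):
        raise ValueError("expected PBKDF2-params")
    tag, salt, p = _read(params, 0)
    if tag != 0x04:
        raise ValueError("otherSource salt is reserved for a future version")
    tag, ic, p = _read(params, p)
    if tag != 0x02:
        raise ValueError("expected iterationCount")
    out = {"salt": salt, "iterationCount": int.from_bytes(ic, "big"),
           "keyLength": None, "prf": "hmacWithSHA1 (DEFAULT, absent)"}
    if not 1 <= out["iterationCount"] <= MAX_ITERATIONS:
        raise ValueError("iterationCount outside the implementation profile")
    while p < len(params):                      # optional keyLength, then prf
        tag, val, p = _read(params, p)
        if tag == 0x02 and out["keyLength"] is None and out["prf"].endswith("absent)"):
            out["keyLength"] = int.from_bytes(val, "big")
        elif tag == 0x30:
            out["prf"] = val                    # explicit prf AlgorithmIdentifier, kept raw
        else:
            raise ValueError("unexpected element in PBKDF2-params")
    return out


if __name__ == "__main__":
    der = encode_pbkdf2_algid(bytes(range(1, 9)), 1000, 16)   # constructed values
    print(der.hex())
    print(decode_pbkdf2_algid(der))
```

   A decoder should treat keyLength as a hint only: the RFC notes it is
   not cryptographically protected, so the value actually used for
   dkLen must be the one the underlying scheme requires, and a mismatch
   is worth rejecting rather than silently honouring.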