   Different object identifiers identify the PBES1 encryption scheme
   (Section 6.1) according to the underlying hash function in the key
   derivation function and the underlying block cipher, as summarized in
   the following table:

             Hash Function      Block Cipher           OID
             MD2                DES                    pkcs-5.1
             MD2                RC2                    pkcs-5.4
             MD5                DES                    pkcs-5.3
             MD5                RC2                    pkcs-5.6
             SHA-1              DES                    pkcs-5.10
             SHA-1              RC2                    pkcs-5.11

   pbeWithMD2AndDES-CBC OBJECT IDENTIFIER ::= {pkcs-5 1}
   pbeWithMD2AndRC2-CBC OBJECT IDENTIFIER ::= {pkcs-5 4}
   pbeWithMD5AndDES-CBC OBJECT IDENTIFIER ::= {pkcs-5 3}
   pbeWithMD5AndRC2-CBC OBJECT IDENTIFIER ::= {pkcs-5 6}
   pbeWithSHA1AndDES-CBC OBJECT IDENTIFIER ::= {pkcs-5 10}
   pbeWithSHA1AndRC2-CBC OBJECT IDENTIFIER ::= {pkcs-5 11}

   For each OID, the parameters field associated with the OID in an
   AlgorithmIdentifier shall have type PBEParameter:

   PBEParameter ::= SEQUENCE {
       salt OCTET STRING (SIZE(8)),
       iterationCount INTEGER }

   The fields of type PBEParameter have the following meanings:

   - salt specifies the salt value, an eight-octet string.

   - iterationCount specifies the iteration count.

A.4 PBES2

   The object identifier id-PBES2 identifies the PBES2 encryption scheme
   (Section 6.2).

   id-PBES2 OBJECT IDENTIFIER ::= {pkcs-5 13}

   The parameters field associated with this OID in an
   AlgorithmIdentifier shall have type PBES2-params:

   PBES2-params ::= SEQUENCE {
       keyDerivationFunc AlgorithmIdentifier {{PBES2-KDFs}},
       encryptionScheme AlgorithmIdentifier {{PBES2-Encs}} }

Kaliski                      Informational                     [Page 20]

RFC 2898                Password-Based Cryptography       September 2000

   The fields of type PBES2-params have the following meanings:

   - keyDerivationFunc identifies the underlying key derivation
     function. It shall be an algorithm ID with an OID in the set
     PBES2-KDFs, which for this version of PKCS #5 shall consist of
     id-PBKDF2 (Appendix A.2).

     PBES2-KDFs ALGORITHM-IDENTIFIER ::= {
         {PBKDF2-params IDENTIFIED BY id-PBKDF2}, ... }

   - encryptionScheme identifies the underlying encryption scheme.
     It shall be an algorithm ID with an OID in the set PBES2-Encs,
     whose definition is left to the application. Example underlying
     encryption schemes are given in Appendix B.2.

     PBES2-Encs ALGORITHM-IDENTIFIER ::= { ... }

A.5 PBMAC1

   The object identifier id-PBMAC1 identifies the PBMAC1 message
   authentication scheme (Section 7.1).

   id-PBMAC1 OBJECT IDENTIFIER ::= {pkcs-5 14}

   The parameters field associated with this OID in an
   AlgorithmIdentifier shall have type PBMAC1-params:

   PBMAC1-params ::= SEQUENCE {
       keyDerivationFunc AlgorithmIdentifier {{PBMAC1-KDFs}},
       messageAuthScheme AlgorithmIdentifier {{PBMAC1-MACs}} }

   The keyDerivationFunc field has the same meaning as the
   corresponding field of PBES2-params (Appendix A.4) except that the
   set of OIDs is PBMAC1-KDFs.

   PBMAC1-KDFs ALGORITHM-IDENTIFIER ::= {
       {PBKDF2-params IDENTIFIED BY id-PBKDF2}, ... }

   The messageAuthScheme field identifies the underlying message
   authentication scheme. It shall be an algorithm ID with an OID in
   the set PBMAC1-MACs, whose definition is left to the application.
   Example underlying message authentication schemes are given in
   Appendix B.3.

   PBMAC1-MACs ALGORITHM-IDENTIFIER ::= { ... }

B. Supporting Techniques

   This section gives several examples of underlying functions and
   schemes supporting the password-based schemes in Sections 5, 6 and
   7. While these supporting techniques are appropriate for
   applications to implement, none of them is required to be
   implemented. It is expected, however, that profiles for PKCS #5 will
   be developed that specify particular supporting techniques.

   This section also gives object identifiers for the supporting
   techniques.
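   As an added worked example (not text or code from RFC 2898), the
   following Python encodes and decodes the PBEParameter and PBES2-params
   structures of Appendix A with a small hand-written DER codec. It
   assumes values this page does not state: rsadsi = 1.2.840.113549,
   id-PBKDF2 = {pkcs-5 12}, and the Appendix A.2 layout of PBKDF2-params
   (salt OCTET STRING, iterationCount INTEGER, prf defaulting to
   HMAC-SHA-1 and therefore absent from the DER). Function and constant
   names are the example's own. The decoder illustrates the point of the
   {{PBES2-KDFs}} and {{PBES2-Encs}} object sets: the type of each
   parameters field is fixed by the OID beside it, so a parser must check
   the OID before interpreting the parameters and should reject OIDs it
   does not know.

```python
# Added example, not part of RFC 2898: a minimal DER codec for PBEParameter (A.3)
# and PBES2-params (A.4). Assumed, since this page does not state them: rsadsi =
# 1.2.840.113549, id-PBKDF2 = {pkcs-5 12}, and the A.2 layout of PBKDF2-params
# (salt OCTET STRING, iterationCount INTEGER, prf DEFAULT HMAC-SHA-1, omitted in DER).

PKCS5 = "1.2.840.113549.1.5"           # {rsadsi pkcs(1) pkcs-5(5)}
ID_PBKDF2 = PKCS5 + ".12"              # id-PBKDF2 (Appendix A.2)
DES_EDE3_CBC = "1.2.840.113549.3.7"    # {encryptionAlgorithm 7} (B.2.2)

def der_length(n):
    """Definite length: one octet below 128, else 0x80|count followed by count octets."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    return bytes([tag]) + der_length(len(body)) + body

def der_integer(n):
    """Non-negative INTEGER; the +8 yields a leading 0x00 whenever the top bit is set."""
    if n < 0: raise ValueError("only non-negative INTEGERs occur in these structures")
    return tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))

def der_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed into one octet, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body += bytes(reversed(chunk))
    return tlv(0x06, bytes(body))

def encode_pbe_parameter(salt, iteration_count):
    """PBEParameter ::= SEQUENCE { salt OCTET STRING (SIZE(8)), iterationCount INTEGER }."""
    if len(salt) != 8: raise ValueError("PBES1 salt must be exactly eight octets")
    return tlv(0x30, tlv(0x04, salt) + der_integer(iteration_count))

def encode_pbes2_params(salt, iteration_count, iv):
    """PBES2-params with keyDerivationFunc = id-PBKDF2 + PBKDF2-params and
    encryptionScheme = des-EDE3-CBC + its eight-octet IV parameter (B.2.2)."""
    if len(iv) != 8: raise ValueError("des-EDE3-CBC parameters are an eight-octet IV")
    kdf_params = tlv(0x30, tlv(0x04, salt) + der_integer(iteration_count))
    kdf = tlv(0x30, der_oid(ID_PBKDF2) + kdf_params)
    enc = tlv(0x30, der_oid(DES_EDE3_CBC) + tlv(0x04, iv))
    return tlv(0x30, kdf + enc)

def read_tlv(buf, pos):
    """(tag, body, next_pos) for the element at pos. Definite lengths only; a
    production parser must also reject non-minimal length encodings."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    length = first
    if first >= 0x80:
        count = first & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    if pos + length > len(buf): raise ValueError("truncated element")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def read_algorithm_identifier(buf, pos):
    """AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters ANY } -> (oid, params, end)."""
    tag, body, end = read_tlv(buf, pos)
    if tag != 0x30: raise ValueError("AlgorithmIdentifier must be a SEQUENCE")
    tag, oid_body, p = read_tlv(body, 0)
    if tag != 0x06: raise ValueError("AlgorithmIdentifier must begin with an OBJECT IDENTIFIER")
    return decode_oid(oid_body), body[p:], end

def decode_pbes2_params(der):
    """Parse PBES2-params. Each parameters field's type is dictated by the OID
    next to it, so an OID outside the supported sets is rejected, never guessed."""
    tag, body, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der): raise ValueError("PBES2-params must be a single SEQUENCE")
    kdf_oid, kdf_params, pos = read_algorithm_identifier(body, 0)
    enc_oid, enc_params, pos = read_algorithm_identifier(body, pos)
    if pos != len(body): raise ValueError("trailing data after encryptionScheme")
    if kdf_oid != ID_PBKDF2: raise ValueError("keyDerivationFunc is not in PBES2-KDFs: " + kdf_oid)
    if enc_oid != DES_EDE3_CBC: raise ValueError("encryptionScheme not supported here: " + enc_oid)
    tag, kdf_body, end = read_tlv(kdf_params, 0)
    if tag != 0x30 or end != len(kdf_params): raise ValueError("PBKDF2-params must be a SEQUENCE")
    tag_s, salt, p = read_tlv(kdf_body, 0)   # salt, specified OCTET STRING form
    tag_c, count, p = read_tlv(kdf_body, p)  # iterationCount; optional fields after it are ignored
    if tag_s != 0x04 or tag_c != 0x02:
        raise ValueError("PBKDF2-params: expected OCTET STRING salt and INTEGER iterationCount")
    tag, iv, end = read_tlv(enc_params, 0)
    if tag != 0x04 or len(iv) != 8 or end != len(enc_params):
        raise ValueError("des-EDE3-CBC parameters must be a single eight-octet IV")
    return {"salt": bytes(salt), "iterationCount": int.from_bytes(count, "big"),
            "encryptionScheme": enc_oid, "iv": bytes(iv)}
```

   encode_pbes2_params(bytes(8), 1000, iv) produces a 53-octet SEQUENCE
   whose two inner AlgorithmIdentifiers carry the well-known prefix
   06 09 2A 86 48 86 F7 0D 01 05 for the pkcs-5 arc; decode_pbes2_params
   round-trips it and raises ValueError if, for instance, the
   keyDerivationFunc OID is changed to id-PBES2.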
   The object identifiers digestAlgorithm and encryptionAlgorithm
   identify the arcs from which certain algorithm OIDs referenced in
   this section are derived:

   digestAlgorithm OBJECT IDENTIFIER ::= {rsadsi 2}
   encryptionAlgorithm OBJECT IDENTIFIER ::= {rsadsi 3}

B.1 Pseudorandom functions

   An example pseudorandom function for PBKDF2 (Section 5.2) is
   HMAC-SHA-1.

B.1.1 HMAC-SHA-1

   HMAC-SHA-1 is the pseudorandom function corresponding to the HMAC
   message authentication code [7] based on the SHA-1 hash function
   [18]. The pseudorandom function is the same function by which the
   message authentication code is computed, with a full-length output.
   (The first argument to the pseudorandom function PRF serves as
   HMAC's "key," and the second serves as HMAC's "text." In the case of
   PBKDF2, the "key" is thus the password and the "text" is the salt.)
   HMAC-SHA-1 has a variable key length and a 20-octet (160-bit) output
   value.

   Although the length of the key to HMAC-SHA-1 is essentially
   unbounded, the effective search space for pseudorandom function
   outputs may be limited by the structure of the function. In
   particular, when the key is longer than 512 bits, HMAC-SHA-1 will
   first hash it to 160 bits. Thus, even if a long derived key
   consisting of several pseudorandom function outputs is produced from
   a key, the effective search space for the derived key will be at
   most 160 bits. Although the specific limitation for other key sizes
   depends on details of the HMAC construction, one should assume, to
   be conservative, that the effective search space is limited to 160
   bits for other key sizes as well.

   (The 160-bit limitation should not generally pose a practical
   limitation in the case of password-based cryptography, since the
   search space for a password is unlikely to be greater than 160
   bits.)
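   The following Python, added here as an example and not taken from the
   RFC, implements PBKDF2 over HMAC-SHA-1 with the password as HMAC's
   "key" and the salt as HMAC's "text", then shows the 160-bit limitation
   concretely: a password longer than 512 bits and its 20-octet SHA-1
   digest derive exactly the same key. The PBKDF2 block structure
   (U_1 = PRF(P, S || INT(i)), U_j = PRF(P, U_{j-1}),
   T_i = U_1 xor ... xor U_c) is taken from Section 5.2 of the RFC, which
   is not on this page; the function names are the example's own, and
   the known-answer values asserted on come from RFC 6070.

```python
# Added example, not from RFC 2898: HMAC-SHA-1 as the PBKDF2 PRF, and the 160-bit
# effective search space of B.1.1. The PBKDF2 block structure below is from
# Section 5.2 of the RFC (not on this page); names are this example's own.
import hashlib
import hmac

SHA1_BLOCK_OCTETS = 64  # 512 bits: HMAC-SHA-1 first hashes any longer key to 20 octets


def prf(key, text):
    """HMAC-SHA-1 with full-length output, i.e. PBKDF2's PRF(key, text)."""
    return hmac.new(key, text, hashlib.sha1).digest()


def pbkdf2_hmac_sha1(password, salt, c, dk_len):
    """PBKDF2: the password is HMAC's key, the salt (plus block index) is its text."""
    if c < 1:
        raise ValueError("iteration count must be at least 1")
    dk = b""
    for i in range(1, -(-dk_len // 20) + 1):            # ceil(dkLen / hLen) blocks
        u = prf(password, salt + i.to_bytes(4, "big"))   # U_1 = PRF(P, S || INT(i))
        t = u
        for _ in range(c - 1):                            # U_2 .. U_c, xor-accumulated into T_i
            u = prf(password, u)
            t = bytes(a ^ b for a, b in zip(t, u))
        dk += t
    return dk[:dk_len]


def effective_prf_key(password):
    """The key material HMAC-SHA-1 actually consumes: the password itself when it
    fits in one 64-octet block, otherwise SHA-1(password), i.e. at most 160 bits."""
    return hashlib.sha1(password).digest() if len(password) > SHA1_BLOCK_OCTETS else password


def long_password_collides(password, salt, c=1000, dk_len=32):
    """True when `password` and SHA-1(password) derive the same key; this is the
    case exactly for passwords longer than one SHA-1 block (512 bits)."""
    alt = hashlib.sha1(password).digest()
    return pbkdf2_hmac_sha1(password, salt, c, dk_len) == pbkdf2_hmac_sha1(alt, salt, c, dk_len)


if __name__ == "__main__":
    # Constructed inputs: RFC 6070's ("password", "salt", c=1, dkLen=20) vector
    # and two passwords straddling the 64-octet HMAC block boundary.
    print(pbkdf2_hmac_sha1(b"password", b"salt", 1, 20).hex())
    print(long_password_collides(b"p" * 65, b"salt"), long_password_collides(b"p" * 64, b"salt"))
```

   The collision is a property of HMAC's key handling, not a flaw in
   PBKDF2 itself; it only matters when a caller feeds HMAC-SHA-1 with
   more than 160 bits of genuine entropy, which, as the RFC observes, a
   human-chosen password does not.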
   The object identifier id-hmacWithSHA1 identifies the HMAC-SHA-1
   pseudorandom function:

   id-hmacWithSHA1 OBJECT IDENTIFIER ::= {digestAlgorithm 7}

   The parameters field associated with this OID in an
   AlgorithmIdentifier shall have type NULL. This object identifier is
   employed in the object set PBKDF2-PRFs (Appendix A.2).

   Note. Although HMAC-SHA-1 was designed as a message authentication
   code, its proof of security is readily modified to accommodate
   requirements for a pseudorandom function, under stronger
   assumptions.

   A hash function may also meet the requirements of a pseudorandom
   function under certain assumptions. For instance, the direct
   application of a hash function to the concatenation of the "key"
   and the "text" may be appropriate, provided that "text" has
   appropriate structure to prevent certain attacks. HMAC-SHA-1 is
   preferable, however, because it treats "key" and "text" as separate
   arguments and does not require "text" to have any structure.

B.2 Encryption Schemes

   Example encryption schemes for PBES2 (Section 6.2) are DES-CBC-Pad,
   DES-EDE3-CBC-Pad, RC2-CBC-Pad, and RC5-CBC-Pad.

   The object identifiers given in this section are intended to be
   employed in the object set PBES2-Encs (Appendix A.4).

B.2.1 DES-CBC-Pad

   DES-CBC-Pad is single-key DES [15] in CBC mode [16] with the RFC
   1423 padding operation (see Section 6.1.1). DES-CBC-Pad has an
   eight-octet encryption key and an eight-octet initialization vector.
   The key is considered as a 64-bit encoding of a 56-bit DES key with
   parity bits ignored.
   The object identifier desCBC (defined in the NIST/OSI Implementors'
   Workshop agreements) identifies the DES-CBC-Pad encryption scheme:

   desCBC OBJECT IDENTIFIER ::=
     {iso(1) identified-organization(3) oiw(14) secsig(3) algorithms(2) 7}

   The parameters field associated with this OID in an
   AlgorithmIdentifier shall have type OCTET STRING (SIZE(8)),
   specifying the initialization vector for CBC mode.

B.2.2 DES-EDE3-CBC-Pad

   DES-EDE3-CBC-Pad is three-key triple-DES in CBC mode [1] with the
   RFC 1423 padding operation. DES-EDE3-CBC-Pad has a 24-octet
   encryption key and an eight-octet initialization vector. The key is
   considered as the concatenation of three eight-octet keys, each of
   which is a 64-bit encoding of a 56-bit DES key with parity bits
   ignored.

   The object identifier des-EDE3-CBC identifies the DES-EDE3-CBC-Pad
   encryption scheme:

   des-EDE3-CBC OBJECT IDENTIFIER ::= {encryptionAlgorithm 7}

   The parameters field associated with this OID in an
   AlgorithmIdentifier shall have type OCTET STRING (SIZE(8)),
   specifying the initialization vector for CBC mode.

   Note. An OID for DES-EDE3-CBC without padding is given in ANSI X9.52
   [1]; the one given here is preferred since it specifies padding.

B.2.3 RC2-CBC-Pad

   RC2-CBC-Pad is the RC2(tm) encryption algorithm [21] in CBC mode
   with the RFC 1423 padding operation. RC2-CBC-Pad has a variable key
   length, from one to 128 octets, a separate "effective key bits"
   parameter from one to 1024 bits that limits the effective search
   space independent of the key length, and an eight-octet
   initialization vector.
   The object identifier rc2CBC identifies the RC2-CBC-Pad encryption
   scheme:

   rc2CBC OBJECT IDENTIFIER ::= {encryptionAlgorithm 2}

   The parameters field associated with this OID in an
   AlgorithmIdentifier shall have type RC2-CBC-Parameter:

   RC2-CBC-Parameter ::= SEQUENCE {
       rc2ParameterVersion INTEGER OPTIONAL,
       iv OCTET STRING (SIZE(8)) }

   The fields of type RC2-CBC-Parameter have the following meanings:

   - rc2ParameterVersion is a proprietary RSA Security Inc. encoding of
     the "effective key bits" for RC2. The following encodings are
     defined:

             Effective Key Bits         Encoding
             40                         160
             64                         120
             128                        58
             b >= 256                   b

     If the rc2ParameterVersion field is omitted, the "effective key
     bits" defaults to 32. (This is for backward compatibility with
     certain very old implementations.)

   - iv is the eight-octet initialization vector.

B.2.4 RC5-CBC-Pad

   RC5-CBC-Pad is the RC5(tm) encryption algorithm [20] in CBC mode
   with a generalization of the RFC 1423 padding operation. This scheme
   is fully specified in [2]. RC5-CBC-Pad has a variable key length,
   from 0 to 256 octets, and supports both a 64-bit block size and a
   128-bit block size. For the former, it has an eight-octet
   initialization vector, and for the latter, a 16-octet initialization
   vector. RC5-CBC-Pad also has a variable number of "rounds" in the
   encryption operation, from 8 to 127.

   Note: The generalization of the padding operation is as follows. For
   RC5 with a 64-bit block size, the padding string is as defined in
   RFC 1423. For RC5 with a 128-bit block size, the padding string
   consists of 16-(||M|| mod 16) octets each with value 16-(||M|| mod
   16).
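   An added example (not from the RFC) of the RFC 1423 padding operation
   shared by the *-CBC-Pad schemes of this section, generalized as in the
   note above, in Python: pad appends n octets each with value n, where
   n = block size - (||M|| mod block size), for the eight-octet DES, RC2
   and 64-bit RC5 block and the 16-octet 128-bit RC5 block; unpad accepts
   only a well-formed pad. The function names are the example's own.

```python
# Added example, not from RFC 2898: the RFC 1423 padding operation used by the
# DES/RC2/RC5 *-CBC-Pad schemes of B.2, generalized to the 16-octet RC5 block
# as described in the B.2.4 note. `pad`, `unpad` and `padding_is_valid` are
# names chosen for this example, not the RFC's.

BLOCK_SIZES = (8, 16)  # octets: DES, RC2, 64-bit RC5 use 8; 128-bit RC5 uses 16


def pad(message, block_octets):
    """Append n octets of value n, n = block_octets - (||M|| mod block_octets).
    n is always in 1..block_octets, so a message that already fills whole blocks
    still gains a full block of padding and the pad is always unambiguous."""
    if block_octets not in BLOCK_SIZES:
        raise ValueError("block size must be 8 or 16 octets for these schemes")
    n = block_octets - (len(message) % block_octets)
    return message + bytes([n]) * n


def unpad(padded, block_octets):
    """Strip the padding, accepting only a well-formed pad: the final octet n must
    lie in 1..block_octets and all n trailing octets must equal n."""
    if block_octets not in BLOCK_SIZES:
        raise ValueError("block size must be 8 or 16 octets for these schemes")
    if not padded or len(padded) % block_octets:
        raise ValueError("padded text length is not a multiple of the block size")
    n = padded[-1]
    if not 1 <= n <= block_octets or padded[-n:] != bytes([n]) * n:
        raise ValueError("malformed padding")
    return padded[:-n]


def padding_is_valid(padded, block_octets):
    """Yes/no form of the unpad check, for a decryptor that reports one uniform
    failure for bad padding and bad authentication alike rather than saying
    which check failed."""
    try:
        unpad(padded, block_octets)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed inputs: an empty message under the 16-octet RC5 block, and a
    # three-octet message under the 8-octet DES block.
    print(pad(b"", 16).hex())
    print(pad(b"abc", 8).hex(), unpad(pad(b"abc", 8), 8))
```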
   The object identifier rc5-CBC-PAD [2] identifies the RC5-CBC-Pad
   encryption scheme:

   rc5-CBC-PAD OBJECT IDENTIFIER ::= {encryptionAlgorithm 9}

   The parameters field associated with this OID in an
   AlgorithmIdentifier shall have type RC5-CBC-Parameters:

   RC5-CBC-Parameters ::= SEQUENCE {
       version INTEGER {v1-0(16)} (v1-0),
       rounds INTEGER (8..127),
       blockSizeInBits INTEGER (64 | 128),
       iv OCTET STRING OPTIONAL }

   The fields of type RC5-CBC-Parameters have the following meanings:

   - version is the version of the algorithm, which shall be v1-0.

   - rounds is the number of rounds in the encryption operation, which
     shall be between 8 and 127.

   - blockSizeInBits is the block size in bits, which shall be 64 or
     128.

   - iv is the initialization vector, an eight-octet string for 64-bit
     RC5 and a 16-octet string for 128-bit RC5. The default is a string
     of the appropriate length consisting of zero octets.

B.3 Message Authentication Schemes

   An example message authentication scheme for PBMAC1 (Section 7.1) is
   HMAC-SHA-1.

B.3.1 HMAC-SHA-1

   HMAC-SHA-1 is the HMAC message authentication scheme [7] based on the