| < draft-moriarty-pkcs5-v2dot1-01.txt | draft-moriarty-pkcs5-v2dot1-02.txt > | |||
|---|---|---|---|---|
| INTERNET-DRAFT K. Moriarty, Ed. | INTERNET-DRAFT K. Moriarty, Ed. | |||
| Intended Status: Informational EMC | Intended Status: Informational EMC | |||
| Obsoletes: 2898 (once approved) B. Kaliski | Obsoletes: 2898 (once approved) B. Kaliski | |||
| Expires: October 9, 2016 Verisign | Expires: March 9, 2017 Verisign | |||
| A. Rusch | A. Rusch | |||
| RSA | RSA | |||
| April 8, 2016 | September 2, 2016 | |||
| PKCS #5: Password-Based Cryptography Specification | PKCS #5: Password-Based Cryptography Specification | |||
| Version 2.1 | Version 2.1 | |||
| draft-moriarty-pkcs5-v2dot1-01 | draft-moriarty-pkcs5-v2dot1-02 | |||
| Abstract | Abstract | |||
| This document provides recommendations for the implementation of | This document provides recommendations for the implementation of | |||
| password-based cryptography, covering key derivation functions, | password-based cryptography, covering key derivation functions, | |||
| encryption schemes, message-authentication schemes, and ASN.1 syntax | encryption schemes, message-authentication schemes, and ASN.1 syntax | |||
| identifying the techniques. | identifying the techniques. | |||
| The recommendations are intended for general application within | The recommendations are intended for general application within | |||
| computer and communications systems, and as such include a fair | computer and communications systems, and as such include a fair | |||
| amount of flexibility. They are particularly intended for the | amount of flexibility. They are particularly intended for the | |||
| protection of sensitive information such as private keys, as in PKCS | protection of sensitive information such as private keys, as in PKCS | |||
| #8. It is expected that application standards and implementation | #8 [PKCS8][RFC5958]. It is expected that application standards and | |||
| profiles based on these specifications may include additional | implementation profiles based on these specifications may include | |||
| constraints. | additional constraints. | |||
| Other cryptographic techniques based on passwords, such as password- | Other cryptographic techniques based on passwords, such as password- | |||
| based-key entity authentication and key establishment protocols are | based key entity authentication and key establishment protocols are | |||
| outside the scope of this document. Guidelines for the selection of | outside the scope of this document. Guidelines for the selection of | |||
| passwords are also outside the scope. | passwords are also outside the scope. | |||
| This document represents a republication of PKCS #5 v2.1 from RSA | This document represents a republication of PKCS #5 v2.1 [PKCS5_21] | |||
| Laboratories' Public-Key Cryptography Standards (PKCS) series. By | from RSA Laboratories' Public-Key Cryptography Standards (PKCS) | |||
| publishing this RFC, change control is transferred to the IETF. | series. By publishing this RFC, change control is transferred to the | |||
| IETF. | ||||
| Status of this Memo | Status of this Memo | |||
| This Internet-Draft is submitted to IETF in full conformance with the | This Internet-Draft is submitted to IETF in full conformance with the | |||
| provisions of BCP 78 and BCP 79. | provisions of BCP 78 and BCP 79. | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF), its areas, and its working groups. Note that | Task Force (IETF), its areas, and its working groups. Note that | |||
| other groups may also distribute working documents as Internet- | other groups may also distribute working documents as Internet- | |||
| Drafts. | Drafts. | |||
| skipping to change at line 84 | skipping to change at line 85 | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 2. Notation . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 | 2. Notation . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 | |||
| 3. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 | 3. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 | |||
| 4. Salt and Iteration Count . . . . . . . . . . . . . . . . . . . 6 | 4. Salt and Iteration Count . . . . . . . . . . . . . . . . . . . 6 | |||
| 4.1. Salt . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 | 4.1. Salt . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 | |||
| 4.2. Iteration Count . . . . . . . . . . . . . . . . . . . . . . 8 | 4.2. Iteration Count . . . . . . . . . . . . . . . . . . . . . . 8 | |||
| 5. Key Derivation Functions . . . . . . . . . . . . . . . . . . . 8 | 5. Key Derivation Functions . . . . . . . . . . . . . . . . . . . 8 | |||
| 5.1. PBKDF1 . . . . . . . . . . . . . . . . . . . . . . . . . . 9 | 5.1. PBKDF1 . . . . . . . . . . . . . . . . . . . . . . . . . . 9 | |||
| 5.2. PBKDFs . . . . . . . . . . . . . . . . . . . . . . . . . . 10 | 5.2. PBKDF2 . . . . . . . . . . . . . . . . . . . . . . . . . . 10 | |||
| 6. Encryption Schemes . . . . . . . . . . . . . . . . . . . . . . 12 | 6. Encryption Schemes . . . . . . . . . . . . . . . . . . . . . . 12 | |||
| 6.1. PBES1 . . . . . . . . . . . . . . . . . . . . . . . . . . . 12 | 6.1. PBES1 . . . . . . . . . . . . . . . . . . . . . . . . . . . 12 | |||
| 6.1.1. PBES Encryption Operation . . . . . . . . . . . . . . . 12 | 6.1.1. PBES1 Encryption Operation . . . . . . . . . . . . . . 12 | |||
| 6.1.2. PBES1 Decryption Operation . . . . . . . . . . . . . . 13 | 6.1.2. PBES1 Decryption Operation . . . . . . . . . . . . . . 13 | |||
| 6.2. PBES2 . . . . . . . . . . . . . . . . . . . . . . . . . . . 14 | 6.2. PBES2 . . . . . . . . . . . . . . . . . . . . . . . . . . . 14 | |||
| 6.2.1. PBES2 Encryption Operation . . . . . . . . . . . . . . 14 | 6.2.1. PBES2 Encryption Operation . . . . . . . . . . . . . . 14 | |||
| 6.2.2. PBES2 Decryption Operation . . . . . . . . . . . . . . 15 | 6.2.2. PBES2 Decryption Operation . . . . . . . . . . . . . . 15 | |||
| 7. Message Authentication Schemes . . . . . . . . . . . . . . . . 16 | 7. Message Authentication Schemes . . . . . . . . . . . . . . . . 16 | |||
| 7.1. PBMAC1 . . . . . . . . . . . . . . . . . . . . . . . . . . 16 | 7.1. PBMAC1 . . . . . . . . . . . . . . . . . . . . . . . . . . 16 | |||
| 7.1.1 PBMAC1 Generation Operation . . . . . . . . . . . . . . 16 | 7.1.1 PBMAC1 Generation Operation . . . . . . . . . . . . . . 16 | |||
| 7.1.2. PBMAC1 Verification Operation . . . . . . . . . . . . . 17 | 7.1.2. PBMAC1 Verification Operation . . . . . . . . . . . . . 17 | |||
| 8. Security Considerations . . . . . . . . . . . . . . . . . . . . 17 | 8. Security Considerations . . . . . . . . . . . . . . . . . . . . 17 | |||
| 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 18 | 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 18 | |||
| skipping to change at line 148 | skipping to change at line 149 | |||
| protection of sensitive information such as private keys as in PKCS | protection of sensitive information such as private keys as in PKCS | |||
| #8 [PKCS8][RFC5958]. It is expected that application standards and | #8 [PKCS8][RFC5958]. It is expected that application standards and | |||
| implementation profiles based on these specifications may include | implementation profiles based on these specifications may include | |||
| additional constraints. | additional constraints. | |||
| Other cryptographic techniques based on passwords, such as password- | Other cryptographic techniques based on passwords, such as password- | |||
| based key entity authentication and key establishment protocols | based key entity authentication and key establishment protocols | |||
| [BELLOV][JABLON][WU] are outside the scope of this document. | [BELLOV][JABLON][WU] are outside the scope of this document. | |||
| Guidelines for the selection of passwords are also outside the scope. | Guidelines for the selection of passwords are also outside the scope. | |||
| This document supersedes PKCS #5 version 2.0 [RFC2898], but includes | This document supersedes PKCS #5 version 2.0 [RFC2898], but includes | |||
| compatibletechniques. | compatible techniques. | |||
| 2. Notation | 2. Notation | |||
| C ciphertext, an octet string | C ciphertext, an octet string | |||
| c iteration count, a positive integer | c iteration count, a positive integer | |||
| DK derived key, an octet string | DK derived key, an octet string | |||
| dkLen length in octets of derived key, a positive integer | dkLen length in octets of derived key, a positive integer | |||
| skipping to change at line 195 | skipping to change at line 196 | |||
| S salt, an octet string | S salt, an octet string | |||
| T message authentication code, an octet string | T message authentication code, an octet string | |||
| T_1, ..., T_l, U_1, ..., U_c | T_1, ..., T_l, U_1, ..., U_c | |||
| intermediate values, octet strings | intermediate values, octet strings | |||
| 01, 02, ..., 08 | 01, 02, ..., 08 | |||
| octets with value 1, 2, ..., 8 | octets with value 1, 2, ..., 8 | |||
| bit-wise exclusive-or of two octet strings | \xor bit-wise exclusive-or of two octet strings | |||
| || || octet length operator | || || octet length operator | |||
| || concatenation operator | || concatenation operator | |||
| <i..j> substring extraction operator: extracts octets i through j, | <i..j> substring extraction operator: extracts octets i through j, | |||
| 0 <= i <= j | 0 <= i <= j | |||
| 3. Overview | 3. Overview | |||
| skipping to change at line 441 | skipping to change at line 442 | |||
| PBKDF1 is recommended only for compatibility with existing | PBKDF1 is recommended only for compatibility with existing | |||
| applications since the keys it produces may not be large enough for | applications since the keys it produces may not be large enough for | |||
| some applications. | some applications. | |||
| PBKDF1 (P, S, c, dkLen) | PBKDF1 (P, S, c, dkLen) | |||
| Options: Hash underlying hash function | Options: Hash underlying hash function | |||
| Input: P password, an octet string | Input: P password, an octet string | |||
| S salt, an eight-octet string | S salt, an octet string | |||
| c iteration count, a positive integer | c iteration count, a positive integer | |||
| dkLen intended length in octets of derived key, | dkLen intended length in octets of derived key, | |||
| a positive integer, at most 16 for MD2 or | a positive integer, at most 16 for MD2 or | |||
| MD5 and 20 for SHA-1 | MD5 and 20 for SHA-1 | |||
| Output: DK derived key, a dkLen-octet string | Output: DK derived key, a dkLen-octet string | |||
| Steps: | Steps: | |||
| 1. If dkLen > 16 for MD2 and MD5, or dkLen > 20 for SHA-1, output | 1. If dkLen > 16 for MD2 and MD5, or dkLen > 20 for SHA-1, output | |||
| "derived key too long" and stop. | "derived key too long" and stop. | |||
| 2. Apply the underlying hash function Hash for c iterations to the | 2. Apply the underlying hash function Hash for c iterations to the | |||
| concatenation of the password P and the salt S, then extract | concatenation of the password P and the salt S, then extract | |||
| the first dkLen octets to produce a derived key DK: | the first dkLen octets to produce a derived key DK: | |||
| T_1 = Hash (P || S) , | T_1 = Hash (P || S) , | |||
| T_2 = Hash (T_1) , | T_2 = Hash (T_1) , | |||
| ... | ... | |||
| T_c = Hash (T_{c-1}) , | T_c = Hash (T_{c-1}) , | |||
| DK = Tc<0..dkLen-1> | DK = T_c<0..dkLen-1> | |||
| 3. Output the derived key DK. | 3. Output the derived key DK. | |||
| 5.2. PBKDFs | 5.2. PBKDF2 | |||
| PBKDF2 applies a pseudorandom function (see Appendix B.1 for an | PBKDF2 applies a pseudorandom function (see Appendix B.1 for an | |||
| example) to derive keys. The length of the derived key is essentially | example) to derive keys. The length of the derived key is essentially | |||
| unbounded. (However, the maximum effective search space for the | unbounded. (However, the maximum effective search space for the | |||
| derived key may be limited by the structure of the underlying | derived key may be limited by the structure of the underlying | |||
| pseudorandom function. See Appendix B.1 for further discussion.) | pseudorandom function. See Appendix B.1 for further discussion.) | |||
| PBKDF2 is recommended for new applications. | PBKDF2 is recommended for new applications. | |||
| PBKDF2 (P, S, c, dkLen) | PBKDF2 (P, S, c, dkLen) | |||
| skipping to change at line 518 | skipping to change at line 519 | |||
| T_1 = F (P, S, c, 1) , | T_1 = F (P, S, c, 1) , | |||
| T_2 = F (P, S, c, 2) , | T_2 = F (P, S, c, 2) , | |||
| ... | ... | |||
| T_l = F (P, S, c, l) , | T_l = F (P, S, c, l) , | |||
| where the function F is defined as the exclusive-or sum of the | where the function F is defined as the exclusive-or sum of the | |||
| first c iterates of the underlying pseudorandom function PRF | first c iterates of the underlying pseudorandom function PRF | |||
| applied to the password P and the concatenation of the salt S | applied to the password P and the concatenation of the salt S | |||
| and the block index i: | and the block index i: | |||
| F (P, S, c, i) = U_1 \xor U_2 \xor ... \xor U_c | ||||
| where | where | |||
| U_1 = PRF (P, S || INT (i)) , | U_1 = PRF (P, S || INT (i)) , | |||
| U_2 = PRF (P, U_1) , | U_2 = PRF (P, U_1) , | |||
| ... | ... | |||
| U_c = PRF (P, U_{c-1}) . | U_c = PRF (P, U_{c-1}) . | |||
| Here, INT (i) is a four-octet encoding of the integer i, most | Here, INT (i) is a four-octet encoding of the integer i, most | |||
| significant octet first. | significant octet first. | |||
| 4. Concatenate the blocks and extract the first dkLen octets to | 4. Concatenate the blocks and extract the first dkLen octets to | |||
| skipping to change at line 571 | skipping to change at line 574 | |||
| PBES1 combines the PBKDF1 function (Section 5.1) with an underlying | PBES1 combines the PBKDF1 function (Section 5.1) with an underlying | |||
| block cipher, which shall be either DES [NIST46] or RC2(tm) [RFC2268] | block cipher, which shall be either DES [NIST46] or RC2(tm) [RFC2268] | |||
| in CBC mode [NIST81]. PBES1 is compatible with the encryption scheme | in CBC mode [NIST81]. PBES1 is compatible with the encryption scheme | |||
| in PKCS #5 v1.5 [PKCS5_15]. | in PKCS #5 v1.5 [PKCS5_15]. | |||
| PBES1 is recommended only for compatibility with existing | PBES1 is recommended only for compatibility with existing | |||
| applications, since it supports only two underlying encryption | applications, since it supports only two underlying encryption | |||
| schemes, each of which has a key size (56 or 64 bits) that may not be | schemes, each of which has a key size (56 or 64 bits) that may not be | |||
| large enough for some applications. | large enough for some applications. | |||
| 6.1.1. PBES Encryption Operation | 6.1.1. PBES1 Encryption Operation | |||
| The encryption operation for PBES1 consists of the following steps, | The encryption operation for PBES1 consists of the following steps, | |||
| which encrypt a message M under a password P to produce a ciphertext | which encrypt a message M under a password P to produce a ciphertext | |||
| C: | C: | |||
| 1. Select an eight-octet salt S and an iteration count c, as | 1. Select an eight-octet salt S and an iteration count c, as | |||
| outlined in Section 4. | outlined in Section 4. | |||
| 2. Apply the PBKDF1 key derivation function (Section 5.1) to the | 2. Apply the PBKDF1 key derivation function (Section 5.1) to the | |||
| password P, the salt S, and the iteration count c to produce at | password P, the salt S, and the iteration count c to produce at | |||
| skipping to change at line 1680 | skipping to change at line 1683 | |||
| [NISTSP132] | [NISTSP132] | |||
| National Institute of Standards and Technology (NIST). Special | National Institute of Standards and Technology (NIST). Special | |||
| Publication 800-132: Recommendation for Password - Based Key | Publication 800-132: Recommendation for Password - Based Key | |||
| Derivation, Part 1: Storage Applications. December 2010. | Derivation, Part 1: Storage Applications. December 2010. | |||
| [PKCS5_15] | [PKCS5_15] | |||
| RSA Laboratories. PKCS #5: Password-Based Encryption Standard | RSA Laboratories. PKCS #5: Password-Based Encryption Standard | |||
| Version 1.5, November 1993. | Version 1.5, November 1993. | |||
| [PKCS5_21] | ||||
| RSA Laboratories. PKCS #5: Password-Based Encryption Standard | ||||
| Version 2.1, October 2012. | ||||
| [PKCS8] | [PKCS8] | |||
| RSA Laboratories. "PKCS #8: Private-Key Information Syntax | RSA Laboratories. "PKCS #8: Private-Key Information Syntax | |||
| Standard Version 1.2", RFC 5208, May 2008. | Standard Version 1.2", RFC 5208, May 2008. | |||
| [RBLOCK1] | [RBLOCK1] | |||
| R.L. Rivest. Block-Encryption Algorithm with Data-Dependent | R.L. Rivest. Block-Encryption Algorithm with Data-Dependent | |||
| Rotations. U.S. Patent No. 5,724,428, March 3, 1998. | Rotations. U.S. Patent No. 5,724,428, March 3, 1998. | |||
| [RBLOCK2] | [RBLOCK2] | |||
| R.L. Rivest. Block Encryption Algorithm with Data-Dependent | R.L. Rivest. Block Encryption Algorithm with Data-Dependent | |||
| End of changes. 16 change blocks. | ||||
| 18 lines changed or deleted | 25 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/
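The two key derivation functions whose definitions appear in the diff above (PBKDF1 in Section 5.1, and PBKDF2 with its F(P, S, c, i) = U_1 \xor ... \xor U_c block function in Section 5.2) are written out here as an added example; this is not code from the draft. It assumes hashlib names for the hash and PRF, with PRF = HMAC as in the draft's Appendix B.1, and includes a cross-check against the standard library for multi-block output lengths.

```python
import hashlib
import hmac
import math

# Added example (not from the draft): PBKDF1 (Section 5.1) and PBKDF2 (Section 5.2)
# written directly from the definitions on this page. Hash and PRF are named by
# their hashlib names (an assumption of this example); PRF is HMAC-<hash>.

def pbkdf1(password: bytes, salt: bytes, c: int, dk_len: int, hash_name: str = "sha1") -> bytes:
    """T_1 = Hash(P || S), T_i = Hash(T_{i-1}), DK = T_c<0..dkLen-1>."""
    h_len = hashlib.new(hash_name).digest_size   # 16 for MD5, 20 for SHA-1
    if c < 1 or dk_len < 1:
        raise ValueError("c and dkLen must be positive integers")
    if dk_len > h_len:                           # step 1 of Section 5.1
        raise ValueError("derived key too long")
    t = hashlib.new(hash_name, password + salt).digest()
    for _ in range(c - 1):
        t = hashlib.new(hash_name, t).digest()
    return t[:dk_len]

def _int(i: int) -> bytes:
    """INT(i): four-octet encoding of i, most significant octet first."""
    return i.to_bytes(4, "big")

def _f(prf_name: str, password: bytes, salt: bytes, c: int, i: int) -> bytes:
    """F(P, S, c, i) = U_1 xor U_2 xor ... xor U_c where
    U_1 = PRF(P, S || INT(i)) and U_j = PRF(P, U_{j-1})."""
    u = hmac.new(password, salt + _int(i), prf_name).digest()
    acc = bytearray(u)
    for _ in range(c - 1):
        u = hmac.new(password, u, prf_name).digest()
        for k, octet in enumerate(u):
            acc[k] ^= octet
    return bytes(acc)

def pbkdf2(password: bytes, salt: bytes, c: int, dk_len: int, prf_name: str = "sha1") -> bytes:
    """T_i = F(P, S, c, i) for i = 1..l; DK = (T_1 || ... || T_l)<0..dkLen-1>."""
    h_len = hashlib.new(prf_name).digest_size    # hLen, the PRF output length
    if c < 1 or dk_len < 1:
        raise ValueError("c and dkLen must be positive integers")
    if dk_len > (2**32 - 1) * h_len:             # INT(i) cannot exceed four octets
        raise ValueError("derived key too long")
    n_blocks = math.ceil(dk_len / h_len)         # l, the number of hLen-octet blocks
    blocks = b"".join(_f(prf_name, password, salt, c, i) for i in range(1, n_blocks + 1))
    return blocks[:dk_len]

def matches_stdlib(password: bytes, salt: bytes, c: int, dk_len: int) -> bool:
    """Cross-check against hashlib.pbkdf2_hmac (HMAC-SHA-1); useful for dkLen > hLen."""
    return pbkdf2(password, salt, c, dk_len) == hashlib.pbkdf2_hmac("sha1", password, salt, c, dk_len)
```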