Network Working Group                                    E. Karelina, Ed.
Internet-Draft                                                   InfoTeCS
Intended status: Informational                             April 30, 2021
Expires: November 1, 2021


                      Password-based key protection
                           draft-pkcs5-gost-00

Abstract

   This document supplements [RFC8018].  It specifies how the
   cryptographic algorithms defined by the Russian national standards
   are used to generate a common key in password-based schemes.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on November 1, 2021.

Copyright Notice

   Copyright (c) 2021 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Conventions Used in This Document
   3.  Basic Terms and Definitions
   4.  Algorithm for generating a key from a password
   5.  Data encryption
     5.1.  GOST 28147-89 data encryption
       5.1.1.  Encryption
       5.1.2.  Decryption
     5.2.  GOST R 34.12-2015 data encryption
       5.2.1.  Encryption
       5.2.2.  Decryption
   6.  Message Authentication
     6.1.  The MAC generation
     6.2.  The MAC verification
   7.  Security Considerations
   8.  Normative References
   Appendix A.  Identifiers and parameters
     A.1.  PBKDF2
     A.2.  PBES2
     A.3.  Identifier and parameters of the GOST 28147-89 encryption
           scheme
     A.4.  Identifier and parameters of the GOST R 34.12-2015
           encryption scheme
     A.5.  PBMAC1
   Appendix B.  PBKDF2 HMAC_GOSTR3411 Test Vectors
   Appendix C.  Acknowledgments
   Author's Address

1.  Introduction

   This document supplements [RFC8018].  It gives recommendations for
   information systems that implement the GOST 28147-89 and GOST R
   34.12-2015 encryption algorithms and the GOST R 34.11-2012 hash
   function in public and corporate networks to protect non-state
   information.  The GOST 28147-89 encryption algorithm is kept in
   these mechanisms only for compatibility with existing
   implementations.
   The methods described in these recommendations are designed to
   generate key information from the user's password and to protect
   information using the generated keys.

2.  Conventions Used in This Document

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in BCP
   14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.

3.  Basic Terms and Definitions

   Throughout this document, the following notations are used:

   P            a password in Unicode UTF-8

   S            a random initializing value (the salt)

   c            the number of iterations of the algorithm, a positive
                integer

   dkLen        the length in bytes of the derived key, a positive
                integer

   DK           a derived key of length dkLen

   B_n          the set of all byte row vectors of length n, n >= 0;
                if n = 0, the set B_n consists of the single empty
                string of length 0

   A||C         the concatenation of two byte strings A, C, i.e., a
                vector from B_(|A|+|C|) whose left subvector from
                B_(|A|) is equal to the vector A and whose right
                subvector from B_(|C|) is equal to the vector C

   \xor         the bit-wise exclusive-or of two byte strings of the
                same length

   R^n_r: B_n -> B_r
                truncation of a byte string of length n to length r
                by removing the least significant n-r bytes

   Int(i)       the four-byte encoding of the integer i =< 2^32:
                (i_1, i_2, i_3, i_4) \in B_4, i = i_1 + 2^8 * i_2 +
                2^16 * i_3 + 2^24 * i_4

   b[i, j]      the substring extraction operator: extracts bytes i
                through j, 0 =< i =< j.

   CEIL(x)      the smallest integer greater than, or equal to, x

   This document uses the following abbreviations and symbols:

   HMAC_GOSTR3411
                Hash-based Message Authentication Code.  A function
                for calculating a message authentication code, based
                on the GOST R 34.11-2012 hash function with 512-bit
                output, in accordance with [RFC2104].

4.  Algorithm for generating a key from a password

   The key DK is calculated with the diversification function
   PBKDF2(P, S, c, dkLen), using the HMAC_GOSTR3411 function as the
   pseudo-random function PRF:

      DK = PBKDF2(P, S, c, dkLen).

   The diversification function is calculated using the following
   algorithm:

   1.  If dkLen > (2^32 - 1) * 64, output "derived key too long" and
       stop.

   2.  Calculate n = CEIL(dkLen / 64).

   3.  Calculate the following values for each i from 1 to n:

          U_1(i) = HMAC_GOSTR3411(P, S || Int(i))

          U_2(i) = HMAC_GOSTR3411(P, U_1(i))

          ...

          U_c(i) = HMAC_GOSTR3411(P, U_{c-1}(i))

          T(i) = U_1(i) \xor U_2(i) \xor ... \xor U_c(i)

   4.  Concatenate the byte strings T(i) and extract the first dkLen
       bytes to produce the derived key DK:

          DK = R^{n * 64}_dkLen(T(1) || T(2) || ... || T(n))

5.  Data encryption

5.1.  GOST 28147-89 data encryption

   Data encryption using the key DK is carried out in accordance with
   the PBES2 scheme (see [RFC8018], Section 6.2) using GOST 28147-89 in
   Cipher Feedback (CFB) mode (see [RFC5830]).

5.1.1.  Encryption

   The encryption process for PBES2 consists of the following steps:

   1.  Select the random value S of length from 8 to 32 bytes.  The
       recommended length is 32 bytes.

   2.  Select the iteration count c depending on the conditions of use.
       The minimum allowable value for this parameter is 1000; the
       recommended value is 2000.

   3.  Set the value dkLen = 32.

   4.  Apply the key derivation function to the password P, the salt S
       and the iteration count c to produce a derived key DK of length
       dkLen bytes in accordance with the algorithm from Section 4.
       Generate the sequence T(1) and truncate it to 32 bytes, i.e.,
       DK = PBKDF2(P, S, c, 32) = R^64_32(T(1)).

   5.  Select the random value S' of length 8 bytes.

   6.  Encrypt the message M with the GOST 28147-89 algorithm in CFB
       mode under the derived key DK and the random value S' to produce
       a ciphertext C.

   7.  Save the parameters S, S', c as algorithm parameters in
       accordance with Appendix A.

5.1.2.  Decryption

   The decryption process for PBES2 consists of the following steps:

   1.  Set the value dkLen = 32.

   2.  Apply the key derivation function to the password P, the salt S
       and the iteration count c to produce a derived key DK of length
       dkLen bytes in accordance with the algorithm from Section 4.
       Generate the sequence T(1) and truncate it to 32 bytes, i.e.,

          DK = PBKDF2(P, S, c, 32) = R^64_32(T(1)).

   3.  Decrypt the ciphertext C with the GOST 28147-89 algorithm in CFB
       mode under the derived key DK and the random value S' to produce
       the message M.

5.2.  GOST R 34.12-2015 data encryption

   Data encryption using the key DK is carried out in accordance with
   the PBES2 scheme (see [RFC8018], Section 6.2) using GOST R 34.12-2015
   in CTR_ACPKM mode (see [RFC8645]).

5.2.1.  Encryption

   The encryption process for PBES2 consists of the following steps:

   1.  Select the random value S of length from 8 to 32 bytes.  The
       recommended length is 32 bytes.

   2.  Select the iteration count c depending on the conditions of use.
       The minimum allowable value for this parameter is 1000; the
       recommended value is 2000.

   3.  Set the value dkLen = 32.

   4.  Apply the key derivation function to the password P, the salt S
       and the iteration count c to produce a derived key DK of length
       dkLen bytes in accordance with the algorithm from Section 4.
       Generate the sequence T(1) and truncate it to 32 bytes, i.e.,

          DK = PBKDF2(P, S, c, 32) = R^64_32(T(1)).

   5.  Generate the value ukm of size n, where n is 12 or 16 bytes,
       depending on the selected encryption algorithm:

          GOST R 34.12-2015 "Kuznyechik"   n = 16  (see [RFC7801])

          GOST R 34.12-2015 "Magma"        n = 12  (see [RFC8891])

   6.  Set the value S' = ukm[1..n-8].

   7.  For the id-gostr3412-2015-magma-ctracpkm and
       id-gostr3412-2015-kuznyechik-ctracpkm algorithms (see
       Appendix A.4), encrypt the message M with the GOST R 34.12-2015
       algorithm under the derived key DK and the random value S' to
       produce a ciphertext C.

   8.  For the id-gostr3412-2015-magma-ctracpkm-omac and
       id-gostr3412-2015-kuznyechik-ctracpkm-omac algorithms (see
       Appendix A.4), encrypt the message M with the GOST R 34.12-2015
       algorithm under the derived key DK and the ukm in accordance
       with the following steps:

       -  Generate two keys from the derived key DK using the
          KDF_TREE_GOSTR3411_2012_256 algorithm (see [RFC7836]):

             encryption key K(1)

             MAC key K(2).

          The input parameters of the KDF_TREE_GOSTR3411_2012_256
          algorithm take the following values:

             K_in = DK

             label = "kdf tree"

             seed = ukm[n-7..n]

             R = 1

       -  Compute the MAC for the message M using the key K(2).
          Append the computed MAC value to the end of the message M.

       -  Encrypt the resulting byte string (message with MAC) with
          the GOST R 34.12-2015 algorithm under the key K(1) and the
          random value S' to produce a ciphertext C.

   9.  Save the parameters S, c, ukm as algorithm parameters in
       accordance with Appendix A.

5.2.2.  Decryption

   The decryption process for PBES2 consists of the following steps:

   1.  Set the value dkLen = 32.

   2.  Apply the key derivation function to the password P, the salt S
       and the iteration count c to produce a derived key DK of length
       dkLen bytes in accordance with the algorithm from Section 4.
       Generate the sequence T(1) and truncate it to 32 bytes, i.e.,
       DK = PBKDF2(P, S, c, 32) = R^64_32(T(1)).

   3.  Set the value S' = ukm[1..n-8], where n is the size of ukm in
       bytes.

   4.  For the id-gostr3412-2015-magma-ctracpkm and
       id-gostr3412-2015-kuznyechik-ctracpkm algorithms (see
       Appendix A.4), decrypt the ciphertext C with the GOST R
       34.12-2015 algorithm under the derived key DK and the random
       value S' to produce the message M.

   5.  For the id-gostr3412-2015-magma-ctracpkm-omac and
       id-gostr3412-2015-kuznyechik-ctracpkm-omac algorithms (see
       Appendix A.4), decrypt the ciphertext C with the GOST R
       34.12-2015 algorithm under the derived key DK and the ukm in
       accordance with the following steps:

       -  Generate two keys from the derived key DK using the
          KDF_TREE_GOSTR3411_2012_256 algorithm:

             encryption key K(1)

             MAC key K(2).

          The input parameters of the KDF_TREE_GOSTR3411_2012_256
          algorithm take the following values:

             K_in = DK

             label = "kdf tree"

             seed = ukm[n-7..n]

             R = 1

       -  Decrypt the ciphertext C with the GOST R 34.12-2015 algorithm
          under the key K(1) and the random value S' to produce the
          text.  The last k bytes of the text are the MAC, where k
          depends on the selected encryption algorithm.

       -  Compute the MAC for text[1..m-k] using the key K(2), where m
          is the size of the text.

       -  Compare the original MAC and the computed MAC.  If the sizes
          or values do not match, the message has been corrupted.

6.  Message Authentication

   The PBMAC1 scheme is used for message authentication (see
   [RFC8018]).  This scheme is based on the HMAC_GOSTR3411 function
   with the key DK = PBKDF2(P, S, c, 32).

6.1.  The MAC generation

   The MAC generation operation for PBMAC1 consists of the following
   steps:

   1.  Select the random value S of length from 8 to 32 bytes.  The
       recommended length is 32 bytes.

   2.  Select the iteration count c depending on the conditions of use.
       The minimum allowable value for this parameter is 1000; the
       recommended value is 2000.

   3.  Set dkLen to at least 32 bytes.  The value depends on the
       selected key generation scheme.

   4.  Apply the key derivation function to the password P, the salt S
       and the iteration count c to produce a derived key DK of length
       dkLen bytes in accordance with the algorithm from Section 4.
       Generate the sequence T(1) and truncate it to 32 bytes, i.e.,
       DK = PBKDF2(P, S, c, 32) = R^64_32(T(1)).

   5.  Process the message M with the underlying message authentication
       scheme under the derived key DK to generate a message
       authentication code T.

   6.  Save the parameters S, c, ukm as algorithm parameters in
       accordance with Appendix A.

6.2.  The MAC verification

   The MAC verification operation for PBMAC1 consists of the following
   steps:

   1.  Set dkLen to at least 32 bytes.  The value depends on the
       selected key generation scheme.

   2.  Apply the key derivation function to the password P, the salt S
       and the iteration count c to produce a derived key DK of length
       dkLen bytes in accordance with the algorithm from Section 4.
       Generate the sequence T(1) and truncate it to 32 bytes, i.e.,
       DK = PBKDF2(P, S, c, 32) = R^64_32(T(1)).

   3.  Process the message M with the underlying message authentication
       scheme under the derived key DK to generate a message
       authentication code T'.

   4.  Compare the original message authentication code T and the
       computed message authentication code T'.  If the sizes or
       values do not match, the message has been corrupted.

7.  Security Considerations

   The focus of this document is security; hence security considerations
   permeate this specification.

8.  Normative References

   [RFC2104]  Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed-
              Hashing for Message Authentication", RFC 2104,
              DOI 10.17487/RFC2104, February 1997.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997.
   [RFC5830]  Dolmatov, V., Ed., "GOST 28147-89: Encryption, Decryption,
              and Message Authentication Code (MAC) Algorithms",
              RFC 5830, DOI 10.17487/RFC5830, March 2010.

   [RFC6070]  Josefsson, S., "PKCS #5: Password-Based Key Derivation
              Function 2 (PBKDF2) Test Vectors", RFC 6070,
              DOI 10.17487/RFC6070, January 2011.

   [RFC7801]  Dolmatov, V., Ed., "GOST R 34.12-2015: Block Cipher
              "Kuznyechik"", RFC 7801, DOI 10.17487/RFC7801, March 2016.

   [RFC7836]  Smyshlyaev, S., Ed., Alekseev, E., Oshkin, I., Popov, V.,
              Leontiev, S., Podobaev, V., and D. Belyavsky, "Guidelines
              on the Cryptographic Algorithms to Accompany the Usage of
              Standards GOST R 34.10-2012 and GOST R 34.11-2012",
              RFC 7836, DOI 10.17487/RFC7836, March 2016.

   [RFC8018]  Moriarty, K., Ed., Kaliski, B., and A. Rusch, "PKCS #5:
              Password-Based Cryptography Specification Version 2.1",
              RFC 8018, DOI 10.17487/RFC8018, January 2017.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017.

   [RFC8645]  Smyshlyaev, S., Ed., "Re-keying Mechanisms for Symmetric
              Keys", RFC 8645, DOI 10.17487/RFC8645, August 2019.

   [RFC8891]  Dolmatov, V., Ed. and D. Baryshkov, "GOST R 34.12-2015:
              Block Cipher "Magma"", RFC 8891, DOI 10.17487/RFC8891,
              September 2020.

Appendix A.  Identifiers and parameters

   This section defines the ASN.1 syntax for the key derivation
   function, the encryption schemes, the message authentication scheme,
   and supporting techniques ([RFC8018]).

      rsadsi OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) 113549 }
      pkcs OBJECT IDENTIFIER ::= { rsadsi 1 }
      pkcs-5 OBJECT IDENTIFIER ::= { pkcs 5 }

A.1.  PBKDF2

   The object identifier id-PBKDF2 identifies the PBKDF2 key derivation
   function:

      id-PBKDF2 OBJECT IDENTIFIER ::= { pkcs-5 12 }

   The parameters field associated with this OID in an
   AlgorithmIdentifier shall have type PBKDF2-params:

      PBKDF2-params ::= SEQUENCE
      {
          salt CHOICE
          {
              specified OCTET STRING,
              otherSource AlgorithmIdentifier {{PBKDF2-SaltSources}}
          },
          iterationCount INTEGER (1000..MAX),
          keyLength INTEGER (32..MAX) OPTIONAL,
          prf AlgorithmIdentifier {{PBKDF2-PRFs}}
      }

   The fields of type PBKDF2-params have the following meanings:

   -  salt contains the random value S as an OCTET STRING.

   -  iterationCount specifies the iteration count c.

   -  keyLength is the length of the derived key in bytes.  This field
      is optional for the PBES2 scheme, since the key length is always
      32 bytes.  It must be present for the PBMAC1 scheme and must be
      at least 32 bytes, since the HMAC_GOSTR3411 function has a
      variable key size.

   -  prf identifies the pseudorandom function.  The identifier value
      must be id-tc26-hmac-gost-3411-12-512, and the parameters value
      must be NULL:

         id-tc26-hmac-gost-3411-12-512 OBJECT IDENTIFIER ::=
         {
             iso(1) member-body(2) ru(643) reg7(7)
             tk26(1) algorithms(1) hmac(4) 512(2)
         }

A.2.  PBES2

   The object identifier id-PBES2 identifies the PBES2 encryption
   scheme:

      id-PBES2 OBJECT IDENTIFIER ::= { pkcs-5 13 }

   The parameters field associated with this OID in an
   AlgorithmIdentifier shall have type PBES2-params:

      PBES2-params ::= SEQUENCE
      {
          keyDerivationFunc AlgorithmIdentifier { { PBES2-KDFs } },
          encryptionScheme AlgorithmIdentifier { { PBES2-Encs } }
      }

   The fields of type PBES2-params have the following meanings:

   -  keyDerivationFunc identifies the key derivation function in
      accordance with Appendix A.1.

   -  encryptionScheme identifies the encryption scheme in accordance
      with Appendix A.3 or Appendix A.4.

A.3.  Identifier and parameters of the GOST 28147-89 encryption scheme

   The GOST 28147-89 encryption algorithm identifier should take the
   following value:

      id-Gost28147-89 OBJECT IDENTIFIER ::=
      {
          iso(1) member-body(2) ru(643) rans(2)
          cryptopro(2) gost28147-89(21)
      }

   The parameters field associated with this OID in an
   AlgorithmIdentifier shall have type Gost28147-89-Parameters:

      Gost28147-89-Parameters ::= SEQUENCE
      {
          iv Gost28147-89-IV,
          encryptionParamSet OBJECT IDENTIFIER
      }
      Gost28147-89-IV ::= OCTET STRING (SIZE (8))

   The fields of type Gost28147-89-Parameters have the following
   meanings:

   -  iv contains the random value S' as an OCTET STRING.

   -  encryptionParamSet identifies the substitution block used for
      encryption.  For the PBES2 scheme it is recommended to use the
      set of substitutions described in [RFC7836].  The OID of this
      block is:

         id-tc26-gost-28147-param-Z OBJECT IDENTIFIER ::=
         {
             iso(1) member-body(2) ru(643) rosstandart(7)
             tc26(1) constants(2) cipher(5) gost28147(1) paramZ(1)
         }

A.4.  Identifier and parameters of the GOST R 34.12-2015 encryption
      scheme

   The GOST R 34.12-2015 encryption algorithm identifier SHOULD take one
   of the following values:

      id-gostr3412-2015-magma-ctracpkm OBJECT IDENTIFIER ::=
      {
          iso(1) member-body(2) ru(643) rosstandart(7)
          tc26(1) algorithms(1) cipher(5)
          gostr3412-2015-magma(1) mode-ctracpkm(1)
      }

   When the id-gostr3412-2015-magma-ctracpkm identifier is used, the
   data is encrypted by the GOST R 34.12-2015 Magma cipher in CTR_ACPKM
   mode in accordance with [RFC8645].  The length of the gamma block s
   is 64 bits; the section size is fixed within a specific protocol
   based on the requirements of the system capacity and the key
   lifetime.
      id-gostr3412-2015-magma-ctracpkm-omac OBJECT IDENTIFIER ::=
      {
          iso(1) member-body(2) ru(643) rosstandart(7)
          tc26(1) algorithms(1) cipher(5)
          gostr3412-2015-magma(1) mode-ctracpkm-omac(2)
      }

   When the id-gostr3412-2015-magma-ctracpkm-omac identifier is used,
   the data is encrypted by the GOST R 34.12-2015 Magma cipher in
   CTR_ACPKM mode in accordance with [RFC8645], and the MAC is computed
   by the GOST R 34.12-2015 Magma cipher in MAC mode (the MAC size is
   64 bits).  The length of the gamma block s is 64 bits; the section
   size is fixed within a specific protocol based on the requirements
   of the system capacity and the key lifetime.

      id-gostr3412-2015-kuznyechik-ctracpkm OBJECT IDENTIFIER ::=
      {
          iso(1) member-body(2) ru(643) rosstandart(7)
          tc26(1) algorithms(1) cipher(5)
          gostr3412-2015-kuznyechik(2) mode-ctracpkm(1)
      }

   When the id-gostr3412-2015-kuznyechik-ctracpkm identifier is used,
   the data is encrypted by the GOST R 34.12-2015 Kuznyechik cipher in
   CTR_ACPKM mode in accordance with [RFC8645].  The length of the
   gamma block s is 128 bits; the section size is fixed within a
   specific protocol based on the requirements of the system capacity
   and the key lifetime.

      id-gostr3412-2015-kuznyechik-ctracpkm-omac OBJECT IDENTIFIER ::=
      {
          iso(1) member-body(2) ru(643) rosstandart(7)
          tc26(1) algorithms(1) cipher(5)
          gostr3412-2015-kuznyechik(2) mode-ctracpkm-omac(2)
      }

   When the id-gostr3412-2015-kuznyechik-ctracpkm-omac identifier is
   used, the data is encrypted by the GOST R 34.12-2015 Kuznyechik
   cipher in CTR_ACPKM mode in accordance with [RFC8645], and the MAC
   is computed by the GOST R 34.12-2015 Kuznyechik cipher in MAC mode
   (the MAC size is 128 bits).  The length of the gamma block s is 128
   bits; the section size is fixed within a specific protocol based on
   the requirements of the system capacity and the key lifetime.
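   The scheme identifiers above, together with PBKDF2-params
   (Appendix A.1) and PBES2-params (Appendix A.2), are what an
   implementation has to serialize.  The following Python is an added
   illustration, not code from the draft or from any library: it
   DER-encodes those structures with a minimal encoder and refuses
   values outside the constraints the draft states (iterationCount
   below 1000, keyLength below 32, a salt outside 8 to 32 bytes, or a
   ukm whose length does not match the selected cipher).  The dotted
   OID strings are transcribed from Appendix A.

```python
# Added example (not the draft's or any library's code): DER-encode the
# AlgorithmIdentifier parameters of Appendix A and reject values outside
# the draft's constraints.  Only the DER primitives these structures need
# are implemented.


def _tlv(tag: int, body: bytes) -> bytes:
    """DER tag-length-value with definite-length encoding."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def der_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs merged, then base-128 per arc."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray()
    for v in [arcs[0] * 40 + arcs[1]] + arcs[2:]:
        enc = [v & 0x7F]
        v >>= 7
        while v:
            enc.append(0x80 | (v & 0x7F))
            v >>= 7
        body.extend(reversed(enc))
    return _tlv(0x06, bytes(body))

def der_int(v: int) -> bytes:
    """Non-negative INTEGER, minimal length with the sign bit clear."""
    return _tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))

def der_octets(b: bytes) -> bytes:
    return _tlv(0x04, b)

def der_seq(*parts: bytes) -> bytes:
    return _tlv(0x30, b"".join(parts))

DER_NULL = b"\x05\x00"

# Identifiers transcribed from Appendix A in dotted form.
ID_PBKDF2 = "1.2.840.113549.1.5.12"
ID_HMAC_GOST3411_12_512 = "1.2.643.7.1.1.4.2"
ID_MAGMA_CTRACPKM = "1.2.643.7.1.1.5.1.1"
ID_MAGMA_CTRACPKM_OMAC = "1.2.643.7.1.1.5.1.2"
ID_KUZNYECHIK_CTRACPKM = "1.2.643.7.1.1.5.2.1"
ID_KUZNYECHIK_CTRACPKM_OMAC = "1.2.643.7.1.1.5.2.2"
# ukm size n from Section 5.2.1: 12 bytes for Magma, 16 for Kuznyechik.
UKM_LEN = {ID_MAGMA_CTRACPKM: 12, ID_MAGMA_CTRACPKM_OMAC: 12,
           ID_KUZNYECHIK_CTRACPKM: 16, ID_KUZNYECHIK_CTRACPKM_OMAC: 16}


def pbkdf2_params(salt: bytes, c: int, key_length=None) -> bytes:
    """PBKDF2-params (A.1): salt as the 'specified' CHOICE, iterationCount
    (1000..MAX), optional keyLength (32..MAX), prf = HMAC_GOSTR3411 / NULL."""
    if not 8 <= len(salt) <= 32:
        raise ValueError("salt S must be 8 to 32 bytes (Section 5.1.1, step 1)")
    if c < 1000:
        raise ValueError("iterationCount below the minimum of 1000")
    if key_length is not None and key_length < 32:
        raise ValueError("keyLength must be at least 32")
    parts = [der_octets(salt), der_int(c)]
    if key_length is not None:
        parts.append(der_int(key_length))
    parts.append(der_seq(der_oid(ID_HMAC_GOST3411_12_512), DER_NULL))
    return der_seq(*parts)

def pbes2_params_gost3412(salt: bytes, c: int, scheme: str, ukm: bytes) -> bytes:
    """PBES2-params (A.2) for an A.4 scheme.  keyLength is omitted because
    PBES2 always derives 32 bytes; the scheme parameters carry only ukm."""
    if scheme not in UKM_LEN:
        raise ValueError("not a GOST R 34.12-2015 CTR_ACPKM scheme identifier")
    if len(ukm) != UKM_LEN[scheme]:
        raise ValueError(f"ukm must be {UKM_LEN[scheme]} bytes for this scheme")
    kdf = der_seq(der_oid(ID_PBKDF2), pbkdf2_params(salt, c))
    enc = der_seq(der_oid(scheme), der_seq(der_octets(ukm)))
    return der_seq(kdf, enc)

def pbmac1_params(salt: bytes, c: int, key_length: int = 32) -> bytes:
    """PBMAC1-params (A.5): keyLength is mandatory and at least 32 (A.1)."""
    kdf = der_seq(der_oid(ID_PBKDF2), pbkdf2_params(salt, c, key_length))
    return der_seq(kdf, der_seq(der_oid(ID_HMAC_GOST3411_12_512), DER_NULL))
```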
   The parameters field in an AlgorithmIdentifier shall have type
   Gost3412-15-Encryption-Parameters:

      Gost3412-15-Encryption-Parameters ::= SEQUENCE
      {
          ukm OCTET STRING
      }

   The field of type Gost3412-15-Encryption-Parameters has the
   following meaning:

   -  ukm must be present and must contain n bytes.  Its value depends
      on the selected encryption algorithm:

         GOST R 34.12-2015 "Kuznyechik"   n = 16  (see [RFC7801])

         GOST R 34.12-2015 "Magma"        n = 12  (see [RFC8891])

A.5.  PBMAC1

   The object identifier id-PBMAC1 identifies the PBMAC1 message
   authentication scheme:

      id-PBMAC1 OBJECT IDENTIFIER ::= { pkcs-5 14 }

   The parameters field associated with this OID in an
   AlgorithmIdentifier shall have type PBMAC1-params:

      PBMAC1-params ::= SEQUENCE
      {
          keyDerivationFunc AlgorithmIdentifier { { PBMAC1-KDFs } },
          messageAuthScheme AlgorithmIdentifier { { PBMAC1-MACs } }
      }

   The fields of type PBMAC1-params have the following meanings:

   -  keyDerivationFunc is the identifier and parameters of the key
      diversification function in accordance with Appendix A.1.

   -  messageAuthScheme is the identifier and parameters of the
      HMAC_GOSTR3411 algorithm.

Appendix B.  PBKDF2 HMAC_GOSTR3411 Test Vectors

   These test vectors are formed by analogy with the test vectors from
   [RFC6070].  The input strings below are encoded using ASCII.  The
   sequence "\0" (without quotation marks) means a literal ASCII NULL
   value (1 octet).  "DK" refers to the Derived Key.
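   As an added illustration, not code from the draft, the following
   Python implements the PBKDF2 iteration of Section 4 with the PRF
   passed in as a parameter, and the PBMAC1 tag generation and
   verification of Section 6 on top of it.  Python's standard library
   has no GOST R 34.11-2012, so the block is cross-checked against
   hashlib.pbkdf2_hmac with HMAC-SHA-512 (the same 64-byte output as
   HMAC_GOSTR3411); an HMAC over GOST R 34.11-2012 from a GOST library
   can be passed as prf to reproduce the vectors below.

```python
import hashlib
import hmac
import math
from typing import Callable

# A PRF maps (key, message) to a fixed-length MAC.  The draft's PRF is
# HMAC_GOSTR3411; HMAC-SHA-512 stands in here only because it is in the
# standard library and has the same 64-byte output length (hLen).
Prf = Callable[[bytes, bytes], bytes]


def hmac_sha512(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha512).digest()


def pbkdf2(prf: Prf, password: bytes, salt: bytes, c: int, dk_len: int,
           h_len: int = 64) -> bytes:
    """Steps 1-4 of Section 4 for a PRF with h_len-byte output."""
    if c < 1 or dk_len < 1:
        raise ValueError("c and dkLen must be positive integers")
    # Step 1: Int(i) is four bytes, so at most 2^32 - 1 blocks exist.
    if dk_len > (2**32 - 1) * h_len:
        raise ValueError("derived key too long")
    # Step 2: number of PRF output blocks needed.
    n = math.ceil(dk_len / h_len)
    blocks = []
    for i in range(1, n + 1):
        # Step 3: U_1(i) = PRF(P, S || Int(i)).  RFC 8018 encodes i as
        # four octets, most significant first, which hashlib implements.
        u = prf(password, salt + i.to_bytes(4, "big"))
        if len(u) != h_len:
            raise ValueError("PRF output length does not match h_len")
        t = bytearray(u)                      # T(i) accumulates the xor
        for _ in range(c - 1):
            u = prf(password, u)              # U_j(i) = PRF(P, U_{j-1}(i))
            for k in range(h_len):
                t[k] ^= u[k]
        blocks.append(bytes(t))
    # Step 4: keep the first dkLen bytes of T(1) || ... || T(n).
    return b"".join(blocks)[:dk_len]


def pbmac1_tag(prf: Prf, password: bytes, salt: bytes, c: int,
               message: bytes, dk_len: int = 32) -> bytes:
    """Section 6.1: DK = PBKDF2(P, S, c, dkLen), then T = PRF(DK, M)."""
    dk = pbkdf2(prf, password, salt, c, dk_len)
    return prf(dk, message)


def pbmac1_verify(prf: Prf, password: bytes, salt: bytes, c: int,
                  message: bytes, tag: bytes, dk_len: int = 32) -> bool:
    """Section 6.2: recompute T' and compare sizes and values."""
    expected = pbmac1_tag(prf, password, salt, c, message, dk_len)
    # compare_digest takes time independent of where the first mismatch is.
    return len(tag) == len(expected) and hmac.compare_digest(tag, expected)


def matches_hashlib(hash_name: str, password: bytes, salt: bytes,
                    c: int, dk_len: int) -> bool:
    """Cross-check pbkdf2() against the standard library for any hashlib
    digest; h_len is taken from the digest so sha1 (20) also works."""
    h_len = hashlib.new(hash_name).digest_size
    prf = lambda key, msg: hmac.new(key, msg, hash_name).digest()
    ours = pbkdf2(prf, password, salt, c, dk_len, h_len)
    return ours == hashlib.pbkdf2_hmac(hash_name, password, salt, c, dk_len)


if __name__ == "__main__":
    # Constructed inputs patterned on the Appendix B vectors.
    assert matches_hashlib("sha512", b"password", b"salt", 4096, 64)
    tag = pbmac1_tag(hmac_sha512, b"password", b"salt", 2000, b"message")
    assert pbmac1_verify(hmac_sha512, b"password", b"salt", 2000, b"message", tag)
    print("pbkdf2/pbmac1 ok")
```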
   Input:
     P = "password" (8 octets)
     S = "salt" (4 octets)
     c = 1
     dkLen = 64

   Output:
     DK = 64 77 0a f7 f7 48 c3 b1 c9 ac 83 1d bc fd 85 c2
          61 11 b3 0a 8a 65 7d dc 30 56 b8 0c a7 3e 04 0d
          28 54 fd 36 81 1f 6d 82 5c c4 ab 66 ec 0a 68 a4
          90 a9 e5 cf 51 56 b3 a2 b7 ee cd db f9 a1 6b 47

   Input:
     P = "password" (8 octets)
     S = "salt" (4 octets)
     c = 2
     dkLen = 64

   Output:
     DK = 5a 58 5b af df bb 6e 88 30 d6 d6 8a a3 b4 3a c0
          0d 2e 4a eb ce 01 c9 b3 1c 2c ae d5 6f 02 36 d4
          d3 4b 2b 8f bd 2c 4e 89 d5 4d 46 f5 0e 47 d4 5b
          ba c3 01 57 17 43 11 9e 8d 3c 42 ba 66 d3 48 de

   Input:
     P = "password" (8 octets)
     S = "salt" (4 octets)
     c = 4096
     dkLen = 64

   Output:
     DK = e5 2d eb 9a 2d 2a af f4 e2 ac 9d 47 a4 1f 34 c2
          03 76 59 1c 67 80 7f 04 77 e3 25 49 dc 34 1b c7
          86 7c 09 84 1b 6d 58 e2 9d 03 47 c9 96 30 1d 55
          df 0d 34 e4 7c f6 8f 4e 3c 2c da f1 d9 ab 86 c3

   Input:
     P = "password" (8 octets)
     S = "salt" (4 octets)
     c = 16777216
     dkLen = 64

   Output:
     DK = 49 e4 84 3b ba 76 e3 00 af e2 4c 4d 23 dc 73 92
          de f1 2f 2c 0e 24 41 72 36 7c d7 0a 89 82 ac 36
          1a db 60 1c 7e 2a 31 4e 8c b7 b1 e9 df 84 0e 36
          ab 56 15 be 5d 74 2b 6c f2 03 fb 55 fd c4 80 71

   Input:
     P = "passwordPASSWORDpassword" (24 octets)
     S = "saltSALTsaltSALTsaltSALTsaltSALTsalt" (36 octets)
     c = 4096
     dkLen = 100

   Output:
     DK = b2 d8 f1 24 5f c4 d2 92 74 80 20 57 e4 b5 4e 0a
          07 53 aa 22 fc 53 76 0b 30 1c f0 08 67 9e 58 fe
          4b ee 9a dd ca e9 9b a2 b0 b2 0f 43 1a 9c 5e 50
          f3 95 c8 93 87 d0 94 5a ed ec a6 eb 40 15 df c2
          bd 24 21 ee 9b b7 11 83 ba 88 2c ee bf ef 25 9f
          33 f9 e2 7d c6 17 8c b8 9d c3 74 28 cf 9c c5 2a
          2b aa 2d 3a

   Input:
     P = "pass\0word" (9 octets)
     S = "sa\0lt" (5 octets)
     c = 4096
     dkLen = 64

   Output:
     DK = 50 df 06 28 85 b6 98 01 a3 c1 02 48 eb 0a 27 ab
          6e 52 2f fe b2 0c 99 1c 66 0f 00 14 75 d7 3a 4e
          16 7f 78 2c 18 e9 7e 92 97 6d 9c 1d 97 08 31 ea
          78 cc b8 79 f6 70 68 cd ac 19 10 74 08 44 e8 30

Appendix C.  Acknowledgments

Author's Address

   Karelina Ekaterina (editor)
   InfoTeCS
   2B stroenie 1, ul. Otradnaya
   Moscow 127273
   Russian Federation

   Phone: +7 (495) 737-61-92
   Email: Ekaterina.Karelina@infotecs.ru