Embed Size (px)
Citation preview
RSA Data Security, Inc.
PKCS #5: Password-Based Cryptography Standard
Burt Kaliski
RSA LaboratoriesPKCS Workshop
October 9, 1998(with minor edits)
© RSA 1998
Outline
• Background
• PKCS #5 v1.5
• PKCS #5 v2 draft
© RSA 1998
Background
• Cryptography with a password ...– encryption– message authentication– identification, key establishment
• … has some peculiar problems:– passwords are not conventional keys– nor are they very “random”
© RSA 1998
General Model
• Password-based key derivation:key = PBKDF (password, salt, count)
• salt prevents dictionary attack
• count complicates search
• key is applied to conventional cryptosystem
© RSA 1998
PKCS #5 v1.5
• Password-Based Encryption Standard– published 11/93
• Two encryption schemes:– MD2 with DES-CBC– MD5 with DES-CBC
© RSA 1998
PKCS #5 v1.5 Encryption Scheme
1. Generate salt S
2. Hash with password to derive key, IV:K || IV = Hashcount (P || S)
3. Pad message and encrypt:EM = M || pad
C = DES-CBC (K, IV, EM)
• S, count, C sent to recipient
© RSA 1998
Limitations of v1.5 Scheme
• Algorithm restrictions:– only two hash functions– only one underlying encryption scheme
• includes padding, assumes CBC mode
• Theoretical deficiencies:– no formal model or security proof for KDF– construction has “entropy bottleneck”
• Fixed maximum length for keys
© RSA 1998
Enhancements
• RSA Data Security extensions:– SHA-1 hash function– RC2-CBC encryption
• PKCS #12 password-based schemes
© RSA 1998
PKCS Workshop ’97
• Discussion of PKCS #5 improvements
• Conclusions:1. New key derivation function to be
specified
2. Modular encryption, message authentication schemes
• parameters for underlying scheme (e.g., IV) managed separately
© RSA 1998
PKCS #5 v2 Draft
• Password-Based Cryptography Standard– draft published 10/98
• Several techniques:– extended v1.5 and new KDF– extended v1.5 and new modular encryption
schemes– new modular message authentication scheme
© RSA 1998
New Key Derivation Function
PBKDF2 (P, S, c, dkLen)
1. Compute blocks T1,…,Tl as
Ti = G (P, S, i, 0) G (P, S, i, c-1) ,
where G (P, S, i, j) = HMACP(S || i || j).
2. Output first dkLen octets of T1 || || Tl.
© RSA 1998
Motivation for PBKDF2
• HMAC widely implemented, “provably secure” under reasonable assumptions
– arbitrary (iterated) hash function
• G may be viewed as a PRF
• XOR increases cost, preserves PRF
• variable length through varying i
© RSA 1998
New Encryption Scheme
1. Select salt S, iteration count c, key length dkLen
2. Apply KDF to derive key
DK = KDF (P, S, c, dkLen)
3. Apply underlying encryption scheme
C = EncDK (M)
– parameters such as IV selected separately
© RSA 1998
Message Authentication Scheme
1. Select salt S, iteration count c, key length dkLen
2. Apply KDF to derive key
DK = KDF (P, S, c, dkLen)
3. Apply underlying message authentication scheme
T = MACDK (M)
© RSA 1998
Addressing the Limitations
• Algorithm restrictions:– arbitrary (iterated) hash function– arbitrary underlying encryption scheme
• Theoretical deficiencies:– formal model / security proof for KDF– construction still has “entropy bottleneck”
• but can support wider hash function• not a practical problem for passwords
• Large maximum length for keys
© RSA 1998
Supporting Techniques
• Encryption schemes:– DES, DES-EDE3, RC2, RC5
• all in CBC mode with PKCS #5 v1.5 padding
– DES-EDE2, DESX, RC4 to be added?
• Message authentication schemes:– HMAC-SHA-1– others?
© RSA 1998
ASN.1 Syntax
• Key derivation functions– only PBKDF2
• Encryption schemes
• Message authentication schemes
© RSA 1998
PBKDF2
• Generic OID:– id-pbkdf2 ::= pkcs-5.9
• Parameters:– PBKDF2-params ::= SEQUENCE {
salt OCTET STRING, iterationCount INTEGER (1..), keyLength [0] INTEGER DEFAULT 16, hashFunc [1] AlgID {{pbkdf2Hashs}} DEFAULT sha1Identifier }
© RSA 1998
PBES1
• Specific OIDs as in v1.5:– pbeWithMD2AndDES-CBC ::= pkcs-5.1– pbeWithMD5AndDES-CBC ::= pkcs-5.3– …– pbeWithSHA1AndRC2-CBC ::= pkcs-5.8
• Parameters:– PBEParameter ::= SEQUENCE {
salt OCTET STRING SIZE (8), iterationCount INTEGER}
© RSA 1998
PBES2
• Generic OID:– id-pbes2 ::= pkcs-5.10
• Parameters:– PBES2-params ::= SEQUENCE {
kdf AlgID {{pbes2KDFs}}, enc AlgID {{pbes2Encs}} }
© RSA 1998
PBMAC1
• Generic OID:– id-pbmac1 ::= pkcs-5.11
• Parameters:– PBMAC1-params ::= SEQUENCE {
kdf AlgID {{pbmac1KDFs}}, mac AlgID {{pbmac1Macs}} }
© RSA 1998
Discussion
• New model
• New KDF
• New syntax
• “Pepper” and usage information
• Other password-based techniques
