1 / 22

PKCS #5: Password-Based Cryptography Standard

PKCS #5: Password-Based Cryptography Standard. Burt Kaliski RSA Laboratories PKCS Workshop October 9, 1998 (with minor edits). Outline. Background PKCS #5 v1.5 PKCS #5 v2 draft. Background. Cryptography with a password ... encryption message authentication

jorden-zimmerman
Download Presentation

PKCS #5: Password-Based Cryptography Standard

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. PKCS #5: Password-Based Cryptography Standard Burt Kaliski RSA Laboratories PKCS Workshop October 9, 1998(with minor edits) RSA Data Security, Inc.

  2. Outline • Background • PKCS #5 v1.5 • PKCS #5 v2 draft

  3. Background • Cryptography with a password ... • encryption • message authentication • identification, key establishment • … has some peculiar problems: • passwords are not conventional keys • nor are they very “random”

  4. General Model • Password-based key derivation: key = PBKDF (password, salt, count) • salt prevents dictionary attack • count complicates search • key is applied to conventional cryptosystem

  5. PKCS #5 v1.5 • Password-Based Encryption Standard • published 11/93 • Two encryption schemes: • MD2 with DES-CBC • MD5 with DES-CBC

  6. PKCS #5 v1.5 Encryption Scheme 1. Generate salt S 2. Hash with password to derive key, IV: K || IV = Hashcount(P || S) 3. Pad message and encrypt: EM = M || padC = DES-CBC (K, IV, EM) • S, count, C sent to recipient

  7. Limitations of v1.5 Scheme • Algorithm restrictions: • only two hash functions • only one underlying encryption scheme • includes padding, assumes CBC mode • Theoretical deficiencies: • no formal model or security proof for KDF • construction has “entropy bottleneck” • Fixed maximum length for keys

  8. Enhancements • RSA Data Security extensions: • SHA-1 hash function • RC2-CBC encryption • PKCS #12 password-based schemes

  9. PKCS Workshop ’97 • Discussion of PKCS #5 improvements • Conclusions: 1. New key derivation function to be specified 2. Modular encryption, message authentication schemes • parameters for underlying scheme (e.g., IV) managed separately

  10. PKCS #5 v2 Draft • Password-Based Cryptography Standard • draft published 10/98 • Several techniques: • extended v1.5 and new KDF • extended v1.5 and new modular encryption schemes • new modular message authentication scheme

  11. New Key Derivation Function PBKDF2 (P, S, c, dkLen) 1. Compute blocks T1,…,Tl as Ti = G (P, S, i, 0) G (P, S, i, c-1) , where G (P, S, i, j) = HMACP(S || i || j). 2. Output first dkLen octets of T1 ||  || Tl.

  12. Motivation for PBKDF2 • HMAC widely implemented, “provably secure” under reasonable assumptions • arbitrary (iterated) hash function • G may be viewed as a PRF • XOR increases cost, preserves PRF • variable length through varying i

  13. New Encryption Scheme 1. Select salt S, iteration count c, key length dkLen 2. Apply KDF to derive key DK = KDF (P, S, c, dkLen) 3. Apply underlying encryption scheme C = EncDK (M) • parameters such as IV selected separately

  14. Message Authentication Scheme 1. Select salt S, iteration count c, key length dkLen 2. Apply KDF to derive key DK = KDF (P, S, c, dkLen) 3. Apply underlying message authentication scheme T = MACDK (M)

  15. Addressing the Limitations • Algorithm restrictions: • arbitrary (iterated) hash function • arbitrary underlying encryption scheme • Theoretical deficiencies: • formal model / security proof for KDF • construction still has “entropy bottleneck” • but can support wider hash function • not a practical problem for passwords • Large maximum length for keys

  16. Supporting Techniques • Encryption schemes: • DES, DES-EDE3, RC2, RC5 • all in CBC mode with PKCS #5 v1.5 padding • DES-EDE2, DESX, RC4 to be added? • Message authentication schemes: • HMAC-SHA-1 • others?

  17. ASN.1 Syntax • Key derivation functions • only PBKDF2 • Encryption schemes • Message authentication schemes

  18. PBKDF2 • Generic OID: • id-pbkdf2 ::= pkcs-5.9 • Parameters: • PBKDF2-params ::= SEQUENCE { salt OCTET STRING, iterationCount INTEGER (1..), keyLength [0] INTEGER DEFAULT 16, hashFunc [1] AlgID {{pbkdf2Hashs}} DEFAULT sha1Identifier }

  19. PBES1 • Specific OIDs as in v1.5: • pbeWithMD2AndDES-CBC ::= pkcs-5.1 • pbeWithMD5AndDES-CBC ::= pkcs-5.3 • … • pbeWithSHA1AndRC2-CBC ::= pkcs-5.8 • Parameters: • PBEParameter ::= SEQUENCE { salt OCTET STRING SIZE (8), iterationCount INTEGER}

  20. PBES2 • Generic OID: • id-pbes2 ::= pkcs-5.10 • Parameters: • PBES2-params ::= SEQUENCE { kdf AlgID {{pbes2KDFs}}, enc AlgID {{pbes2Encs}} }

  21. PBMAC1 • Generic OID: • id-pbmac1 ::= pkcs-5.11 • Parameters: • PBMAC1-params ::= SEQUENCE { kdf AlgID {{pbmac1KDFs}}, mac AlgID {{pbmac1Macs}} }

  22. Discussion • New model • New KDF • New syntax • “Pepper” and usage information • Other password-based techniques

More Related