220 likes | 532 Views
PKCS #5: Password-Based Cryptography Standard. Burt Kaliski RSA Laboratories PKCS Workshop October 9, 1998 (with minor edits). Outline. Background PKCS #5 v1.5 PKCS #5 v2 draft. Background. Cryptography with a password ... encryption message authentication
E N D
PKCS #5: Password-Based Cryptography Standard Burt Kaliski RSA Laboratories PKCS Workshop October 9, 1998(with minor edits) RSA Data Security, Inc.
Outline • Background • PKCS #5 v1.5 • PKCS #5 v2 draft
Background • Cryptography with a password ... • encryption • message authentication • identification, key establishment • … has some peculiar problems: • passwords are not conventional keys • nor are they very “random”
General Model • Password-based key derivation: key = PBKDF (password, salt, count) • salt prevents dictionary attack • count complicates search • key is applied to conventional cryptosystem
PKCS #5 v1.5 • Password-Based Encryption Standard • published 11/93 • Two encryption schemes: • MD2 with DES-CBC • MD5 with DES-CBC
PKCS #5 v1.5 Encryption Scheme 1. Generate salt S 2. Hash with password to derive key, IV: K || IV = Hashcount(P || S) 3. Pad message and encrypt: EM = M || padC = DES-CBC (K, IV, EM) • S, count, C sent to recipient
Limitations of v1.5 Scheme • Algorithm restrictions: • only two hash functions • only one underlying encryption scheme • includes padding, assumes CBC mode • Theoretical deficiencies: • no formal model or security proof for KDF • construction has “entropy bottleneck” • Fixed maximum length for keys
Enhancements • RSA Data Security extensions: • SHA-1 hash function • RC2-CBC encryption • PKCS #12 password-based schemes
PKCS Workshop ’97 • Discussion of PKCS #5 improvements • Conclusions: 1. New key derivation function to be specified 2. Modular encryption, message authentication schemes • parameters for underlying scheme (e.g., IV) managed separately
PKCS #5 v2 Draft • Password-Based Cryptography Standard • draft published 10/98 • Several techniques: • extended v1.5 and new KDF • extended v1.5 and new modular encryption schemes • new modular message authentication scheme
New Key Derivation Function PBKDF2 (P, S, c, dkLen) 1. Compute blocks T1,…,Tl as Ti = G (P, S, i, 0) G (P, S, i, c-1) , where G (P, S, i, j) = HMACP(S || i || j). 2. Output first dkLen octets of T1 || || Tl.
Motivation for PBKDF2 • HMAC widely implemented, “provably secure” under reasonable assumptions • arbitrary (iterated) hash function • G may be viewed as a PRF • XOR increases cost, preserves PRF • variable length through varying i
New Encryption Scheme 1. Select salt S, iteration count c, key length dkLen 2. Apply KDF to derive key DK = KDF (P, S, c, dkLen) 3. Apply underlying encryption scheme C = EncDK (M) • parameters such as IV selected separately
Message Authentication Scheme 1. Select salt S, iteration count c, key length dkLen 2. Apply KDF to derive key DK = KDF (P, S, c, dkLen) 3. Apply underlying message authentication scheme T = MACDK (M)
Addressing the Limitations • Algorithm restrictions: • arbitrary (iterated) hash function • arbitrary underlying encryption scheme • Theoretical deficiencies: • formal model / security proof for KDF • construction still has “entropy bottleneck” • but can support wider hash function • not a practical problem for passwords • Large maximum length for keys
Supporting Techniques • Encryption schemes: • DES, DES-EDE3, RC2, RC5 • all in CBC mode with PKCS #5 v1.5 padding • DES-EDE2, DESX, RC4 to be added? • Message authentication schemes: • HMAC-SHA-1 • others?
ASN.1 Syntax • Key derivation functions • only PBKDF2 • Encryption schemes • Message authentication schemes
PBKDF2 • Generic OID: • id-pbkdf2 ::= pkcs-5.9 • Parameters: • PBKDF2-params ::= SEQUENCE { salt OCTET STRING, iterationCount INTEGER (1..), keyLength [0] INTEGER DEFAULT 16, hashFunc [1] AlgID {{pbkdf2Hashs}} DEFAULT sha1Identifier }
PBES1 • Specific OIDs as in v1.5: • pbeWithMD2AndDES-CBC ::= pkcs-5.1 • pbeWithMD5AndDES-CBC ::= pkcs-5.3 • … • pbeWithSHA1AndRC2-CBC ::= pkcs-5.8 • Parameters: • PBEParameter ::= SEQUENCE { salt OCTET STRING SIZE (8), iterationCount INTEGER}
PBES2 • Generic OID: • id-pbes2 ::= pkcs-5.10 • Parameters: • PBES2-params ::= SEQUENCE { kdf AlgID {{pbes2KDFs}}, enc AlgID {{pbes2Encs}} }
PBMAC1 • Generic OID: • id-pbmac1 ::= pkcs-5.11 • Parameters: • PBMAC1-params ::= SEQUENCE { kdf AlgID {{pbmac1KDFs}}, mac AlgID {{pbmac1Macs}} }
Discussion • New model • New KDF • New syntax • “Pepper” and usage information • Other password-based techniques