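1. Introduction
Password-based cryptography, covering the following:
- Key derivation functions
- Encryption schemes
- Message authentication schemes
- ASN.1 syntax
2. Notation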
C ciphertext, an octet string
c iteration count, a positive integer
DK derived key, an octet string
dkLen length in octets of derived key, a positive integer
KDF key derivation function
PRF pseudorandom function
PS padding string, an octet string
M message, an octet string
P password, an octet string
S salt, an octet string
T message authentication code, an octet string
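4. Salt and iteration count
4.1. Salt
The salt can be viewed as an index into a large set of keys derived from the password, and need not be kept secret.
In other words, the salt is an index that selects one key at random from a large set of keys:
DK = KDF (P, S)
DK is the derived key, P is the password, and S is the salt.
When a random generator or pseudorandom generator is not available, the salt can be computed with a key derivation function as S = KDF (P, M). (Not recommended, because only a small number of salt values are then available.)
4.2. Iteration count
An iteration count has traditionally been used to increase the cost of producing keys from a password, thereby also increasing the difficulty of attack.
A minimum of 1000 iterations is recommended.
5. Key derivation functions (KDF)
A key derivation function produces a derived key from a base key and other parameters. In a password-based key derivation function, the base key is a password and the other parameters are a salt value and an iteration count.
The primary application of the password-based key derivation functions defined here is in the encryption schemes in Section 6 and the message authentication scheme in Section 7.
Two functions are specified in this section: PBKDF1 and PBKDF2.
A typical application of the key derivation functions defined here might include the following steps:
1. Select a salt S and an iteration count c.
2. Select a length in octets for the derived key, dkLen.
3. Apply the key derivation function to the password, the salt, the iteration count and the key length to produce a derived key.
4. Output the derived key.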
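5.1. PBKDF1
PBKDF1 applies a hash function, which shall be MD2 [6], MD5 [19] or SHA-1 [18], to derive keys.
The length of the derived key is bounded by the length of the hash function output, which is 16 octets for MD2 and MD5 and 20 octets for SHA-1.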
PBKDF1 (P, S, c, dkLen)
Options: Hash underlying hash function
Input: P password, an octet string
       S salt, an eight-octet string
       c iteration count, a positive integer
       dkLen intended length in octets of derived key, a positive integer, at most 16 for MD2 or MD5 and 20 for SHA-1
Output: DK derived key, a dkLen-octet string
Steps:
1. If dkLen > 16 for MD2 and MD5, or dkLen > 20 for SHA-1, output "derived key too long" and stop.
2. Apply the underlying hash function Hash for c iterations to the concatenation of the password P and the salt S, then extract the first dkLen octets to produce a derived key DK:
T_1 = Hash (P || S) ,
T_2 = Hash (T_1) ,
...
T_c = Hash (T_{c-1}) ,
DK = T_c<0..dkLen-1> .
3. Output the derived key DK.
5.2. PBKDF2
PBKDF2 applies a pseudorandom function (see Appendix B.1) to derive keys. The length of the derived key is essentially unbounded.
PBKDF2 (P, S, c, dkLen)
Options: PRF underlying pseudorandom function (hLen denotes the length in octets of the pseudorandom function output)
Input: P password, an octet string
       S salt, an octet string
       c iteration count, a positive integer
       dkLen intended length in octets of the derived key, a positive integer, at most (2^32 - 1) * hLen
Output: DK derived key, a dkLen-octet string
Steps:
1. If dkLen > (2^32 - 1) * hLen, output "derived key too long" and stop.
2. Let l be the number of hLen-octet blocks in the derived key, rounding up, and let r be the number of octets in the last block:
l = CEIL (dkLen / hLen) ,
r = dkLen - (l - 1) * hLen .
Here, CEIL (x) is the "ceiling" function, i.e. the smallest integer greater than, or equal to, x.
3. For each block of the derived key apply the function F defined below to the password P, the salt S, the iteration count c, and the block index to compute the block:
T_1 = F (P, S, c, 1) ,
T_2 = F (P, S, c, 2) ,
...
T_l = F (P, S, c, l) ,
where the function F is defined as the exclusive-or sum of the first c iterates of the underlying pseudorandom function PRF applied to the password P and the concatenation of the salt S and the block index i:
F (P, S, c, i) = U_1 \xor U_2 \xor ... \xor U_c
where
U_1 = PRF (P, S || INT (i)) ,
U_2 = PRF (P, U_1) ,
...
U_c = PRF (P, U_{c-1}) .
Here, INT (i) is a four-octet encoding of the integer i, most significant octet first.
4. Concatenate the blocks and extract the first dkLen octets to produce a derived key DK:
DK = T_1 || T_2 || ... || T_l<0..r-1>
5. Output the derived key DK.
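The steps of 5.1 and 5.2 written out in Python, as an added example that is not code from the original page or from the specification it summarizes. Using HMAC as the PRF is an assumption of this example (the page only points to Appendix B.1), and the sample password and salt are constructed.

```python
import hashlib
import hmac

def pbkdf1(P: bytes, S: bytes, c: int, dkLen: int, hash_name: str = "sha1") -> bytes:
    """PBKDF1: iterate Hash c times over P || S, keep the first dkLen octets."""
    if len(S) != 8:
        raise ValueError("PBKDF1 salt must be eight octets")
    if c < 1 or dkLen < 1:
        raise ValueError("c and dkLen must be positive integers")
    if dkLen > hashlib.new(hash_name).digest_size:          # step 1
        raise ValueError("derived key too long")
    T = hashlib.new(hash_name, P + S).digest()              # T_1 = Hash(P || S)
    for _ in range(c - 1):                                  # T_2 .. T_c
        T = hashlib.new(hash_name, T).digest()
    return T[:dkLen]                                        # DK = T_c<0..dkLen-1>

def pbkdf2(P: bytes, S: bytes, c: int, dkLen: int, hash_name: str = "sha1") -> bytes:
    """PBKDF2 with PRF = HMAC-<hash_name> (PRF choice is this example's assumption)."""
    hLen = hashlib.new(hash_name).digest_size
    if c < 1 or dkLen < 1:
        raise ValueError("c and dkLen must be positive integers")
    if dkLen > (2**32 - 1) * hLen:                          # step 1
        raise ValueError("derived key too long")
    l = -(-dkLen // hLen)                                   # step 2: CEIL(dkLen / hLen)
    r = dkLen - (l - 1) * hLen                              # octets kept from the last block
    blocks = []
    for i in range(1, l + 1):                               # step 3: T_i = F(P, S, c, i)
        U = hmac.new(P, S + i.to_bytes(4, "big"), hash_name).digest()  # U_1, INT(i) big-endian
        T = int.from_bytes(U, "big")
        for _ in range(c - 1):                              # U_2 .. U_c, XORed into T
            U = hmac.new(P, U, hash_name).digest()
            T ^= int.from_bytes(U, "big")
        blocks.append(T.to_bytes(hLen, "big"))
    blocks[-1] = blocks[-1][:r]                             # step 4: T_l<0..r-1>
    return b"".join(blocks)                                 # step 5

if __name__ == "__main__":
    # Constructed sample inputs; 1000 is the page's recommended minimum count.
    password, salt = b"correct horse", b"\x00\x01\x02\x03\x04\x05\x06\x07"
    print("PBKDF1:", pbkdf1(password, salt, 1000, 16).hex())
    dk = pbkdf2(password, salt, 1000, 32)                   # 32 > hLen = 20, so l = 2, r = 12
    print("PBKDF2:", dk.hex())
    print("matches hashlib:", dk == hashlib.pbkdf2_hmac("sha1", password, salt, 1000, 32))
```

`hashlib.pbkdf2_hmac` in the Python standard library computes the same PBKDF2 output and is the function to call in real code.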