RSA Laboratories’ PKCS Series - a Tutorial Magnus Nyström, October, 1999
Password-Based Cryptography Standard
Recommendations for the implementation of password-based cryptography, covering:
- key establishment
- encryption schemes
- message-authentication schemes
- ASN.1 syntax identifying the techniques
Generally oriented towards protection of private keys
No guidelines for selection of passwords

Background
Cryptography with a password ...
- identification, key establishment
- encryption
- message authentication
... has some peculiar problems: passwords are not conventional keys, nor are they very "random".

General Model
Password-based key derivation: key = PBKDF(password, salt, iterations)
- A salt serves to produce many keys from a given password (thwarting dictionary attacks), but it does not protect against an attacker able to choose the salt.
- Iterations increase the cost for an attacker having to try many passwords.
Key Derivation Functions
PBKDF1 - Password-based key derivation function #1
- The "original" PBKDF
- Can't generate keys longer than 20 bytes
- DK || IV = Hash^iterations(Password || Salt)
Limitations:
- only two hash functions
- assumes cipher in CBC mode and 8-byte salt
- no security proof
- entropy bottleneck
- fixed maximum length for keys
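The PBKDF1 construction above, as an added example that is not part of the tutorial: the hash is iterated over Password || Salt, the output is truncated to the requested length, and a PBES1-style helper splits 16 derived bytes into an 8-byte key and an 8-byte IV. The function names and the use of hashlib names other than MD5 and SHA-1 are this example's assumptions; PKCS #5 itself specifies only those two hash functions for PBKDF1.

```python
import hashlib

# Added example (not from the tutorial): PBKDF1 as the slide describes it,
# DK || IV = Hash^iterations(Password || Salt), plus the PBES1-style split of
# the 16-byte output into an 8-byte cipher key and an 8-byte IV.
# hash_name may be any hashlib name here; PKCS #5 only specifies MD5 and SHA-1.


def pbkdf1(password: bytes, salt: bytes, iterations: int,
           dk_len: int, hash_name: str = "sha1") -> bytes:
    """Derive dk_len bytes by iterating hash_name over password || salt."""
    digest_size = hashlib.new(hash_name).digest_size
    if iterations < 1:
        raise ValueError("iterations must be at least 1")
    # Fixed maximum length: one chained hash yields only digest_size bytes
    # (20 for SHA-1), so longer keys are impossible with PBKDF1.
    if dk_len > digest_size:
        raise ValueError(
            f"derived key too long: PBKDF1 with {hash_name} "
            f"yields at most {digest_size} bytes")
    t = password + salt
    for _ in range(iterations):
        t = hashlib.new(hash_name, t).digest()   # T_c = Hash(T_{c-1})
    return t[:dk_len]


def pbes1_key_iv(password: bytes, salt: bytes, iterations: int,
                 hash_name: str = "sha1") -> tuple:
    """PBES1-style use of PBKDF1: 16 derived bytes = 8-byte key || 8-byte IV.

    PBES1 fixes the salt at 8 bytes (one of the limitations on the slide)."""
    if len(salt) != 8:
        raise ValueError("PBES1 uses an 8-byte salt")
    dk = pbkdf1(password, salt, iterations, 16, hash_name)
    return dk[:8], dk[8:16]


if __name__ == "__main__":
    # Constructed sample input, not a value from the tutorial.
    key, iv = pbes1_key_iv(b"correct horse", bytes(range(8)), 1000)
    print("key", key.hex(), "iv", iv.hex())
```

With one iteration and an empty salt the output is just the hash of the password, which is a convenient sanity check against hashlib; asking for 21 bytes from SHA-1 raises, which is the "fixed maximum length" limitation in code.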
Key Derivation Functions, II
PBKDF2
- New in version 2.0 of PKCS #5
- "Belts-and-suspenders" approach (protects both against parallel attacks and against the recursion present in PBKDF1)
- DK = T_1 || T_2 || ... || T_n
- T_i = f(Password, Salt, Iterations, i)
- f(Password, Salt, Iterations, i) = U_1 XOR U_2 XOR ... XOR U_Iterations
- U_1 = PRF(Password, Salt || i)
- U_j = PRF(Password, U_{j-1})
- PRF is most likely HMAC
- Restricts the search space for an unknown key to 160 bits, however
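The PBKDF2 formulas above written out in code, as an added example that is not part of the tutorial: HMAC is the PRF, each block T_i is the XOR of the chain U_1, U_2, ..., and the blocks are concatenated and truncated to the requested length. One detail the slide does not spell out and that this example takes from PKCS #5: the block index i is appended to the salt as a 4-byte big-endian integer. The function names and the cross-check helper are this example's own.

```python
import hashlib
import hmac
import math

# Added example (not from the tutorial): PBKDF2 built from the formulas on the
# slide, with HMAC as the PRF. The block index i is encoded as a 4-byte
# big-endian integer when it is appended to the salt (INT(i) in PKCS #5).


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def pbkdf2(password: bytes, salt: bytes, iterations: int,
           dk_len: int, hash_name: str = "sha1") -> bytes:
    """DK = T_1 || T_2 || ... || T_n, truncated to dk_len bytes."""
    if iterations < 1:
        raise ValueError("iterations must be at least 1")
    h_len = hashlib.new(hash_name).digest_size
    if dk_len > (2 ** 32 - 1) * h_len:
        raise ValueError("derived key too long")

    def prf(data: bytes) -> bytes:            # PRF(Password, data) = HMAC
        return hmac.new(password, data, hash_name).digest()

    def f(i: int) -> bytes:                   # T_i = U_1 XOR U_2 XOR ... XOR U_c
        u = prf(salt + i.to_bytes(4, "big"))  # U_1 = PRF(Password, Salt || INT(i))
        t = u
        for _ in range(iterations - 1):
            u = prf(u)                        # U_j = PRF(Password, U_{j-1})
            t = _xor(t, u)
        return t

    n = math.ceil(dk_len / h_len)             # number of blocks T_i needed
    return b"".join(f(i) for i in range(1, n + 1))[:dk_len]


def matches_stdlib(password: bytes, salt: bytes, iterations: int,
                   dk_len: int, hash_name: str = "sha1") -> bool:
    """Cross-check this implementation against hashlib.pbkdf2_hmac."""
    ours = pbkdf2(password, salt, iterations, dk_len, hash_name)
    ref = hashlib.pbkdf2_hmac(hash_name, password, salt, iterations, dk_len)
    return ours == ref


if __name__ == "__main__":
    # Constructed sample input, not a value from the tutorial.
    print(pbkdf2(b"password", b"salt", 4096, 32, "sha256").hex())
    print("matches hashlib:", matches_stdlib(b"password", b"salt", 4096, 32, "sha256"))
```

Asking for 25 bytes with HMAC-SHA1 forces a second block (n = 2), which is the "variable output length" property; two salts for the same password give unrelated keys, which is the point of the salt on the General Model slide.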
Motivations for PBKDF2
- Provably secure under reasonable assumptions on the pseudorandom function PRF
- Variable output length

Encryption Schemes
PBES1
- Basically PBKDF1 in combination with DES or RC2 in CBC mode
- New applications should favor PBES2
PBES2
- Combination of PBKDF2 with some underlying encryption scheme
Message Authentication Schemes
PBMAC1
- PBKDF2 together with some underlying MAC scheme
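The PBMAC1 composition above, as an added example that is not part of the tutorial: PBKDF2 derives a MAC key from the password, and the MAC is applied to the message with that key. The salt and iteration count must travel with the tag so that a verifier can re-derive the same key. The concrete choices here (SHA-256 for both the KDF PRF and the MAC, a 16-byte random salt, 100000 iterations) and the function names are this example's assumptions, not parameters the tutorial gives. PBES2 is the same composition with a cipher in place of the MAC.

```python
import hashlib
import hmac
import os

# Added example (not from the tutorial): PBMAC1 = PBKDF2 feeding a MAC.
# Parameter choices below are this example's assumptions.
KDF_HASH = "sha256"          # PRF for PBKDF2 (HMAC-SHA256)
MAC_HASH = "sha256"          # underlying MAC scheme (HMAC-SHA256)
DEFAULT_ITERATIONS = 100_000


def pbmac1_tag(password: bytes, message: bytes, salt: bytes,
               iterations: int = DEFAULT_ITERATIONS) -> bytes:
    """Tag = MAC_K(message) with K = PBKDF2(password, salt, iterations)."""
    mac_key_len = hashlib.new(MAC_HASH).digest_size
    key = hashlib.pbkdf2_hmac(KDF_HASH, password, salt, iterations,
                              dklen=mac_key_len)
    return hmac.new(key, message, MAC_HASH).digest()


def pbmac1_protect(password: bytes, message: bytes,
                   iterations: int = DEFAULT_ITERATIONS) -> dict:
    """Produce everything a verifier needs: salt, iteration count and tag."""
    salt = os.urandom(16)    # fresh per message, so equal messages get different tags
    return {"salt": salt, "iterations": iterations,
            "tag": pbmac1_tag(password, message, salt, iterations)}


def pbmac1_verify(password: bytes, message: bytes, params: dict) -> bool:
    """Recompute the tag from the stored salt/iterations and compare in constant time."""
    expected = pbmac1_tag(password, message, params["salt"], params["iterations"])
    return hmac.compare_digest(expected, params["tag"])


if __name__ == "__main__":
    # Constructed sample input, not a value from the tutorial.
    p = pbmac1_protect(b"correct horse", b"transfer 10 units to account 42")
    print("tag", p["tag"].hex())
    print("verifies:", pbmac1_verify(b"correct horse", b"transfer 10 units to account 42", p))
    print("tampered verifies:", pbmac1_verify(b"correct horse", b"transfer 99 units to account 42", p))
```

A changed message or a wrong password both fail verification; because the salt and iteration count are part of the stored parameters, the verifier never needs anything but the password itself.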
More information PKCS #5 v2.0 is available from http://www.rsasecurity.com/rsalabs/pkcs