PKCS #5: Password-Based Cryptography Standard

Slides:

Advertisements

Similar presentations

Chapter 3 Public Key Cryptography and Message authentication.

Advertisements

Symmetric Message Authentication Codes Prof. Ravi Sandhu.

XML Encryption and Derived Keys: Suggestion For a Minor Addition Magnus Nyström RSA.

Lecture 5: Cryptographic Hashes

CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (3) Information Security.

ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.

Transport Layer Security (TLS) Protocol Introduction to networks and communications(CS555) Prof : Dr Kurt maly Student:Abhinav y.

Digital Signatures and Hash Functions. Digital Signatures.

1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.

Crypto – chapter 16 - noack Introduction to network stcurity Chapter 16 - Stallings.

Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.

1 Chapter 5 Hashes and Message Digests Instructor: 孫宏民 Room: EECS 6402, Tel: , Fax :

CMSC 456 Introduction to Cryptography

Dr Alejandra Flores-Mosri Message Authentication Internet Management & Security 06 Learning outcomes At the end of this session, you should be able to:

Henric Johnson1 Chapter3 Public-Key Cryptography and Message Authentication Henric Johnson Blekinge Institute of Technology, Sweden

Secure Hashing and DSS Sultan Almuhammadi ICS 454 Principles of Cryptography.

Apr 4, 2003Mårten Trolin1 Previous lecture TLS details –Phases Handshake Securing messages –What the messages contain –Authentication.

Cryptography and Network Security Chapter 11 Fourth Edition by William Stallings Lecture slides by Lawrie Brown/Mod. & S. Kondakci.

Cryptography1 CPSC 3730 Cryptography Chapter 11, 12 Message Authentication and Hash Functions.

Block and Stream Ciphers1 Reference –Matt Bishop, Computer Security, Addison Wesley, 2003.

Announcement Final exam: Wed, June 9, 9:30-11:18 Scope: materials after RSA (but you need to know RSA) Open books, open notes. Calculators allowed. 1.

Dan Boneh Odds and ends Key Derivation Online Cryptography Course Dan Boneh.

1 Public-Key Cryptography and Message Authentication Ola Flygt Växjö University, Sweden

Digital Signatures Slides by Kent Seamons and Tim van der Horst Last Updated: Oct 7, 2013.

Acknowledgements: William Stallings.William Stallings All rights Reserved Session 4 Public Key Cryptography (Part 2) Network Security Essentials Application.

TLS 1.2 and NIST SP A Tim Polk November 10, 2006.

CMS Interoperability Matrix Jim Schaad Soaring Hawk Security.

Message Authentication  message authentication is concerned with: protecting the integrity of a message protecting the integrity of a message validating.

Hash and MAC Algorithms Dr. Monther Aldwairi New York Institute of Technology- Amman Campus 12/3/2009 INCS 741: Cryptography 12/3/20091Dr. Monther Aldwairi.

S. Muftic Computer Networks Security 1 Lecture 4: Message Confidentiality and Message Integrity Prof. Sead Muftic.

CS 4/585: Cryptography Tom Shrimpton FAB

PKCS #1 v2.1: RSA Cryptography Standard

CS526: Information Security Prof. Sam Wagstaff September 16, 2003 Cryptography Basics.

Lecture 4.1: Hash Functions, and Message Authentication Codes CS 436/636/736 Spring 2015 Nitesh Saxena.

RSA Data Security, Inc. PKCS #1 : RSA Cryptography Standard Jessica Staddon RSA Laboratories PKCS Workshop October 7, 1998.

Chapter 21 Public-Key Cryptography and Message Authentication.

On OAEP, PSS, and S/MIME John Linn RSA Laboratories S/MIME WG, San Diego IETF, 13 December 2000.

XML Encryption, XML Signature, and Derived Keys: Suggestion For a Minor Addition Magnus Nyström RSA.

11.1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 11 Message Integrity and Message Authentication.

1 CIS 5371 Cryptography 4. Message Authentication Codes B ased on: Jonathan Katz and Yehuda Lindell Introduction to Modern Cryptography.

PKCS #1 v2.1: RSA Cryptography Standard Burt Kaliski, RSA Laboratories PKCS Workshop, 5 October 2000.

Cryptography and Network Security Chapter 12 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.

Authentication. Goal: Bob wants Alice to “prove” her identity to him Protocol ap1.0: Alice says “I am Alice” Failure scenario?? “I am Alice”

Cryptography and Network Security (CS435) Part Nine (Message Authentication)

By Sandeep Gadi 12/20/  Design choices for securing a system affect performance, scalability and usability. There is usually a tradeoff between.

Lecture 4.1: Hash Functions, and Message Authentication Codes CS 436/636/736 Spring 2014 Nitesh Saxena.

Project: Simulated Encrypted File System (SEFS) Omar Chowdhury Fall 2015CS526: Information Security1.

ANSI X9.44 and IETF TLS Russ Housley and Burt Kaliski RSA Laboratories November 2002.

IT 221: Introduction to Information Security Principles Lecture 5: Message Authentications, Hash Functions and Hash/Mac Algorithms For Educational Purposes.

Homework #2 J. H. Wang Oct. 31, 2012.

TLS PRF Considered Harmful Issues with implementing Hardware Security Module Support for TLS.

PKCS #5 v2.0: Password-Based Cryptography Standard

1 Randomized Hashing: Secure Digital Signatures without Collision Resistance Shai Halevi and Hugo Krawczyk IBM Research

Cryptography CSS 329 Lecture 13:SSL.

CS555Spring 2012/Topic 141 Cryptography CS 555 Topic 14: CBC-MAC & Hash Functions.

RSA Laboratories’ PKCS Series - a Tutorial

Chapter 12 – Hash Algorithms

RSA Laboratories’ PKCS Series - a Tutorial

PKCS #14: Pseudo-Random Number Generation

RSA Laboratories’ PKCS Series - a Tutorial

Dan Brown, Certicom Research November 10, 2004

Cryptography Lecture 13.

Cryptography Lecture 12.

Cryptography Lecture 12.

Topic 13: Message Authentication Code

Cryptography Lecture 14.

Cryptography Lecture 13.

Cryptography Lecture 13.

Presentation transcript:

PKCS #5: Password-Based Cryptography Standard Burt Kaliski RSA Laboratories PKCS Workshop October 9, 1998 (with minor edits) RSA Data Security, Inc.

Outline Background PKCS #5 v1.5 PKCS #5 v2 draft © RSA 1998

Background Cryptography with a password ... encryption message authentication identification, key establishment … has some peculiar problems: passwords are not conventional keys nor are they very “random” © RSA 1998

key = PBKDF (password, salt, count) General Model Password-based key derivation: key = PBKDF (password, salt, count) salt prevents dictionary attack count complicates search key is applied to conventional cryptosystem © RSA 1998

PKCS #5 v1.5 Password-Based Encryption Standard published 11/93 Two encryption schemes: MD2 with DES-CBC MD5 with DES-CBC © RSA 1998

PKCS #5 v1.5 Encryption Scheme 1. Generate salt S 2. Hash with password to derive key, IV: K || IV = Hashcount (P || S) 3. Pad message and encrypt: EM = M || pad C = DES-CBC (K, IV, EM) S, count, C sent to recipient © RSA 1998

Limitations of v1.5 Scheme Algorithm restrictions: only two hash functions only one underlying encryption scheme includes padding, assumes CBC mode Theoretical deficiencies: no formal model or security proof for KDF construction has “entropy bottleneck” Fixed maximum length for keys © RSA 1998

Enhancements RSA Data Security extensions: SHA-1 hash function RC2-CBC encryption PKCS #12 password-based schemes © RSA 1998

PKCS Workshop ’97 Discussion of PKCS #5 improvements Conclusions: 1. New key derivation function to be specified 2. Modular encryption, message authentication schemes parameters for underlying scheme (e.g., IV) managed separately © RSA 1998

PKCS #5 v2 Draft Password-Based Cryptography Standard draft published 10/98 Several techniques: extended v1.5 and new KDF extended v1.5 and new modular encryption schemes new modular message authentication scheme © RSA 1998

New Key Derivation Function PBKDF2 (P, S, c, dkLen) 1. Compute blocks T1,…,Tl as Ti = G (P, S, i, 0)    G (P, S, i, c-1) , where G (P, S, i, j) = HMACP(S || i || j). 2. Output first dkLen octets of T1 ||  || Tl. © RSA 1998

Motivation for PBKDF2 HMAC widely implemented, “provably secure” under reasonable assumptions arbitrary (iterated) hash function G may be viewed as a PRF XOR increases cost, preserves PRF variable length through varying i © RSA 1998

New Encryption Scheme 1. Select salt S, iteration count c, key length dkLen 2. Apply KDF to derive key DK = KDF (P, S, c, dkLen) 3. Apply underlying encryption scheme C = EncDK (M) parameters such as IV selected separately © RSA 1998

Message Authentication Scheme 1. Select salt S, iteration count c, key length dkLen 2. Apply KDF to derive key DK = KDF (P, S, c, dkLen) 3. Apply underlying message authentication scheme T = MACDK (M) © RSA 1998

Addressing the Limitations Algorithm restrictions: arbitrary (iterated) hash function arbitrary underlying encryption scheme Theoretical deficiencies: formal model / security proof for KDF construction still has “entropy bottleneck” but can support wider hash function not a practical problem for passwords Large maximum length for keys © RSA 1998

Supporting Techniques Encryption schemes: DES, DES-EDE3, RC2, RC5 all in CBC mode with PKCS #5 v1.5 padding DES-EDE2, DESX, RC4 to be added? Message authentication schemes: HMAC-SHA-1 others? © RSA 1998

ASN.1 Syntax Key derivation functions Encryption schemes only PBKDF2 Encryption schemes Message authentication schemes © RSA 1998

PBKDF2 Generic OID: Parameters: id-pbkdf2 ::= pkcs-5.9 PBKDF2-params ::= SEQUENCE { salt OCTET STRING, iterationCount INTEGER (1..), keyLength [0] INTEGER DEFAULT 16, hashFunc [1] AlgID {{pbkdf2Hashs}} DEFAULT sha1Identifier } © RSA 1998

PBES1 Specific OIDs as in v1.5: Parameters: pbeWithMD2AndDES-CBC ::= pkcs-5.1 pbeWithMD5AndDES-CBC ::= pkcs-5.3 … pbeWithSHA1AndRC2-CBC ::= pkcs-5.8 Parameters: PBEParameter ::= SEQUENCE { salt OCTET STRING SIZE (8), iterationCount INTEGER} © RSA 1998

PBES2 Generic OID: Parameters: id-pbes2 ::= pkcs-5.10 PBES2-params ::= SEQUENCE { kdf AlgID {{pbes2KDFs}}, enc AlgID {{pbes2Encs}} } © RSA 1998

PBMAC1 Generic OID: Parameters: id-pbmac1 ::= pkcs-5.11 PBMAC1-params ::= SEQUENCE { kdf AlgID {{pbmac1KDFs}}, mac AlgID {{pbmac1Macs}} } © RSA 1998

Discussion New model New KDF New syntax “Pepper” and usage information Other password-based techniques © RSA 1998