Presentation is loading. Please wait.

Presentation is loading. Please wait.

PKCS #5 v2.0: Password-Based Cryptography Standard

Published byCameron Nash Modified over 8 years ago

Similar presentations

Presentation on theme: "PKCS #5 v2.0: Password-Based Cryptography Standard"— Presentation transcript:

1 PKCS #5 v2.0: Password-Based Cryptography Standard
Burt Kaliski, RSA Laboratories PKCS Workshop, 29 September 1999

2 Outline Background PKCS #5 v1.5 PKCS #5 v2.0 Generating salt
Possible future work

3 Background Cryptography with a password ...
encryption message authentication identification, key establishment … has some peculiar problems: passwords are not conventional keys nor are they very “random”

4 key = PBKDF (password, salt, count)
General Model Password-based key derivation: key = PBKDF (password, salt, count) salt prevents dictionary attack count complicates search key is applied to conventional cryptosystem

5 PKCS #5 v1.5 Password-Based Encryption Standard
published November 1993 Two encryption schemes: MD2 with DES-CBC MD5 with DES-CBC

6 PKCS #5 v1.5 Encryption Scheme
Encryption operation 1. Generate salt S 2. Hash with password to derive key, IV: K || IV = Hashcount (P || S) 3. Pad message and encrypt: EM = M || pad C = DES-CBC (K, IV, EM) S, count, C sent to recipient Decryption is similar

7 Limitations of v1.5 Scheme
Algorithm restrictions: only two hash functions only one underlying encryption scheme includes padding, assumes CBC mode Theoretical deficiencies: no formal model or security proof for KDF construction has “entropy bottleneck” Fixed maximum length for keys

8 Enhancements Before v2.0 RSA Data Security extensions:
SHA-1 hash function RC2-CBC encryption PKCS #12 password-based schemes

9 PKCS Workshops ’97, ’98 Discussion of PKCS #5 improvements, proposed draft Conclusions: 1. New key derivation function to be specified 2. Modular encryption, message authentication schemes parameters for underlying scheme (e.g., IV) managed separately

10 PKCS #5 v2.0 Password-Based Cryptography Standard Several techniques:
published March 1999 Several techniques: extended v1.5 and new KDF extended v1.5 and new modular encryption schemes new modular message authentication scheme New schemes are recommended for new applications

11 New Key Derivation Function
PBKDF2 (P, S, c, dkLen) 1. Compute blocks T1,…,Tl by iterated construction: U1 = G (P, S || Int (i)) , U2 = G (P, U1) , …, Uc = G (P, Uc-1) Ti = U1 \xor U2 \xor  \xor Uc 2. Output first dkLen octets of T1 ||  || Tl G is underlying pseudorandom function

12 Motivation for PBKDF2 “Belt-and-suspenders” approach:
Ui values are computed recursively to remove a degree of parallelism different than PKCS ’98 proposal, which computed them independently as Uj = G (P, S || Int (i) || Int (j)) XOR reduces concerns about the recursion degenerating into a small set of values (Potentially) provably secure under reasonable assumptions on pseudorandom function G Variable length through varying i

13 New Encryption Scheme Encryption operation
1. Select salt S, iteration count c, key length dkLen 2. Apply KDF to derive key DK = KDF (P, S, c, dkLen) 3. Apply underlying encryption scheme C = EncDK (M) parameters such as IV selected as part of underlying scheme Decryption is similar

14 Message Authentication Scheme
MAC generation operation 1. Select salt S, iteration count c, key length dkLen 2. Apply KDF to derive key DK = KDF (P, S, c, dkLen) 3. Apply underlying message authentication scheme T = MACDK (M) MAC verification is similar

15 Addressing the Limitations
Algorithm restrictions: arbitrary (iterated) pseudorandom function arbitrary underlying encryption scheme Theoretical deficiencies: formal model / (potential) security proof for KDF construction still has “entropy bottleneck” but can support wider hash function not a practical problem for passwords Large maximum length for keys

16 Supporting Techniques
Pseudorandom functions: HMAC-SHA-1 where message is index Encryption schemes: DES, DES-EDE3, RC2, RC5 all in CBC mode with PKCS #5 v1.5 padding DES-EDE2, DESX, RC4 could potentially be added Message authentication schemes: HMAC-SHA-1

17 ASN.1 Syntax Key derivation functions Encryption schemes
only PBKDF2 Encryption schemes PBES1 and PBES2 Message authentication scheme (and pseudorandom function) PBMAC1

18 PBKDF2 Generic OID: Parameters: id-pbkdf2 ::= pkcs-5.12
PBKDF2-params ::= SEQUENCE { salt CHOICE { specified OCTET STRING, otherSource AlgID {{PBKDF2-SaltSources}} }, iterationCount INTEGER (1..MAX), keyLength INTEGER (1..MAX) OPTIONAL, prf AlgID {{PBKDF2-PRFs}} DEFAULT algid-hmacWithSHA1 }

19 PBES1 Specific OIDs as in v1.5: Parameters:
pbeWithMD2AndDES-CBC ::= pkcs-5.1 pbeWithMD5AndDES-CBC ::= pkcs-5.3 pbeWithSHA1AndRC2-CBC ::= pkcs-5.11 Parameters: PBEParameter ::= SEQUENCE { salt OCTET STRING SIZE (8), iterationCount INTEGER }

20 PBES2 Generic OID: Parameters: id-pbes2 ::= pkcs-5.13
PBES2-params ::= SEQUENCE { kdf AlgID {{PBES2-KDFs}}, enc AlgID {{PBES2-Encs}} }

21 PBMAC1 Generic OID: Parameters: id-pbmac1 ::= pkcs-5.14
PBMAC1-params ::= SEQUENCE { kdf AlgID {{PBMAC1-KDFs}}, mac AlgID {{PBMAC1-MACs}} }

22 Generating Salt Primary purpose of salt is to increase difficulty of precomputation attacks Secondary purpose is to separate keys generated at different times A random salt assures the one who generated it that these goals are achieved, but not necessarily the one who receives it i.e., the party decrypting a ciphertext or verifying a MAC is not assured that separate keys were employed

23 Exploiting Ambiguity Suppose a password is employed for two algorithms with different key lengths, and the salt does not distinguish between them Then for a given salt, the key for one algorithm will be a prefix of the key for the other Suppose also that an opponent can solve for the shorter key by a chosen ciphertext attack Then the opponent can also solve for the longer key by guessing the rest of it: “divide-and-conquer” Similar concerns for other kinds of interaction

24 Salt Recommendations If interactions are not a concern (e.g., password is always employed with the same algorithm), then a random salt is sufficient at least 64 bits recommended If they are, then the salt should also contain some structure, e.g., an algorithm identifier and/or a sequence number that can be checked by the party receiving the key

25 Possible Future Work Structure for salt value
basically, key derivation parameters for KDF “Pepper” variants where part of salt is secret several references in literature Public-key password-based techniques password-based entity authentication and key establishment password-based private-key downloading

Download ppt "PKCS #5 v2.0: Password-Based Cryptography Standard"

Similar presentations

Chapter 3 Public Key Cryptography and Message authentication.

Chapter 3 Public Key Cryptography and Message authentication.
Lecture 5: Cryptographic Hashes

Lecture 5: Cryptographic Hashes
CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (3) Information Security.

CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (3) Information Security.
ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.

ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.
Sri Lanka Institute of Information Technology

Sri Lanka Institute of Information Technology
Digital Signatures and Hash Functions. Digital Signatures.

Digital Signatures and Hash Functions. Digital Signatures.
1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.

1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.
Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.

Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.
1 Chapter 5 Hashes and Message Digests Instructor: 孫宏民 Room: EECS 6402, Tel:03-5742968, Fax : 886-3-572-3694.

1 Chapter 5 Hashes and Message Digests Instructor: 孫宏民 Room: EECS 6402, Tel: , Fax :
CMSC 414 Computer (and Network) Security Lecture 5 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 5 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
Dr Alejandra Flores-Mosri Message Authentication Internet Management & Security 06 Learning outcomes At the end of this session, you should be able to:

Dr Alejandra Flores-Mosri Message Authentication Internet Management & Security 06 Learning outcomes At the end of this session, you should be able to:
Wireless Security In wireless networks. Security and Assurance - Goals Integrity Modified only in acceptable ways Modified only by authorized people Modified.

Wireless Security In wireless networks. Security and Assurance - Goals Integrity Modified only in acceptable ways Modified only by authorized people Modified.
CMSC 414 Computer and Network Security Lecture 5 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 5 Jonathan Katz.
Henric Johnson1 Chapter3 Public-Key Cryptography and Message Authentication Henric Johnson Blekinge Institute of Technology, Sweden

Henric Johnson1 Chapter3 Public-Key Cryptography and Message Authentication Henric Johnson Blekinge Institute of Technology, Sweden
CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz.
Fall 2010/Lecture 311 CS 426 (Fall 2010) Public Key Encryption and Digital Signatures.

Fall 2010/Lecture 311 CS 426 (Fall 2010) Public Key Encryption and Digital Signatures.
Lecture 23 Symmetric Encryption

Lecture 23 Symmetric Encryption
Cryptography1 CPSC 3730 Cryptography Chapter 11, 12 Message Authentication and Hash Functions.

Cryptography1 CPSC 3730 Cryptography Chapter 11, 12 Message Authentication and Hash Functions.

Similar presentations

Ads by Google