PKCS #5: Password-Based Cryptography Standard


1 PKCS #5: Password-Based Cryptography Standard
Burt Kaliski, RSA Laboratories
PKCS Workshop, October 9, 1998 (with minor edits)
RSA Data Security, Inc.

2 Outline
Background
PKCS #5 v1.5
PKCS #5 v2 draft
© RSA 1998

3 Background
Cryptography with a password ...
  encryption
  message authentication
  identification, key establishment
... has some peculiar problems:
  passwords are not conventional keys
  nor are they very “random”

4 General Model
Password-based key derivation:
  key = PBKDF (password, salt, count)
salt prevents dictionary attack
count complicates search
key is applied to conventional cryptosystem

5 PKCS #5 v1.5: Password-Based Encryption Standard
published 11/93
Two encryption schemes:
  MD2 with DES-CBC
  MD5 with DES-CBC

6 PKCS #5 v1.5 Encryption Scheme
1. Generate salt S
2. Hash with password to derive key, IV (hash iterated count times):
   K || IV = Hash^count (P || S)
3. Pad message and encrypt:
   EM = M || pad
   C = DES-CBC (K, IV, EM)
S, count, C sent to recipient

7 Limitations of v1.5 Scheme
Algorithm restrictions:
  only two hash functions
  only one underlying encryption scheme
  includes padding, assumes CBC mode
Theoretical deficiencies:
  no formal model or security proof for KDF
  construction has “entropy bottleneck”
Fixed maximum length for keys

8 Enhancements
RSA Data Security extensions:
  SHA-1 hash function
  RC2-CBC encryption
PKCS #12 password-based schemes

9 PKCS Workshop ’97
Discussion of PKCS #5 improvements
Conclusions:
1. New key derivation function to be specified
2. Modular encryption, message authentication schemes
   parameters for underlying scheme (e.g., IV) managed separately

10 PKCS #5 v2 Draft: Password-Based Cryptography Standard
draft published 10/98
Several techniques:
  extended v1.5 and new KDF
  extended v1.5 and new modular encryption schemes
  new modular message authentication scheme

11 New Key Derivation Function
PBKDF2 (P, S, c, dkLen)
1. Compute blocks T_1, …, T_l as
   T_i = G (P, S, i, 0) ⊕ … ⊕ G (P, S, i, c-1),
   where G (P, S, i, j) = HMAC_P (S || i || j).
2. Output first dkLen octets of T_1 || … || T_l.

12 Motivation for PBKDF2
HMAC widely implemented, “provably secure” under reasonable assumptions
arbitrary (iterated) hash function
G may be viewed as a PRF
XOR increases cost, preserves PRF
variable length through varying i
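
The construction on slides 11 and 12, as an added worked example (not code from the presentation or from RSA Laboratories). The first function follows the slide's definition literally; the encoding of the counters i and j as 4-octet big-endian integers is an assumption, since the slide does not specify one. The second function is the form that was eventually standardized in RFC 2898, where the c PRF outputs of a block are chained rather than computed independently, included so the two can be compared on the same inputs.

```python
import hashlib
import hmac
import struct


def int32(n: int) -> bytes:
    # Assumed encoding of the counters i and j: 4-octet big-endian.
    # The slide leaves it unspecified; RFC 2898 uses INT(i) = 4 octets big-endian.
    return struct.pack(">I", n)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def g_term(password: bytes, salt: bytes, i: int, j: int, hash_name: str = "sha1") -> bytes:
    # G(P, S, i, j) = HMAC_P(S || i || j), as written on slide 11.
    return hmac.new(password, salt + int32(i) + int32(j), hash_name).digest()


def pbkdf2_draft_1998(password: bytes, salt: bytes, c: int, dk_len: int,
                      hash_name: str = "sha1") -> bytes:
    # Slide 11: T_i = G(P,S,i,0) xor ... xor G(P,S,i,c-1); output the first dkLen
    # octets of T_1 || ... || T_l.  Varying i yields as many blocks as dkLen needs
    # (slide 12: "variable length through varying i").
    if c < 1 or dk_len < 1:
        raise ValueError("iteration count and key length must be positive")
    h_len = hashlib.new(hash_name).digest_size
    n_blocks = -(-dk_len // h_len)  # ceil(dkLen / hLen)
    out = bytearray()
    for i in range(1, n_blocks + 1):
        t = bytes(h_len)
        for j in range(c):
            # Each G term depends only on (P, S, i, j): the c terms of one block
            # are independent of one another.
            t = xor_bytes(t, g_term(password, salt, i, j, hash_name))
        out += t
    return bytes(out[:dk_len])


def pbkdf2_rfc2898(password: bytes, salt: bytes, c: int, dk_len: int,
                   hash_name: str = "sha1") -> bytes:
    # The form finally standardized (RFC 2898, later RFC 8018):
    #   U_1 = PRF(P, S || INT(i)),  U_j = PRF(P, U_{j-1}),  T_i = U_1 xor ... xor U_c.
    # Each U_j is the PRF of the previous one, so the c calls of a block run in sequence.
    if c < 1 or dk_len < 1:
        raise ValueError("iteration count and key length must be positive")
    h_len = hashlib.new(hash_name).digest_size
    n_blocks = -(-dk_len // h_len)
    out = bytearray()
    for i in range(1, n_blocks + 1):
        u = hmac.new(password, salt + int32(i), hash_name).digest()
        t = u
        for _ in range(c - 1):
            u = hmac.new(password, u, hash_name).digest()
            t = xor_bytes(t, u)
        out += t
    return bytes(out[:dk_len])


if __name__ == "__main__":
    # Constructed inputs (the password/salt pair of the RFC 6070 test vectors).
    print(pbkdf2_draft_1998(b"password", b"salt", 2, 20).hex())
    print(pbkdf2_rfc2898(b"password", b"salt", 2, 20).hex())
```

The standard library's `hashlib.pbkdf2_hmac` implements the RFC 2898 form and is what production code should call; the slide's form is reimplemented here only to make the draft's structure concrete. The difference worth noticing is the dependency chain: in the draft, the c terms of a block can be evaluated side by side, whereas in the standardized form each term is the PRF of the previous one, so the cost that "count complicates search" is meant to impose cannot be spread across parallel units within a block.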

13 New Encryption Scheme
1. Select salt S, iteration count c, key length dkLen
2. Apply KDF to derive key
   DK = KDF (P, S, c, dkLen)
3. Apply underlying encryption scheme
   C = Enc_DK (M)
   parameters such as IV selected separately

14 Message Authentication Scheme
1. Select salt S, iteration count c, key length dkLen
2. Apply KDF to derive key
   DK = KDF (P, S, c, dkLen)
3. Apply underlying message authentication scheme
   T = MAC_DK (M)

15 Addressing the Limitations
Algorithm restrictions:
  arbitrary (iterated) hash function
  arbitrary underlying encryption scheme
Theoretical deficiencies:
  formal model / security proof for KDF
  construction still has “entropy bottleneck”, but can support wider hash function; not a practical problem for passwords
Large maximum length for keys

16 Supporting Techniques
Encryption schemes:
  DES, DES-EDE3, RC2, RC5, all in CBC mode with PKCS #5 v1.5 padding
  DES-EDE2, DESX, RC4 to be added?
Message authentication schemes:
  HMAC-SHA-1
  others?

17 ASN.1 Syntax
Key derivation functions: only PBKDF2
Encryption schemes
Message authentication schemes

18 PBKDF2
Generic OID:
  id-pbkdf2 ::= pkcs-5.9
Parameters:
  PBKDF2-params ::= SEQUENCE {
    salt OCTET STRING,
    iterationCount INTEGER (1..),
    keyLength [0] INTEGER DEFAULT 16,
    hashFunc [1] AlgID {{pbkdf2Hashs}} DEFAULT sha1Identifier }

19 PBES1
Specific OIDs as in v1.5:
  pbeWithMD2AndDES-CBC ::= pkcs-5.1
  pbeWithMD5AndDES-CBC ::= pkcs-5.3
  pbeWithSHA1AndRC2-CBC ::= pkcs-5.8
Parameters:
  PBEParameter ::= SEQUENCE {
    salt OCTET STRING SIZE (8),
    iterationCount INTEGER }

20 PBES2
Generic OID:
  id-pbes2 ::= pkcs-5.10
Parameters:
  PBES2-params ::= SEQUENCE {
    kdf AlgID {{pbes2KDFs}},
    enc AlgID {{pbes2Encs}} }

21 PBMAC1
Generic OID:
  id-pbmac1 ::= pkcs-5.11
Parameters:
  PBMAC1-params ::= SEQUENCE {
    kdf AlgID {{pbmac1KDFs}},
    mac AlgID {{pbmac1Macs}} }
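
What the ASN.1 of slides 17 to 21 looks like on the wire, as an added example (not the presentation's or RSA's code), using the simplest of the structures, the PBES1 AlgorithmIdentifier of slide 19. It assumes DER encoding and that the pkcs-5 arc is 1.2.840.113549.1.5, so that "pkcs-5.3" on the slide denotes 1.2.840.113549.1.5.3; the encoder and the strict decoder are written from scratch here, and the decoder enforces the SIZE (8) constraint on the salt and rejects non-positive or truncated iteration counts rather than passing them to a KDF.

```python
# pkcs-5 ::= { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 5 }
# "pkcs-5.3" on slide 19 is arc component 3 below it.
PKCS5_ARC = (1, 2, 840, 113549, 1, 5)
OID_PBE_WITH_MD5_AND_DES_CBC = PKCS5_ARC + (3,)
TAG_INTEGER, TAG_OCTET_STRING, TAG_OID, TAG_SEQUENCE = 0x02, 0x04, 0x06, 0x30


def der_length(n: int) -> bytes:
    # Short form below 128; long form is (0x80 | number of length octets) + octets.
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_length(len(body)) + body


def der_integer(n: int) -> bytes:
    if n < 0:
        raise ValueError("only non-negative INTEGERs occur in these parameters")
    # One extra octet when the top bit is set keeps the two's-complement value positive.
    return der_tlv(TAG_INTEGER, n.to_bytes(n.bit_length() // 8 + 1, "big"))


def der_oid(arc: tuple) -> bytes:
    # First two components share one value (40*a + b); each component is base-128,
    # most significant group first, continuation bit set on all but the last octet.
    out = bytearray()
    for comp in (40 * arc[0] + arc[1],) + tuple(arc[2:]):
        groups = [comp & 0x7F]
        comp >>= 7
        while comp:
            groups.append(0x80 | (comp & 0x7F))
            comp >>= 7
        out += bytes(reversed(groups))
    return der_tlv(TAG_OID, bytes(out))


def encode_pbe_parameter(salt: bytes, count: int) -> bytes:
    # PBEParameter ::= SEQUENCE { salt OCTET STRING SIZE (8), iterationCount INTEGER }
    if len(salt) != 8:
        raise ValueError("PBEParameter salt is OCTET STRING SIZE (8)")
    if count < 1:
        raise ValueError("iterationCount must be positive")
    return der_tlv(TAG_SEQUENCE, der_tlv(TAG_OCTET_STRING, salt) + der_integer(count))


def encode_pbes1_algid(salt: bytes, count: int,
                       oid: tuple = OID_PBE_WITH_MD5_AND_DES_CBC) -> bytes:
    # AlgorithmIdentifier ::= SEQUENCE { algorithm OBJECT IDENTIFIER, parameters PBEParameter }
    return der_tlv(TAG_SEQUENCE, der_oid(oid) + encode_pbe_parameter(salt, count))


def _read_tlv(data: bytes, pos: int):
    # Returns (tag, body, position after the element); rejects truncated input.
    if pos + 2 > len(data):
        raise ValueError("truncated element")
    tag, first = data[pos], data[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(data):
            raise ValueError("unsupported or truncated length")
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    if pos + length > len(data):
        raise ValueError("truncated element body")
    return tag, data[pos:pos + length], pos + length


def decode_pbe_parameter(der: bytes):
    # Strict parse of PBEParameter: every constraint of the ASN.1 is checked.
    tag, body, end = _read_tlv(der, 0)
    if tag != TAG_SEQUENCE or end != len(der):
        raise ValueError("expected exactly one SEQUENCE")
    tag, salt, pos = _read_tlv(body, 0)
    if tag != TAG_OCTET_STRING or len(salt) != 8:
        raise ValueError("salt must be OCTET STRING SIZE (8)")
    tag, count_octets, pos = _read_tlv(body, pos)
    if tag != TAG_INTEGER or pos != len(body) or not count_octets:
        raise ValueError("expected iterationCount INTEGER as the last element")
    count = int.from_bytes(count_octets, "big", signed=True)  # two's complement
    if count < 1:
        raise ValueError("iterationCount must be positive")
    return salt, count


def decode_pbes1_algid(der: bytes):
    # Returns (DER of the algorithm OID, salt, iterationCount).
    tag, body, end = _read_tlv(der, 0)
    if tag != TAG_SEQUENCE or end != len(der):
        raise ValueError("expected exactly one SEQUENCE")
    tag, oid_body, pos = _read_tlv(body, 0)
    if tag != TAG_OID:
        raise ValueError("expected algorithm OBJECT IDENTIFIER")
    salt, count = decode_pbe_parameter(body[pos:])
    return der_tlv(TAG_OID, oid_body), salt, count


def is_valid_pbe_parameter(der: bytes) -> bool:
    try:
        decode_pbe_parameter(der)
        return True
    except ValueError:
        return False
```

With a constructed salt of 00 01 02 03 04 05 06 07 and count 2048 the parameters encode to 30 0E 04 08 ... 02 02 08 00, and the full AlgorithmIdentifier prefixes the OID 06 09 2A 86 48 86 F7 0D 01 05 03. The PBES2 and PBMAC1 parameters of slides 20 and 21 are SEQUENCEs of two nested AlgorithmIdentifiers and would be encoded with the same primitives.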

22 Discussion
New model
New KDF
New syntax
“Pepper” and usage information
Other password-based techniques
