Network Working Group B. Kaliski Request for Comments: 2898 RSA Laboratories Category: Informational September 2000
Network Working Group B. Kaliski Request for Comments: 2898 RSA Laboratories Category: Informational September 2000
PKCS #5: Password-Based Cryptography Specification Version 2.0
PKCS#5:基于密码的加密规范2.0版
Status of this Memo
本备忘录的状况
This memo provides information for the Internet community. It does not specify an Internet standard of any kind. Distribution of this memo is unlimited.
本备忘录为互联网社区提供信息。它没有规定任何类型的互联网标准。本备忘录的分发不受限制。
Copyright Notice
版权公告
Copyright (C) The Internet Society (2000). All Rights Reserved.
版权所有(C)互联网协会(2000年)。版权所有。
Abstract
摘要
This memo represents a republication of PKCS #5 v2.0 from RSA Laboratories' Public-Key Cryptography Standards (PKCS) series, and change control is retained within the PKCS process. The body of this document, except for the security considerations section, is taken directly from that specification.
本备忘录是RSA Laboratories公钥加密标准(PKCS)系列中PKCS#5 v2.0的再版,PKCS过程中保留更改控制。除安全注意事项部分外,本文档正文直接取自该规范。
This document provides recommendations for the implementation of password-based cryptography, covering key derivation functions, encryption schemes, message-authentication schemes, and ASN.1 syntax identifying the techniques.
本文档为基于密码的加密技术的实现提供了建议,包括密钥派生函数、加密方案、消息身份验证方案和识别技术的ASN.1语法。
The recommendations are intended for general application within computer and communications systems, and as such include a fair amount of flexibility. They are particularly intended for the protection of sensitive information such as private keys, as in PKCS #8 [25]. It is expected that application standards and implementation profiles based on these specifications may include additional constraints.
这些建议适用于计算机和通信系统中的一般应用,因此具有相当大的灵活性。它们特别用于保护敏感信息,如PKCS#8[25]中的私钥。预计基于这些规范的应用标准和实现概要可能包括附加约束。
Other cryptographic techniques based on passwords, such as password-based key entity authentication and key establishment protocols [4][5][26] are outside the scope of this document. Guidelines for the selection of passwords are also outside the scope.
其他基于密码的加密技术,如基于密码的密钥实体认证和密钥建立协议[4][5][26]不在本文件的范围内。选择密码的指南也不在范围之内。
Table of Contents
目录
1. Introduction ............................................... 3 2. Notation ................................................... 3 3. Overview ................................................... 4 4. Salt and iteration count ................................... 6 4.1 Salt ................................................... 6 4.2 Iteration count ........................................ 8 5. Key derivation functions ................................... 8 5.1 PBKDF1 ................................................. 9 5.2 PBKDF2 ................................................. 9 6. Encryption schemes ......................................... 11 6.1 PBES1 .................................................. 12 6.1.1 Encryption operation ............................ 12 6.1.2 Decryption operation ............................ 13 6.2 PBES2 .................................................. 14 6.2.1 Encryption operation ............................ 14 6.2.2 Decryption operation ............................ 15 7. Message authentication schemes ............................. 15 7.1 PBMAC1 ................................................. 16 7.1.1 MAC generation .................................. 16 7.1.2 MAC verification ................................ 16 8. Security Considerations .................................... 17 9. Author's Address............................................ 17 A. ASN.1 syntax ............................................... 18 A.1 PBKDF1 ................................................. 18 A.2 PBKDF2 ................................................. 18 A.3 PBES1 .................................................. 20 A.4 PBES2 .................................................. 20 A.5 PBMAC1 ................................................. 21 B. Supporting techniques ...................................... 22 B.1 Pseudorandom functions ................................. 22 B.2 Encryption schemes ..................................... 23 B.3 Message authentication schemes ......................... 26 C. ASN.1 module ............................................... 26 Intellectual Property Considerations ............................ 30 Revision history ................................................ 30 References ...................................................... 31 Contact Information & About PKCS ................................ 33 Full Copyright Statement ........................................ 34
1. Introduction ............................................... 3 2. Notation ................................................... 3 3. Overview ................................................... 4 4. Salt and iteration count ................................... 6 4.1 Salt ................................................... 6 4.2 Iteration count ........................................ 8 5. Key derivation functions ................................... 8 5.1 PBKDF1 ................................................. 9 5.2 PBKDF2 ................................................. 9 6. Encryption schemes ......................................... 11 6.1 PBES1 .................................................. 12 6.1.1 Encryption operation ............................ 12 6.1.2 Decryption operation ............................ 13 6.2 PBES2 .................................................. 14 6.2.1 Encryption operation ............................ 14 6.2.2 Decryption operation ............................ 15 7. Message authentication schemes ............................. 15 7.1 PBMAC1 ................................................. 16 7.1.1 MAC generation .................................. 16 7.1.2 MAC verification ................................ 16 8. Security Considerations .................................... 17 9. Author's Address............................................ 17 A. ASN.1 syntax ............................................... 18 A.1 PBKDF1 ................................................. 18 A.2 PBKDF2 ................................................. 18 A.3 PBES1 .................................................. 20 A.4 PBES2 .................................................. 20 A.5 PBMAC1 ................................................. 21 B. Supporting techniques ...................................... 22 B.1 Pseudorandom functions ................................. 22 B.2 Encryption schemes ..................................... 23 B.3 Message authentication schemes ......................... 26 C. ASN.1 module ............................................... 26 Intellectual Property Considerations ............................ 30 Revision history ................................................ 30 References ...................................................... 31 Contact Information & About PKCS ................................ 33 Full Copyright Statement ........................................ 34
This document provides recommendations for the implementation of password-based cryptography, covering the following aspects:
本文件提供了实施基于密码的加密的建议,包括以下方面:
- key derivation functions - encryption schemes - message-authentication schemes - ASN.1 syntax identifying the techniques
- 密钥派生函数.加密方案.消息认证方案.识别技术的ASN.1语法
The recommendations are intended for general application within computer and communications systems, and as such include a fair amount of flexibility. They are particularly intended for the protection of sensitive information such as private keys, as in PKCS #8 [25]. It is expected that application standards and implementation profiles based on these specifications may include additional constraints.
这些建议适用于计算机和通信系统中的一般应用,因此具有相当大的灵活性。它们特别用于保护敏感信息,如PKCS#8[25]中的私钥。预计基于这些规范的应用标准和实现概要可能包括附加约束。
Other cryptographic techniques based on passwords, such as password-based key entity authentication and key establishment protocols [4][5][26] are outside the scope of this document. Guidelines for the selection of passwords are also outside the scope.
其他基于密码的加密技术,如基于密码的密钥实体认证和密钥建立协议[4][5][26]不在本文件的范围内。选择密码的指南也不在范围之内。
This document supersedes PKCS #5 version 1.5 [24], but includes compatible techniques.
本文件取代PKCS第5版1.5[24],但包含兼容技术。
C ciphertext, an octet string
C密文,一个八位字符串
c iteration count, a positive integer
c迭代计数,一个正整数
DK derived key, an octet string
DK派生键,八位字节字符串
dkLen length in octets of derived key, a positive integer
dkLen派生密钥的八位字节长度,一个正整数
EM encoded message, an octet string
EM编码消息,八位字节字符串
Hash underlying hash function
哈希底层哈希函数
hLen length in octets of pseudorandom function output, a positive integer
hLen长度以八位字节为单位的伪随机函数输出,为正整数
l length in blocks of derived key, a positive integer
l派生密钥块的长度,正整数
IV initialization vector, an octet string
IV初始化向量,八位字节字符串
K encryption key, an octet string
K加密密钥,八位字节字符串
KDF key derivation function
KDF密钥派生函数
M message, an octet string
M消息,八位字节字符串
P password, an octet string
P密码,一个八位字节字符串
PRF underlying pseudorandom function
伪随机函数
PS padding string, an octet string
PS填充字符串,八位字节字符串
psLen length in octets of padding string, a positive integer
psLen填充字符串的八位字节长度,一个正整数
S salt, an octet string
S salt,一个八进制字符串
T message authentication code, an octet string
T消息身份验证码,八位字节字符串
T_1, ..., T_l, U_1, ..., U_c intermediate values, octet strings
T_1,…,T_l,U_1,…,U_c中间值,八位字符串
01, 02, ..., 08 octets with value 1, 2, ..., 8
01,02,…,08八位字节,值为1,2,…,8
\xor bit-wise exclusive-or of two octet strings
\两个八位字符串的异或按位异或
|| || octet length operator
|| || octet length operator
|| concatenation operator
||串联运算符
<i..j> substring extraction operator: extracts octets i through j, 0 <= i <= j
<i..j> substring extraction operator: extracts octets i through j, 0 <= i <= j
In many applications of public-key cryptography, user security is ultimately dependent on one or more secret text values or passwords. Since a password is not directly applicable as a key to any conventional cryptosystem, however, some processing of the password is required to perform cryptographic operations with it. Moreover, as passwords are often chosen from a relatively small space, special care is required in that processing to defend against search attacks.
在公钥密码的许多应用中,用户安全最终取决于一个或多个密文值或密码。然而,由于密码不能直接用作任何传统密码系统的密钥,因此需要对密码进行一些处理以对其执行加密操作。此外,由于密码通常是从相对较小的空间中选择的,因此在处理过程中需要特别小心,以防搜索攻击。
A general approach to password-based cryptography, as described by Morris and Thompson [8] for the protection of password tables, is to combine a password with a salt to produce a key. The salt can be viewed as an index into a large set of keys derived from the password, and need not be kept secret. Although it may be possible for an opponent to construct a table of possible passwords (a so-called "dictionary attack"), constructing a table of possible keys
Morris和Thompson[8]为保护密码表而描述的基于密码的加密的一般方法是将密码与salt结合起来生成密钥。salt可以看作是从密码派生的一大组密钥的索引,不需要保密。尽管对手可能会构造一个可能的密码表(所谓的“字典攻击”),但也可能会构造一个可能的密钥表
will be difficult, since there will be many possible keys for each password. An opponent will thus be limited to searching through passwords separately for each salt.
这将很困难,因为每个密码都有许多可能的密钥。因此,对手只能分别搜索每种盐的密码。
Another approach to password-based cryptography is to construct key derivation techniques that are relatively expensive, thereby increasing the cost of exhaustive search. One way to do this is to include an iteration count in the key derivation technique, indicating how many times to iterate some underlying function by which keys are derived. A modest number of iterations, say 1000, is not likely to be a burden for legitimate parties when computing a key, but will be a significant burden for opponents.
另一种基于密码的加密方法是构造相对昂贵的密钥派生技术,从而增加穷举搜索的成本。实现这一点的一种方法是在键派生技术中包含一个迭代计数,指示迭代某个派生键的底层函数的次数。在计算密钥时,适度的迭代次数(比如1000次)不太可能成为合法方的负担,但会成为对手的重大负担。
Salt and iteration count formed the basis for password-based encryption in PKCS #5 v1.5, and adopted here as well for the various cryptographic operations. Thus, password-based key derivation as defined here is a function of a password, a salt, and an iteration count, where the latter two quantities need not be kept secret.
Salt和迭代计数构成了PKCS#5 v1.5中基于密码的加密的基础,在这里也用于各种加密操作。因此,这里定义的基于密码的密钥派生是密码、salt和迭代计数的函数,其中后两个量不需要保密。
From a password-based key derivation function, it is straightforward to define password-based encryption and message authentication schemes. As in PKCS #5 v1.5, the password-based encryption schemes here are based on an underlying, conventional encryption scheme, where the key for the conventional scheme is derived from the password. Similarly, the password-based message authentication scheme is based on an underlying conventional scheme. This two-layered approach makes the password-based techniques modular in terms of the underlying techniques they can be based on.
通过基于密码的密钥派生函数,可以直接定义基于密码的加密和消息身份验证方案。与PKCS#5 v1.5一样,此处基于密码的加密方案基于底层的常规加密方案,其中常规方案的密钥来自密码。类似地,基于口令的消息认证方案基于底层传统方案。这种两层的方法使得基于密码的技术在它们可以基于的底层技术方面模块化。
It is expected that the password-based key derivation functions may find other applications than just the encryption and message authentication schemes defined here. For instance, one might derive a set of keys with a single application of a key derivation function, rather than derive each key with a separate application of the function. The keys in the set would be obtained as substrings of the output of the key derivation function. This approach might be employed as part of key establishment in a session-oriented protocol. Another application is password checking, where the output of the key derivation function is stored (along with the salt and iteration count) for the purposes of subsequent verification of a password.
预期基于密码的密钥派生函数可能会找到除此处定义的加密和消息身份验证方案之外的其他应用程序。例如,可以使用密钥派生函数的单个应用程序派生一组密钥,而不是使用函数的单独应用程序派生每个密钥。集合中的键将作为键派生函数输出的子串获得。这种方法可以作为面向会话协议中密钥建立的一部分。另一个应用程序是密码检查,其中存储密钥派生函数的输出(以及salt和迭代计数),以便随后验证密码。
Throughout this document, a password is considered to be an octet string of arbitrary length whose interpretation as a text string is unspecified. In the interest of interoperability, however, it is recommended that applications follow some common text encoding rules. ASCII and UTF-8 [27] are two possibilities. (ASCII is a subset of UTF-8.)
在本文档中,密码被视为任意长度的八位字节字符串,其解释为文本字符串未指定。但是,为了实现互操作性,建议应用程序遵循一些常见的文本编码规则。ASCII和UTF-8[27]是两种可能性。(ASCII是UTF-8的子集。)
Although the selection of passwords is outside the scope of this document, guidelines have been published [17] that may well be taken into account.
虽然密码的选择不在本文件的范围内,但已经发布了一些准则[17],这些准则可能会得到考虑。
Inasmuch as salt and iteration count are central to the techniques defined in this document, some further discussion is warranted.
由于salt和迭代计数是本文中定义的技术的核心,因此有必要进行进一步的讨论。
A salt in password-based cryptography has traditionally served the purpose of producing a large set of keys corresponding to a given password, among which one is selected at random according to the salt. An individual key in the set is selected by applying a key derivation function KDF, as
基于密码的加密中的salt传统上用于产生与给定密码相对应的大量密钥集,其中一个密钥根据salt随机选择。通过应用密钥派生函数KDF选择集合中的单个密钥,如下所示:
DK = KDF (P, S)
DK=KDF(P,S)
where DK is the derived key, P is the password, and S is the salt. This has two benefits:
其中DK是派生密钥,P是密码,S是salt。这有两个好处:
1. It is difficult for an opponent to precompute all the keys corresponding to a dictionary of passwords, or even the most likely keys. If the salt is 64 bits long, for instance, there will be as many as 2^64 keys for each password. An opponent is thus limited to searching for passwords after a password-based operation has been performed and the salt is known.
1. 对手很难预先计算与密码字典对应的所有密钥,甚至是最可能的密钥。例如,如果salt长度为64位,则每个密码将有多达2^64个密钥。因此,对手仅限于在执行基于密码的操作且已知salt后搜索密码。
2. It is unlikely that the same key will be selected twice. Again, if the salt is 64 bits long, the chance of "collision" between keys does not become significant until about 2^32 keys have been produced, according to the Birthday Paradox. This addresses some of the concerns about interactions between multiple uses of the same key, which may apply for some encryption and authentication techniques.
2. 同一个键不太可能被选择两次。同样,根据生日悖论,如果salt长度为64位,则在生成大约2^32个键之前,键之间的“碰撞”几率不会变得显著。这解决了关于同一密钥的多个使用之间的交互的一些问题,这可能适用于某些加密和身份验证技术。
In password-based encryption, the party encrypting a message can gain assurance that these benefits are realized simply by selecting a large and sufficiently random salt when deriving an encryption key from a password. A party generating a message authentication code can gain such assurance in a similar fashion.
在基于密码的加密中,加密消息的一方可以获得这样的保证,即在从密码导出加密密钥时,只需选择一个足够大且随机的salt即可实现这些好处。生成消息认证码的一方可以以类似的方式获得这种保证。
The party decrypting a message or verifying a message authentication code, however, cannot be sure that a salt supplied by another party has actually been generated at random. It is possible, for instance, that the salt may have been copied from another password-based operation, in an attempt to exploit interactions between multiple
然而,解密消息或验证消息身份验证码的一方无法确保另一方提供的salt实际上是随机生成的。例如,salt可能是从另一个基于密码的操作复制的,目的是利用多个操作之间的交互
uses of the same key. For instance, suppose two legitimate parties exchange a encrypted message, where the encryption key is an 80-bit key derived from a shared password with some salt. An opponent could take the salt from that encryption and provide it to one of the parties as though it were for a 40-bit key. If the party reveals the result of decryption with the 40-bit key, the opponent may be able to solve for the 40-bit key. In the case that 40-bit key is the first half of the 80-bit key, the opponent can then readily solve for the remaining 40 bits of the 80-bit key.
使用相同的密钥。例如,假设两个合法方交换一个加密消息,其中加密密钥是一个80位的密钥,该密钥来自于一个带有一些盐的共享密码。对手可以从加密中取出盐并将其提供给其中一方,就好像它是一个40位密钥。如果一方透露了使用40位密钥解密的结果,则对方可能能够解决40位密钥的问题。如果40位密钥是80位密钥的前半部分,则对手可以很容易地解出80位密钥的剩余40位。
To defend against such attacks, either the interaction between multiple uses of the same key should be carefully analyzed, or the salt should contain data that explicitly distinguishes between different operations. For instance, the salt might have an additional, non-random octet that specifies whether the derived key is for encryption, for message authentication, or for some other operation.
为了抵御此类攻击,要么仔细分析同一密钥的多次使用之间的交互,要么salt中应包含明确区分不同操作的数据。例如,salt可能有一个附加的非随机八位组,用于指定派生密钥是用于加密、消息身份验证还是用于其他操作。
Based on this, the following is recommended for salt selection:
基于此,建议选择以下盐:
1. If there is no concern about interactions between multiple uses of the same key (or a prefix of that key) with the password-based encryption and authentication techniques supported for a given password, then the salt may be generated at random and need not be checked for a particular format by the party receiving the salt. It should be at least eight octets (64 bits) long.
1. 如果不关心同一密钥(或该密钥的前缀)的多次使用与给定密码支持的基于密码的加密和认证技术之间的交互,则salt可以随机生成,并且无需由接收salt的一方检查特定格式。它应该至少有八个八位字节(64位)长。
2. Otherwise, the salt should contain data that explicitly distinguishes between different operations and different key lengths, in addition to a random part that is at least eight octets long, and this data should be checked or regenerated by the party receiving the salt. For instance, the salt could have an additional non-random octet that specifies the purpose of the derived key. Alternatively, it could be the encoding of a structure that specifies detailed information about the derived key, such as the encryption or authentication technique and a sequence number among the different keys derived from the password. The particular format of the additional data is left to the application.
2. 否则,salt应包含明确区分不同操作和不同密钥长度的数据,以及至少八个八位字节长的随机部分,并且该数据应由接收salt的一方检查或重新生成。例如,salt可以有一个额外的非随机八位组,用于指定派生密钥的用途。或者,它可以是指定有关派生密钥的详细信息的结构的编码,例如加密或身份验证技术以及从密码派生的不同密钥之间的序列号。附加数据的特定格式由应用程序决定。
Note. If a random number generator or pseudorandom generator is not available, a deterministic alternative for generating the salt (or the random part of it) is to apply a password-based key derivation function to the password and the message M to be processed. For instance, the salt could be computed with a key derivation function as S = KDF (P, M). This approach is not recommended if the message M
笔记如果随机数生成器或伪随机生成器不可用,则生成salt(或其随机部分)的确定替代方案是对密码和要处理的消息M应用基于密码的密钥派生函数。例如,salt可以用一个键派生函数S=KDF(P,M)来计算。如果消息M
is known to belong to a small message space (e.g., "Yes" or "No"), however, since then there will only be a small number of possible salts.
已知属于一个小的消息空间(例如,“是”或“否”),但是,从那时起,只有少量可能的盐。
An iteration count has traditionally served the purpose of increasing the cost of producing keys from a password, thereby also increasing the difficulty of attack. For the methods in this document, a minimum of 1000 iterations is recommended. This will increase the cost of exhaustive search for passwords significantly, without a noticeable impact in the cost of deriving individual keys.
迭代计数传统上用于增加从密码生成密钥的成本,从而也增加了攻击的难度。对于本文档中的方法,建议至少迭代1000次。这将显著增加彻底搜索密码的成本,而不会对获取单个密钥的成本产生显著影响。
A key derivation function produces a derived key from a base key and other parameters. In a password-based key derivation function, the base key is a password and the other parameters are a salt value and an iteration count, as outlined in Section 3.
密钥派生函数从基密钥和其他参数生成派生密钥。在基于密码的密钥派生函数中,基本密钥是密码,其他参数是salt值和迭代计数,如第3节所述。
The primary application of the password-based key derivation functions defined here is in the encryption schemes in Section 6 and the message authentication scheme in Section 7. Other applications are certainly possible, hence the independent definition of these functions.
此处定义的基于密码的密钥派生函数的主要应用在第6节的加密方案和第7节的消息认证方案中。其他应用当然是可能的,因此这些函数的独立定义。
Two functions are specified in this section: PBKDF1 and PBKDF2. PBKDF2 is recommended for new applications; PBKDF1 is included only for compatibility with existing applications, and is not recommended for new applications.
本节中指定了两个函数:PBKDF1和PBKDF2。PBKDF2建议用于新应用;PBKDF1仅用于与现有应用程序兼容,不建议用于新应用程序。
A typical application of the key derivation functions defined here might include the following steps:
此处定义的键派生函数的典型应用可能包括以下步骤:
1. Select a salt S and an iteration count c, as outlined in Section 4.
1. 选择一个salt S和一个迭代计数c,如第4节所述。
2. Select a length in octets for the derived key, dkLen.
2. 为派生键dkLen选择以八位字节为单位的长度。
3. Apply the key derivation function to the password, the salt, the iteration count and the key length to produce a derived key.
3. 将密钥派生函数应用于密码、salt、迭代计数和密钥长度,以生成派生密钥。
4. Output the derived key.
4. 输出派生密钥。
Any number of keys may be derived from a password by varying the salt, as described in Section 3.
如第3节所述,可通过改变salt从密码中导出任意数量的密钥。
PBKDF1 applies a hash function, which shall be MD2 [6], MD5 [19] or SHA-1 [18], to derive keys. The length of the derived key is bounded by the length of the hash function output, which is 16 octets for MD2 and MD5 and 20 octets for SHA-1. PBKDF1 is compatible with the key derivation process in PKCS #5 v1.5.
PBKDF1应用一个哈希函数,该函数应为MD2[6]、MD5[19]或SHA-1[18],以派生密钥。派生密钥的长度受哈希函数输出长度的限制,MD2和MD5为16个八位字节,SHA-1为20个八位字节。PBKDF1与PKCS#5 v1.5中的密钥派生过程兼容。
PBKDF1 is recommended only for compatibility with existing applications since the keys it produces may not be large enough for some applications.
PBKDF1仅建议与现有应用程序兼容,因为它生成的密钥可能对于某些应用程序来说不够大。
PBKDF1 (P, S, c, dkLen)
PBKDF1(P、S、c、dkLen)
Options: Hash underlying hash function
选项:哈希底层哈希函数
Input: P password, an octet string S salt, an eight-octet string c iteration count, a positive integer dkLen intended length in octets of derived key, a positive integer, at most 16 for MD2 or MD5 and 20 for SHA-1
输入:P密码,一个八位字符串S salt,一个八位字符串c迭代计数,一个正整数dkLen预期长度(以导出密钥的八位字节为单位),一个正整数,MD2或MD5最多16,SHA-1最多20
Output: DK derived key, a dkLen-octet string
输出:DK派生键,一个dkLen八位字节字符串
Steps:
步骤:
1. If dkLen > 16 for MD2 and MD5, or dkLen > 20 for SHA-1, output "derived key too long" and stop.
1. 如果MD2和MD5的dkLen>16,或SHA-1的dkLen>20,则输出“派生密钥太长”并停止。
2. Apply the underlying hash function Hash for c iterations to the concatenation of the password P and the salt S, then extract the first dkLen octets to produce a derived key DK:
2. 将基础哈希函数hash for c迭代应用于密码P和salt S的串联,然后提取第一个dkLen八位组以生成派生密钥DK:
T_1 = Hash (P || S) , T_2 = Hash (T_1) , ... T_c = Hash (T_{c-1}) , DK = Tc<0..dkLen-1>
T_1 = Hash (P || S) , T_2 = Hash (T_1) , ... T_c = Hash (T_{c-1}) , DK = Tc<0..dkLen-1>
3. Output the derived key DK.
3. 输出派生密钥DK。
PBKDF2 applies a pseudorandom function (see Appendix B.1 for an example) to derive keys. The length of the derived key is essentially unbounded. (However, the maximum effective search space for the
PBKDF2应用伪随机函数(示例见附录B.1)推导密钥。派生密钥的长度基本上是无界的。(但是
derived key may be limited by the structure of the underlying pseudorandom function. See Appendix B.1 for further discussion.) PBKDF2 is recommended for new applications.
派生密钥可能受到底层伪随机函数结构的限制。进一步讨论见附录B.1。)建议将PBKDF2用于新应用。
PBKDF2 (P, S, c, dkLen)
PBKDF2(P、S、c、dkLen)
Options: PRF underlying pseudorandom function (hLen denotes the length in octets of the pseudorandom function output)
选项:PRF基础伪随机函数(hLen表示伪随机函数输出的长度,以八位字节为单位)
Input: P password, an octet string S salt, an octet string c iteration count, a positive integer dkLen intended length in octets of the derived key, a positive integer, at most (2^32 - 1) * hLen
输入:P密码,一个八位字符串S salt,一个八位字符串c迭代计数,一个正整数dkLen指定长度,以导出密钥的八位字节为单位,一个正整数,最多(2^32-1)*hLen
Output: DK derived key, a dkLen-octet string
输出:DK派生键,一个dkLen八位字节字符串
Steps:
步骤:
1. If dkLen > (2^32 - 1) * hLen, output "derived key too long" and stop.
1. 如果dkLen>(2^32-1)*hLen,则输出“派生密钥太长”并停止。
2. Let l be the number of hLen-octet blocks in the derived key, rounding up, and let r be the number of octets in the last block:
2. 设l为导出密钥中的hLen八位组块数,向上取整,r为最后一个块中的八位组数:
l = CEIL (dkLen / hLen) , r = dkLen - (l - 1) * hLen .
l=CEIL(dkLen/hLen),r=dkLen-(l-1)*hLen。
Here, CEIL (x) is the "ceiling" function, i.e. the smallest integer greater than, or equal to, x.
这里,CEIL(x)是“上限”函数,即大于或等于x的最小整数。
3. For each block of the derived key apply the function F defined below to the password P, the salt S, the iteration count c, and the block index to compute the block:
3. 对于派生密钥的每个块,将下面定义的函数F应用于密码P、salt S、迭代计数c和块索引,以计算块:
T_1 = F (P, S, c, 1) , T_2 = F (P, S, c, 2) , ... T_l = F (P, S, c, l) ,
T_1=F(P,S,c,1),T_2=F(P,S,c,2)。。。T_l=F(P,S,c,l),
where the function F is defined as the exclusive-or sum of the first c iterates of the underlying pseudorandom function PRF applied to the password P and the concatenation of the salt S and the block index i:
其中,函数F被定义为应用于密码P的底层伪随机函数PRF的前c次迭代的异或和以及salt S和块索引i的串联:
F (P, S, c, i) = U_1 \xor U_2 \xor ... \xor U_c
F(P,S,c,i)=U_1\xor U_2\xor\xor U_c
where
哪里
U_1 = PRF (P, S || INT (i)) , U_2 = PRF (P, U_1) , ... U_c = PRF (P, U_{c-1}) .
U|U 1=PRF(P,S|INT(i)),U|U 2=PRF(P,U|U 1)。。。U_c=PRF(P,U_{c-1})。
Here, INT (i) is a four-octet encoding of the integer i, most significant octet first.
这里,INT(i)是整数i的四个八位组编码,最重要的八位组在前。
4. Concatenate the blocks and extract the first dkLen octets to produce a derived key DK:
4. 连接块并提取第一个dkLen八位组,以生成派生密钥DK:
DK = T_1 || T_2 || ... || T_l<0..r-1>
DK = T_1 || T_2 || ... || T_l<0..r-1>
5. Output the derived key DK.
5. 输出派生密钥DK。
Note. The construction of the function F follows a "belt-and-suspenders" approach. The iterates U_i are computed recursively to remove a degree of parallelism from an opponent; they are exclusive-ored together to reduce concerns about the recursion degenerating into a small set of values.
笔记功能F的构造遵循“皮带和吊杆”方法。迭代U_i递归计算,以消除对手的并行度;它们是异或的,以减少递归退化为一小部分值的担忧。
An encryption scheme, in the symmetric setting, consists of an encryption operation and a decryption operation, where the encryption operation produces a ciphertext from a message under a key, and the decryption operation recovers the message from the ciphertext under the same key. In a password-based encryption scheme, the key is a password.
对称设置下的加密方案包括加密操作和解密操作,其中加密操作从密钥下的消息生成密文,解密操作从相同密钥下的密文恢复消息。在基于密码的加密方案中,密钥是密码。
A typical application of a password-based encryption scheme is a private-key protection method, where the message contains private-key information, as in PKCS #8. The encryption schemes defined here would be suitable encryption algorithms in that context.
基于密码的加密方案的典型应用是私钥保护方法,其中消息包含私钥信息,如PKCS#8。这里定义的加密方案将是该上下文中合适的加密算法。
Two schemes are specified in this section: PBES1 and PBES2. PBES2 is recommended for new applications; PBES1 is included only for compatibility with existing applications, and is not recommended for new applications.
本节规定了两种方案:PBES1和PBES2。PBES2建议用于新的应用;PBES1仅用于与现有应用程序兼容,不建议用于新应用程序。
PBES1 combines the PBKDF1 function (Section 5.1) with an underlying block cipher, which shall be either DES [15] or RC2(tm) [21] in CBC mode [16]. PBES1 is compatible with the encryption scheme in PKCS #5 v1.5.
PBES1将PBKDF1功能(第5.1节)与基础分组密码相结合,该分组密码应为CBC模式下的DES[15]或RC2(tm)[21]。PBES1与PKCS#5 v1.5中的加密方案兼容。
PBES1 is recommended only for compatibility with existing applications, since it supports only two underlying encryption schemes, each of which has a key size (56 or 64 bits) that may not be large enough for some applications.
PBES1仅建议与现有应用程序兼容,因为它只支持两个底层加密方案,每个方案的密钥大小(56或64位)可能不足以满足某些应用程序的需要。
The encryption operation for PBES1 consists of the following steps, which encrypt a message M under a password P to produce a ciphertext C:
PBES1的加密操作包括以下步骤,这些步骤在密码P下加密消息M以生成密文C:
1. Select an eight-octet salt S and an iteration count c, as outlined in Section 4.
1. 如第4节所述,选择一个8个八位组的salt S和一个迭代计数c。
2. Apply the PBKDF1 key derivation function (Section 5.1) to the password P, the salt S, and the iteration count c to produce at derived key DK of length 16 octets:
2. 将PBKDF1密钥派生函数(第5.1节)应用于密码P、salt S和迭代计数c,以生成长度为16个八位字节的派生密钥DK:
DK = PBKDF1 (P, S, c, 16) .
DK=PBKDF1(P,S,c,16)。
3. Separate the derived key DK into an encryption key K consisting of the first eight octets of DK and an initialization vector IV consisting of the next eight octets:
3. 将导出密钥DK分离为加密密钥K,该密钥由DK的前八个八位字节组成,初始化向量IV由下八个八位字节组成:
K = DK<0..7> , IV = DK<8..15> .
K=DK<0..7>,IV=DK<8..15>。
4. Concatenate M and a padding string PS to form an encoded message EM:
4. 连接M和填充字符串PS以形成编码消息EM:
EM = M || PS ,
EM=M | | PS,
where the padding string PS consists of 8-(||M|| mod 8) octets each with value 8-(||M|| mod 8). The padding string PS will satisfy one of the following statements:
其中填充字符串PS由8-(| M | mod 8)个八位字节组成,每个八位字节的值为8-(| M | mod 8)。填充字符串PS将满足以下语句之一:
PS = 01, if ||M|| mod 8 = 7 ; PS = 02 02, if ||M|| mod 8 = 6 ; ... PS = 08 08 08 08 08 08 08 08, if ||M|| mod 8 = 0.
PS = 01, if ||M|| mod 8 = 7 ; PS = 02 02, if ||M|| mod 8 = 6 ; ... PS = 08 08 08 08 08 08 08 08, if ||M|| mod 8 = 0.
The length in octets of the encoded message will be a multiple of eight and it will be possible to recover the message M unambiguously from the encoded message. (This padding rule is taken from RFC 1423 [3].)
编码消息的长度(以八位字节为单位)将是8的倍数,并且可以从编码消息中毫不含糊地恢复消息M。(此填充规则取自RFC 1423[3]。)
5. Encrypt the encoded message EM with the underlying block cipher (DES or RC2) in cipher block chaining mode under the encryption key K with initialization vector IV to produce the ciphertext C. For DES, the key K shall be considered as a 64-bit encoding of a 56-bit DES key with parity bits ignored (see [9]). For RC2, the "effective key bits" shall be 64 bits.
5. 在加密密钥K和初始化向量IV下,以密码块链接模式使用基础分组密码(DES或RC2)对编码消息EM进行加密,以生成密文C。对于DES,密钥K应被视为56位DES密钥的64位编码,奇偶校验位被忽略(见[9])。对于RC2,“有效密钥位”应为64位。
6. Output the ciphertext C.
6. 输出密文C。
The salt S and the iteration count c may be conveyed to the party performing decryption in an AlgorithmIdentifier value (see Appendix A.3).
salt S和迭代计数c可以以算法标识符值传送给执行解密的一方(见附录A.3)。
The decryption operation for PBES1 consists of the following steps, which decrypt a ciphertext C under a password P to recover a message M:
PBES1的解密操作包括以下步骤,这些步骤解密密码P下的密文C以恢复消息M:
1. Obtain the eight-octet salt S and the iteration count c.
1. 获得八个八重态盐S和迭代计数c。
2. Apply the PBKDF1 key derivation function (Section 5.1) to the password P, the salt S, and the iteration count c to produce a derived key DK of length 16 octets:
2. 将PBKDF1密钥派生函数(第5.1节)应用于密码P、salt S和迭代计数c,以生成长度为16个八位字节的派生密钥DK:
DK = PBKDF1 (P, S, c, 16)
DK=PBKDF1(P,S,c,16)
3. Separate the derived key DK into an encryption key K consisting of the first eight octets of DK and an initialization vector IV consisting of the next eight octets:
3. 将导出密钥DK分离为加密密钥K,该密钥由DK的前八个八位字节组成,初始化向量IV由下八个八位字节组成:
K = DK<0..7> , IV = DK<8..15> .
K=DK<0..7>,IV=DK<8..15>。
4. Decrypt the ciphertext C with the underlying block cipher (DES or RC2) in cipher block chaining mode under the encryption key K with initialization vector IV to recover an encoded message EM. If the length in octets of the ciphertext C is not a multiple of eight, output "decryption error" and stop.
4. 在加密密钥K和初始化向量IV下,以密码块链接模式使用基础分组密码(DES或RC2)解密密文C,以恢复编码消息EM。如果密文C的八位字节长度不是8的倍数,则输出“解密错误”并停止。
5. Separate the encoded message EM into a message M and a padding string PS:
5. 将编码后的消息EM分离为消息M和填充字符串PS:
EM = M || PS ,
EM=M | | PS,
where the padding string PS consists of some number psLen octets each with value psLen, where psLen is between 1 and 8. If it is not possible to separate the encoded message EM in this manner, output "decryption error" and stop.
其中,填充字符串PS由若干个psLen八位组组成,每个八位组的值为psLen,其中psLen介于1和8之间。如果无法以这种方式分离编码消息EM,则输出“解密错误”并停止。
6. Output the recovered message M.
6. 输出恢复的消息M。
PBES2 combines a password-based key derivation function, which shall be PBKDF2 (Section 5.2) for this version of PKCS #5, with an underlying encryption scheme (see Appendix B.2 for examples). The key length and any other parameters for the underlying encryption scheme depend on the scheme.
PBES2结合了一个基于密码的密钥派生函数,对于本版本的PKCS#5,该函数应为PBKDF2(第5.2节),并带有一个底层加密方案(示例见附录B.2)。基础加密方案的密钥长度和任何其他参数取决于该方案。
PBES2 is recommended for new applications.
建议将PBES2用于新应用。
The encryption operation for PBES2 consists of the following steps, which encrypt a message M under a password P to produce a ciphertext C, applying a selected key derivation function KDF and a selected underlying encryption scheme:
PBES2的加密操作包括以下步骤,应用选定的密钥派生函数KDF和选定的基础加密方案,在密码P下加密消息M以生成密文C:
1. Select a salt S and an iteration count c, as outlined in Section 4.
1. 选择一个salt S和一个迭代计数c,如第4节所述。
2. Select the length in octets, dkLen, for the derived key for the underlying encryption scheme.
2. 为基础加密方案的派生密钥选择长度(以八位字节为单位,dkLen)。
3. Apply the selected key derivation function to the password P, the salt S, and the iteration count c to produce a derived key DK of length dkLen octets:
3. 将所选密钥派生函数应用于密码P、salt S和迭代计数c,以生成长度为dkLen八位字节的派生密钥DK:
DK = KDF (P, S, c, dkLen) .
DK=KDF(P,S,c,dkLen)。
4. Encrypt the message M with the underlying encryption scheme under the derived key DK to produce a ciphertext C. (This step may involve selection of parameters such as an initialization vector and padding, depending on the underlying scheme.)
4. 使用派生密钥DK下的基础加密方案对消息M进行加密,以生成密文C(该步骤可能涉及选择参数,例如初始化向量和填充,具体取决于基础方案)
5. Output the ciphertext C.
5. 输出密文C。
The salt S, the iteration count c, the key length dkLen, and identifiers for the key derivation function and the underlying encryption scheme may be conveyed to the party performing decryption in an AlgorithmIdentifier value (see Appendix A.4).
salt S、迭代计数c、密钥长度dkLen以及密钥派生函数和基础加密方案的标识符可以以算法标识符值传送给执行解密的一方(参见附录A.4)。
The decryption operation for PBES2 consists of the following steps, which decrypt a ciphertext C under a password P to recover a message M:
PBES2的解密操作包括以下步骤,这些步骤解密密码P下的密文C以恢复消息M:
1. Obtain the salt S for the operation.
1. 获取操作所需的盐。
2. Obtain the iteration count c for the key derivation function.
2. 获取键派生函数的迭代计数c。
3. Obtain the key length in octets, dkLen, for the derived key for the underlying encryption scheme.
3. 获取基础加密方案的派生密钥的密钥长度(以八位字节为单位,dkLen)。
4. Apply the selected key derivation function to the password P, the salt S, and the iteration count c to produce a derived key DK of length dkLen octets:
4. 将所选密钥派生函数应用于密码P、salt S和迭代计数c,以生成长度为dkLen八位字节的派生密钥DK:
DK = KDF (P, S, c, dkLen) .
DK=KDF(P,S,c,dkLen)。
5. Decrypt the ciphertext C with the underlying encryption scheme under the derived key DK to recover a message M. If the decryption function outputs "decryption error," then output "decryption error" and stop.
5. 使用派生密钥DK下的基础加密方案解密密文C以恢复消息M。如果解密函数输出“解密错误”,则输出“解密错误”并停止。
6. Output the recovered message M.
6. 输出恢复的消息M。
A message authentication scheme consists of a MAC (message authentication code) generation operation and a MAC verification operation, where the MAC generation operation produces a message authentication code from a message under a key, and the MAC verification operation verifies the message authentication code under the same key. In a password-based message authentication scheme, the key is a password.
消息认证方案包括MAC(消息认证码)生成操作和MAC验证操作,其中MAC生成操作从密钥下的消息生成消息认证码,MAC验证操作验证相同密钥下的消息认证码。在基于密码的消息身份验证方案中,密钥是密码。
One scheme is specified in this section: PBMAC1.
本节规定了一个方案:PBMAC1。
PBMAC1 combines a password-based key derivation function, which shall be PBKDF2 (Section 5.2) for this version of PKCS #5, with an underlying message authentication scheme (see Appendix B.3 for an example). The key length and any other parameters for the underlying message authentication scheme depend on the scheme.
PBMAC1结合了一个基于密码的密钥派生函数,该函数应为PBKDF2(第5.2节),适用于此版本的PKCS#5,并带有一个底层消息身份验证方案(示例见附录B.3)。基础消息身份验证方案的密钥长度和任何其他参数取决于该方案。
The MAC generation operation for PBMAC1 consists of the following steps, which process a message M under a password P to generate a message authentication code T, applying a selected key derivation function KDF and a selected underlying message authentication scheme:
PBMAC1的MAC生成操作包括以下步骤,这些步骤在密码P下处理消息M以生成消息认证码T,应用选择的密钥派生函数KDF和选择的底层消息认证方案:
1. Select a salt S and an iteration count c, as outlined in Section 4.
1. 选择一个salt S和一个迭代计数c,如第4节所述。
2. Select a key length in octets, dkLen, for the derived key for the underlying message authentication function.
2. 为基础消息身份验证函数的派生密钥选择一个密钥长度(以八位字节为单位,dkLen)。
3. Apply the selected key derivation function to the password P, the salt S, and the iteration count c to produce a derived key DK of length dkLen octets:
3. 将所选密钥派生函数应用于密码P、salt S和迭代计数c,以生成长度为dkLen八位字节的派生密钥DK:
DK = KDF (P, S, c, dkLen) .
DK=KDF(P,S,c,dkLen)。
4. Process the message M with the underlying message authentication scheme under the derived key DK to generate a message authentication code T.
4. 使用派生密钥DK下的底层消息认证方案处理消息M,以生成消息认证码T。
5. Output the message authentication code T.
5. 输出消息身份验证代码T。
The salt S, the iteration count c, the key length dkLen, and identifiers for the key derivation function and underlying message authentication scheme may be conveyed to the party performing verification in an AlgorithmIdentifier value (see Appendix A.5).
salt S、迭代计数c、密钥长度dkLen以及密钥派生函数和底层消息认证方案的标识符可以用算法标识符值传递给执行验证的一方(见附录A.5)。
The MAC verification operation for PBMAC1 consists of the following steps, which process a message M under a password P to verify a message authentication code T:
PBMAC1的MAC验证操作包括以下步骤,这些步骤在密码P下处理消息M以验证消息认证码T:
1. Obtain the salt S and the iteration count c.
1. 获得盐S和迭代计数c。
2. Obtain the key length in octets, dkLen, for the derived key for the underlying message authentication scheme.
2. 获取基础消息身份验证方案的派生密钥的密钥长度(以八位字节为单位,dkLen)。
3. Apply the selected key derivation function to the password P, the salt S, and the iteration count c to produce a derived key DK of length dkLen octets:
3. 将所选密钥派生函数应用于密码P、salt S和迭代计数c,以生成长度为dkLen八位字节的派生密钥DK:
DK = KDF (P, S, c, dkLen) .
DK=KDF(P,S,c,dkLen)。
4. Process the message M with the underlying message authentication scheme under the derived key DK to verify the message authentication code T.
4. 使用派生密钥DK下的底层消息认证方案处理消息M,以验证消息认证码T。
5. If the message authentication code verifies, output "correct"; else output "incorrect."
5. 如果消息验证码验证,则输出“正确”;否则输出“不正确”
Password-based cryptography is generally limited in the security that it can provide, particularly for methods such as those defined in this document where off-line password search is possible. While the use of salt and iteration count can increase the complexity of attack (see Section 4 for recommendations), it is essential that passwords are selected well, and relevant guidelines (e.g., [17]) should be taken into account. It is also important that passwords be protected well if stored.
基于密码的加密技术通常在其可提供的安全性方面受到限制,特别是对于本文档中定义的方法,其中可以进行离线密码搜索。虽然使用salt和迭代计数会增加攻击的复杂性(建议参见第4节),但必须选择好密码,并应考虑相关准则(例如[17])。同样重要的是,如果存储了密码,则应妥善保护密码。
In general, different keys should be derived from a password for different uses to minimize the possibility of unintended interactions. For password-based encryption with a single algorithm, a random salt is sufficient to ensure that different keys will be produced. In certain other situations, as outlined in Section 4, a structured salt is necessary. The recommendations in Section 4 should thus be taken into account when selecting the salt value.
一般来说,不同的密钥应该从不同用途的密码中派生,以最大限度地减少意外交互的可能性。对于使用单一算法的基于密码的加密,随机salt足以确保生成不同的密钥。在某些其他情况下,如第4节所述,有必要使用结构化盐。因此,在选择盐值时,应考虑第4节中的建议。
Burt Kaliski RSA Laboratories 20 Crosby Drive Bedford, MA 01730 USA
Burt Kaliski RSA Laboratories美国马萨诸塞州贝德福德克罗斯比大道20号01730
EMail: bkaliski@rsasecurity.com
EMail: bkaliski@rsasecurity.com
APPENDICES
附录
A. ASN.1 Syntax
A.ASN.1语法
This section defines ASN.1 syntax for the key derivation functions, the encryption schemes, the message authentication scheme, and supporting techniques. The intended application of these definitions includes PKCS #8 and other syntax for key management, encrypted data, and integrity-protected data. (Various aspects of ASN.1 are specified in several ISO/IEC standards [9][10][11][12][13][14].)
本节定义了密钥派生函数、加密方案、消息身份验证方案和支持技术的ASN.1语法。这些定义的预期应用包括PKCS#8和用于密钥管理、加密数据和完整性保护数据的其他语法。(一些ISO/IEC标准[9][10][11][12][13][14]中规定了ASN.1的各个方面。)
The object identifier pkcs-5 identifies the arc of the OID tree from which the PKCS #5-specific OIDs in this section are derived:
对象标识符pkcs-5标识OID树的弧,本节中pkcs#5特定OID是从该弧派生的:
rsadsi OBJECT IDENTIFIER ::= {iso(1) member-body(2) us(840) 113549} pkcs OBJECT IDENTIFIER ::= {rsadsi 1} pkcs-5 OBJECT IDENTIFIER ::= {pkcs 5}
rsadsi OBJECT IDENTIFIER ::= {iso(1) member-body(2) us(840) 113549} pkcs OBJECT IDENTIFIER ::= {rsadsi 1} pkcs-5 OBJECT IDENTIFIER ::= {pkcs 5}
No object identifier is given for PBKDF1, as the object identifiers for PBES1 are sufficient for existing applications and PBKDF2 is recommended for new applications.
没有为PBKDF1提供对象标识符,因为PBES1的对象标识符对于现有应用程序足够,而PBKDF2推荐用于新应用程序。
The object identifier id-PBKDF2 identifies the PBKDF2 key derivation function (Section 5.2).
对象标识符id-PBKDF2标识PBKDF2密钥派生函数(第5.2节)。
id-PBKDF2 OBJECT IDENTIFIER ::= {pkcs-5 12}
id-PBKDF2 OBJECT IDENTIFIER ::= {pkcs-5 12}
The parameters field associated with this OID in an AlgorithmIdentifier shall have type PBKDF2-params:
算法标识符中与此OID相关的参数字段应具有PBKDF2参数类型:
PBKDF2-params ::= SEQUENCE { salt CHOICE { specified OCTET STRING, otherSource AlgorithmIdentifier {{PBKDF2-SaltSources}} }, iterationCount INTEGER (1..MAX), keyLength INTEGER (1..MAX) OPTIONAL, prf AlgorithmIdentifier {{PBKDF2-PRFs}} DEFAULT algid-hmacWithSHA1 }
PBKDF2-params ::= SEQUENCE { salt CHOICE { specified OCTET STRING, otherSource AlgorithmIdentifier {{PBKDF2-SaltSources}} }, iterationCount INTEGER (1..MAX), keyLength INTEGER (1..MAX) OPTIONAL, prf AlgorithmIdentifier {{PBKDF2-PRFs}} DEFAULT algid-hmacWithSHA1 }
The fields of type PKDF2-params have the following meanings:
PKDF2 params类型的字段具有以下含义:
- salt specifies the salt value, or the source of the salt value. It shall either be an octet string or an algorithm ID with an OID in the set PBKDF2-SaltSources, which is reserved for future versions of PKCS #5.
- salt指定salt值或salt值的来源。它应该是一个八位字节字符串,或者是一个算法ID,在集合PBKDF2 SaltSources中有一个OID,这是为PKCS#5的未来版本保留的。
The salt-source approach is intended to indicate how the salt value is to be generated as a function of parameters in the algorithm ID, application data, or both. For instance, it may indicate that the salt value is produced from the encoding of a structure that specifies detailed information about the derived key as suggested in Section 4.1. Some of the information may be carried elsewhere, e.g., in the encryption algorithm ID. However, such facilities are deferred to a future version of PKCS #5.
salt源方法旨在指示如何根据算法ID、应用程序数据或两者中的参数生成salt值。例如,它可能表示salt值是通过编码一个结构产生的,该结构指定了第4.1节中建议的有关派生密钥的详细信息。一些信息可能会被带到其他地方,例如加密算法ID中。但是,这些设施会推迟到PKCS#5的未来版本。
In this version, an application may achieve the benefits mentioned in Section 4.1 by choosing a particular interpretation of the salt value in the specified alternative.
在本版本中,应用程序可通过在指定替代方案中选择盐值的特定解释来实现第4.1节中提到的好处。
PBKDF2-SaltSources ALGORITHM-IDENTIFIER ::= { ... }
PBKDF2-SaltSources ALGORITHM-IDENTIFIER ::= { ... }
- iterationCount specifies the iteration count. The maximum iteration count allowed depends on the implementation. It is expected that implementation profiles may further constrain the bounds.
- iterationCount指定迭代计数。允许的最大迭代次数取决于实现。预计实现概要文件可能会进一步限制边界。
- keyLength, an optional field, is the length in octets of the derived key. The maximum key length allowed depends on the implementation; it is expected that implementation profiles may further constrain the bounds. The field is provided for convenience only; the key length is not cryptographically protected. If there is concern about interaction between operations with different key lengths for a given salt (see Section 4.1), the salt should distinguish among the different key lengths.
- keyLength是一个可选字段,是派生密钥的长度(以八位字节为单位)。允许的最大密钥长度取决于实现;预计实现概要文件可能会进一步限制边界。该字段仅为方便而提供;密钥长度不受加密保护。如果对给定salt的不同键长操作之间的相互作用存在顾虑(见第4.1节),salt应区分不同键长。
- prf identifies the underlying pseudorandom function. It shall be an algorithm ID with an OID in the set PBKDF2-PRFs, which for this version of PKCS #5 shall consist of id-hmacWithSHA1 (see Appendix B.1.1) and any other OIDs defined by the application.
- prf识别底层伪随机函数。它应该是一个算法ID,在PBKDF2 PRFs集合中有一个OID,对于本版本的PKCS#5,它应该由ID-hmacWithSHA1(见附录B.1.1)和应用程序定义的任何其他OID组成。
PBKDF2-PRFs ALGORITHM-IDENTIFIER ::= { {NULL IDENTIFIED BY id-hmacWithSHA1}, ... }
PBKDF2-PRFs ALGORITHM-IDENTIFIER ::= { {NULL IDENTIFIED BY id-hmacWithSHA1}, ... }
The default pseudorandom function is HMAC-SHA-1:
默认的伪随机函数为HMAC-SHA-1:
algid-hmacWithSHA1 AlgorithmIdentifier {{PBKDF2-PRFs}} ::= {algorithm id-hmacWithSHA1, parameters NULL : NULL}
algid-hmacWithSHA1 AlgorithmIdentifier {{PBKDF2-PRFs}} ::= {algorithm id-hmacWithSHA1, parameters NULL : NULL}
Different object identifiers identify the PBES1 encryption scheme (Section 6.1) according to the underlying hash function in the key derivation function and the underlying block cipher, as summarized in the following table:
不同的对象标识符根据密钥派生函数中的底层哈希函数和底层分组密码识别PBES1加密方案(第6.1节),如下表所示:
Hash Function Block Cipher OID MD2 DES pkcs-5.1 MD2 RC2 pkcs-5.4 MD5 DES pkcs-5.3 MD5 RC2 pkcs-5.6 SHA-1 DES pkcs-5.10 SHA-1 RC2 pkcs-5.11
散列函数分组密码OID MD2 DES pkcs-5.1 MD2 RC2 pkcs-5.4 MD5 DES pkcs-5.3 MD5 RC2 pkcs-5.6 SHA-1 DES pkcs-5.10 SHA-1 RC2 pkcs-5.11
pbeWithMD2AndDES-CBC OBJECT IDENTIFIER ::= {pkcs-5 1} pbeWithMD2AndRC2-CBC OBJECT IDENTIFIER ::= {pkcs-5 4} pbeWithMD5AndDES-CBC OBJECT IDENTIFIER ::= {pkcs-5 3} pbeWithMD5AndRC2-CBC OBJECT IDENTIFIER ::= {pkcs-5 6} pbeWithSHA1AndDES-CBC OBJECT IDENTIFIER ::= {pkcs-5 10} pbeWithSHA1AndRC2-CBC OBJECT IDENTIFIER ::= {pkcs-5 11}
pbeWithMD2AndDES-CBC OBJECT IDENTIFIER ::= {pkcs-5 1} pbeWithMD2AndRC2-CBC OBJECT IDENTIFIER ::= {pkcs-5 4} pbeWithMD5AndDES-CBC OBJECT IDENTIFIER ::= {pkcs-5 3} pbeWithMD5AndRC2-CBC OBJECT IDENTIFIER ::= {pkcs-5 6} pbeWithSHA1AndDES-CBC OBJECT IDENTIFIER ::= {pkcs-5 10} pbeWithSHA1AndRC2-CBC OBJECT IDENTIFIER ::= {pkcs-5 11}
For each OID, the parameters field associated with the OID in an AlgorithmIdentifier shall have type PBEParameter:
对于每个OID,算法标识符中与OID相关的参数字段应具有PBEParameter类型:
PBEParameter ::= SEQUENCE { salt OCTET STRING (SIZE(8)), iterationCount INTEGER }
PBEParameter ::= SEQUENCE { salt OCTET STRING (SIZE(8)), iterationCount INTEGER }
The fields of type PBEParameter have the following meanings:
PBEParameter类型的字段具有以下含义:
- salt specifies the salt value, an eight-octet string.
- salt指定salt值,一个八位字节的字符串。
- iterationCount specifies the iteration count.
- iterationCount指定迭代计数。
The object identifier id-PBES2 identifies the PBES2 encryption scheme (Section 6.2).
对象标识符id-PBES2标识PBES2加密方案(第6.2节)。
id-PBES2 OBJECT IDENTIFIER ::= {pkcs-5 13}
id-PBES2 OBJECT IDENTIFIER ::= {pkcs-5 13}
The parameters field associated with this OID in an AlgorithmIdentifier shall have type PBES2-params:
算法标识符中与此OID相关的参数字段应具有PBES2参数类型:
PBES2-params ::= SEQUENCE { keyDerivationFunc AlgorithmIdentifier {{PBES2-KDFs}}, encryptionScheme AlgorithmIdentifier {{PBES2-Encs}} }
PBES2-params ::= SEQUENCE { keyDerivationFunc AlgorithmIdentifier {{PBES2-KDFs}}, encryptionScheme AlgorithmIdentifier {{PBES2-Encs}} }
The fields of type PBES2-params have the following meanings:
PBES2 params类型的字段具有以下含义:
- keyDerivationFunc identifies the underlying key derivation function. It shall be an algorithm ID with an OID in the set PBES2-KDFs, which for this version of PKCS #5 shall consist of id-PBKDF2 (Appendix A.2).
- keyDerivationFunc标识基础密钥派生函数。它应该是一个算法ID,在PBES2 KDF集合中有一个OID,对于这个版本的PKCS#5,它应该由ID-PBKDF2组成(附录A.2)。
PBES2-KDFs ALGORITHM-IDENTIFIER ::= { {PBKDF2-params IDENTIFIED BY id-PBKDF2}, ... }
PBES2-KDFs ALGORITHM-IDENTIFIER ::= { {PBKDF2-params IDENTIFIED BY id-PBKDF2}, ... }
- encryptionScheme identifies the underlying encryption scheme. It shall be an algorithm ID with an OID in the set PBES2-Encs, whose definition is left to the application. Example underlying encryption schemes are given in Appendix B.2.
- encryptionScheme标识基础加密方案。它应该是一个算法ID,集合PBES2 Encs中有一个OID,其定义留给应用程序。附录B.2中给出了基础加密方案的示例。
PBES2-Encs ALGORITHM-IDENTIFIER ::= { ... }
PBES2-Encs ALGORITHM-IDENTIFIER ::= { ... }
The object identifier id-PBMAC1 identifies the PBMAC1 message authentication scheme (Section 7.1).
对象标识符id-PBMAC1标识PBMAC1消息认证方案(第7.1节)。
id-PBMAC1 OBJECT IDENTIFIER ::= {pkcs-5 14}
id-PBMAC1 OBJECT IDENTIFIER ::= {pkcs-5 14}
The parameters field associated with this OID in an AlgorithmIdentifier shall have type PBMAC1-params:
算法标识符中与此OID相关的参数字段应具有PBMAC1型参数:
PBMAC1-params ::= SEQUENCE { keyDerivationFunc AlgorithmIdentifier {{PBMAC1-KDFs}}, messageAuthScheme AlgorithmIdentifier {{PBMAC1-MACs}} }
PBMAC1-params ::= SEQUENCE { keyDerivationFunc AlgorithmIdentifier {{PBMAC1-KDFs}}, messageAuthScheme AlgorithmIdentifier {{PBMAC1-MACs}} }
The keyDerivationFunc field has the same meaning as the corresponding field of PBES2-params (Appendix A.4) except that the set of OIDs is PBMAC1-KDFs.
keyDerivationFunc字段与PBES2参数的相应字段(附录A.4)具有相同的含义,但OID集为PBMAC1 KDFs。
PBMAC1-KDFs ALGORITHM-IDENTIFIER ::= { {PBKDF2-params IDENTIFIED BY id-PBKDF2}, ... }
PBMAC1-KDFs ALGORITHM-IDENTIFIER ::= { {PBKDF2-params IDENTIFIED BY id-PBKDF2}, ... }
The messageAuthScheme field identifies the underlying message authentication scheme. It shall be an algorithm ID with an OID in the set PBMAC1-MACs, whose definition is left to the application. Example underlying encryption schemes are given in Appendix B.3.
messageAuthScheme字段标识基础消息身份验证方案。它应该是一个算法ID,在集合PBMAC1 MAC中有一个OID,其定义留给应用程序。附录B.3中给出了基础加密方案的示例。
PBMAC1-MACs ALGORITHM-IDENTIFIER ::= { ... }
PBMAC1-MACs ALGORITHM-IDENTIFIER ::= { ... }
B. Supporting Techniques
B.支持技术
This section gives several examples of underlying functions and schemes supporting the password-based schemes in Sections 5, 6 and 7.
本节给出了支持第5、6和7节中基于密码方案的基础功能和方案的几个示例。
While these supporting techniques are appropriate for applications to implement, none of them is required to be implemented. It is expected, however, that profiles for PKCS #5 will be developed that specify particular supporting techniques.
虽然这些支持技术适合于应用程序的实现,但它们都不需要实现。然而,预计PKCS#5的配置文件将被开发,以指定特定的支持技术。
This section also gives object identifiers for the supporting techniques. The object identifiers digestAlgorithm and encryptionAlgorithm identify the arcs from which certain algorithm OIDs referenced in this section are derived:
本节还提供了支持技术的对象标识符。对象标识符digestAlgorithm和encryptionAlgorithm识别本节中引用的某些算法OID的派生弧:
digestAlgorithm OBJECT IDENTIFIER ::= {rsadsi 2} encryptionAlgorithm OBJECT IDENTIFIER ::= {rsadsi 3}
digestAlgorithm OBJECT IDENTIFIER ::= {rsadsi 2} encryptionAlgorithm OBJECT IDENTIFIER ::= {rsadsi 3}
An example pseudorandom function for PBKDF2 (Section 5.2) is HMAC-SHA-1.
PBKDF2(第5.2节)的伪随机函数示例为HMAC-SHA-1。
HMAC-SHA-1 is the pseudorandom function corresponding to the HMAC message authentication code [7] based on the SHA-1 hash function [18]. The pseudorandom function is the same function by which the message authentication code is computed, with a full-length output. (The first argument to the pseudorandom function PRF serves as HMAC's "key," and the second serves as HMAC's "text." In the case of PBKDF2, the "key" is thus the password and the "text" is the salt.) HMAC-SHA-1 has a variable key length and a 20-octet (160-bit) output value.
HMAC-SHA-1是与基于SHA-1散列函数[18]的HMAC消息认证码[7]相对应的伪随机函数。伪随机函数与计算消息身份验证码的函数相同,具有全长输出。(伪随机函数PRF的第一个参数用作HMAC的“密钥”,第二个参数用作HMAC的“文本”。在PBKDF2的情况下,“密钥”因此是密码,“文本”是盐。)HMAC-SHA-1具有可变密钥长度和20个八位组(160位)的输出值。
Although the length of the key to HMAC-SHA-1 is essentially unbounded, the effective search space for pseudorandom function outputs may be limited by the structure of the function. In particular, when the key is longer than 512 bits, HMAC-SHA-1 will first hash it to 160 bits. Thus, even if a long derived key consisting of several pseudorandom function outputs is produced from a key, the effective search space for the derived key will be at most 160 bits. Although the specific limitation for other key sizes depends on details of the HMAC construction, one should assume, to be conservative, that the effective search space is limited to 160 bits for other key sizes as well.
尽管HMAC-SHA-1密钥的长度基本上是无界的,但伪随机函数输出的有效搜索空间可能受到函数结构的限制。特别是,当密钥长度超过512位时,HMAC-SHA-1将首先将其散列到160位。因此,即使从密钥生成由多个伪随机函数输出组成的长派生密钥,该派生密钥的有效搜索空间将最多为160位。尽管其他密钥大小的具体限制取决于HMAC构造的细节,但保守地说,对于其他密钥大小,有效搜索空间也应限制为160位。
(The 160-bit limitation should not generally pose a practical limitation in the case of password-based cryptography, since the search space for a password is unlikely to be greater than 160 bits.)
(对于基于密码的加密,160位限制通常不应构成实际限制,因为密码的搜索空间不太可能大于160位。)
The object identifier id-hmacWithSHA1 identifies the HMAC-SHA-1 pseudorandom function:
对象标识符id-hmacWithSHA1标识HMAC-SHA-1伪随机函数:
id-hmacWithSHA1 OBJECT IDENTIFIER ::= {digestAlgorithm 7}
id-hmacWithSHA1 OBJECT IDENTIFIER ::= {digestAlgorithm 7}
The parameters field associated with this OID in an AlgorithmIdentifier shall have type NULL. This object identifier is employed in the object set PBKDF2-PRFs (Appendix A.2).
算法标识符中与此OID关联的参数字段的类型应为NULL。该对象标识符用于对象集PBKDF2 PRFs(附录A.2)。
Note. Although HMAC-SHA-1 was designed as a message authentication code, its proof of security is readily modified to accommodate requirements for a pseudorandom function, under stronger assumptions.
笔记尽管HMAC-SHA-1被设计为消息身份验证码,但在更严格的假设下,其安全性证明很容易修改,以适应伪随机函数的要求。
A hash function may also meet the requirements of a pseudorandom function under certain assumptions. For instance, the direct application of a hash function to to the concatenation of the "key" and the "text" may be appropriate, provided that "text" has appropriate structure to prevent certain attacks. HMAC-SHA-1 is preferable, however, because it treats "key" and "text" as separate arguments and does not require "text" to have any structure.
在某些假设下,哈希函数也可以满足伪随机函数的要求。例如,如果“文本”具有防止某些攻击的适当结构,则直接将散列函数应用于“键”和“文本”的串联可能是适当的。然而,HMAC-SHA-1更可取,因为它将“键”和“文本”视为单独的参数,并且不要求“文本”具有任何结构。
Example pseudorandom functions for PBES2 (Section 6.2) are DES-CBC-Pad, DES-EDE2-CBC-Pad, RC2-CBC-Pad, and RC5-CBC-Pad.
PBES2(第6.2节)的伪随机函数示例为DES CBC Pad、DES-EDE2-CBC-Pad、RC2 CBC Pad和RC5 CBC Pad。
The object identifiers given in this section are intended to be employed in the object set PBES2-Encs (Appendix A.4).
本节中给出的对象标识符拟用于对象集PBES2 Encs(附录A.4)。
DES-CBC-Pad is single-key DES [15] in CBC mode [16] with the RFC 1423 padding operation (see Section 6.1.1). DES-CBC-Pad has an eight-octet encryption key and an eight-octet initialization vector. The key is considered as a 64-bit encoding of a 56-bit DES key with parity bits ignored.
DES CBC Pad是CBC模式[16]下的单键DES[15],具有RFC 1423填充操作(见第6.1.1节)。DES CBC Pad具有八个八位字节的加密密钥和八个八位字节的初始化向量。该密钥被视为56位DES密钥的64位编码,奇偶校验位被忽略。
The object identifier desCBC (defined in the NIST/OSI Implementors' Workshop agreements) identifies the DES-CBC-Pad encryption scheme:
对象标识符desCBC(在NIST/OSI实施者研讨会协议中定义)标识DES CBC Pad加密方案:
desCBC OBJECT IDENTIFIER ::= {iso(1) identified-organization(3) oiw(14) secsig(3) algorithms(2) 7}
desCBC OBJECT IDENTIFIER ::= {iso(1) identified-organization(3) oiw(14) secsig(3) algorithms(2) 7}
The parameters field associated with this OID in an AlgorithmIdentifier shall have type OCTET STRING (SIZE(8)), specifying the initialization vector for CBC mode.
算法标识符中与此OID相关联的参数字段应具有类型八位字符串(大小(8)),用于指定CBC模式的初始化向量。
DES-EDE3-CBC-Pad is three-key triple-DES in CBC mode [1] with the RFC 1423 padding operation. DES-EDE3-CBC-Pad has a 24-octet encryption key and an eight-octet initialization vector. The key is considered as the concatenation of three eight-octet keys, each of which is a 64-bit encoding of a 56-bit DES key with parity bits ignored.
DES-EDE3-CBC-Pad是CBC模式[1]下的三键三重DES,具有RFC 1423填充操作。DES-EDE3-CBC-Pad具有24个八位字节的加密密钥和8个八位字节的初始化向量。该密钥被视为三个八位八位组密钥的串联,每个密钥是56位DES密钥的64位编码,奇偶校验位被忽略。
The object identifier des-EDE3-CBC identifies the DES-EDE3-CBC-Pad encryption scheme:
对象标识符des-EDE3-CBC标识des-EDE3-CBC-Pad加密方案:
des-EDE3-CBC OBJECT IDENTIFIER ::= {encryptionAlgorithm 7}
des-EDE3-CBC OBJECT IDENTIFIER ::= {encryptionAlgorithm 7}
The parameters field associated with this OID in an AlgorithmIdentifier shall have type OCTET STRING (SIZE(8)), specifying the initialization vector for CBC mode.
算法标识符中与此OID相关联的参数字段应具有类型八位字符串(大小(8)),用于指定CBC模式的初始化向量。
Note. An OID for DES-EDE3-CBC without padding is given in ANSI X9.52 [1]; the one given here is preferred since it specifies padding.
笔记ANSI X9.52[1]中给出了无填充的DES-EDE3-CBC的OID;这里给出的一个是首选的,因为它指定了填充。
RC2-CBC-Pad is the RC2(tm) encryption algorithm [21] in CBC mode with the RFC 1423 padding operation. RC2-CBC-Pad has a variable key length, from one to 128 octets, a separate "effective key bits" parameter from one to 1024 bits that limits the effective search space independent of the key length, and an eight-octet initialization vector.
RC2 CBC Pad是具有RFC 1423填充操作的CBC模式下的RC2(tm)加密算法[21]。RC2 CBC Pad具有一个从1到128个八位字节的可变密钥长度、一个从1到1024位的单独“有效密钥位”参数(该参数限制了与密钥长度无关的有效搜索空间)以及一个8个八位字节的初始化向量。
The object identifier rc2CBC identifies the RC2-CBC-Pad encryption scheme:
对象标识符rc2CBC标识RC2 CBC Pad加密方案:
rc2CBC OBJECT IDENTIFIER ::= {encryptionAlgorithm 2}
rc2CBC OBJECT IDENTIFIER ::= {encryptionAlgorithm 2}
The parameters field associated with OID in an AlgorithmIdentifier shall have type RC2-CBC-Parameter:
算法标识符中与OID相关的参数字段应具有类型RC2 CBC参数:
RC2-CBC-Parameter ::= SEQUENCE { rc2ParameterVersion INTEGER OPTIONAL, iv OCTET STRING (SIZE(8)) }
RC2-CBC-Parameter ::= SEQUENCE { rc2ParameterVersion INTEGER OPTIONAL, iv OCTET STRING (SIZE(8)) }
The fields of type RC2-CBCParameter have the following meanings:
RC2 CBC参数类型的字段具有以下含义:
- rc2ParameterVersion is a proprietary RSA Security Inc. encoding of the "effective key bits" for RC2. The following encodings are defined:
- rc2ParameterVersion是RSA Security Inc.专有的RC2“有效密钥位”编码。定义了以下编码:
Effective Key Bits Encoding 40 160 64 120 128 58 b >= 256 b
有效密钥位编码40 160 64 120 128 58 b>=256 b
If the rc2ParameterVersion field is omitted, the "effective key bits" defaults to 32. (This is for backward compatibility with certain very old implementations.)
如果省略rc2ParameterVersion字段,“有效密钥位”默认为32。(这是为了向后兼容某些非常旧的实现。)
- iv is the eight-octet initialization vector.
- iv是八个八位组的初始化向量。
RC5-CBC-Pad is the RC5(tm) encryption algorithm [20] in CBC mode with a generalization of the RFC 1423 padding operation. This scheme is fully specified in [2]. RC5-CBC-Pad has a variable key length, from 0 to 256 octets, and supports both a 64-bit block size and a 128-bit block size. For the former, it has an eight-octet initialization vector, and for the latter, a 16-octet initialization vector. RC5-CBC-Pad also has a variable number of "rounds" in the encryption operation, from 8 to 127.
RC5 CBC Pad是CBC模式下的RC5(tm)加密算法[20],是RFC 1423填充操作的推广。该方案在[2]中有详细说明。RC5 CBC Pad具有可变密钥长度,从0到256个八位字节,并支持64位块大小和128位块大小。对于前者,它有一个8个八位字节的初始化向量,对于后者,它有一个16个八位字节的初始化向量。RC5 CBC Pad在加密操作中也有可变的“轮数”,从8到127。
Note: The generalization of the padding operation is as follows. For RC5 with a 64-bit block size, the padding string is as defined in RFC 1423. For RC5 with a 128-bit block size, the padding string consists of 16-(||M|| mod 16) octets each with value 16-(||M|| mod 16).
注意:填充操作的一般化如下所示。对于具有64位块大小的RC5,填充字符串如RFC 1423中所定义。对于具有128位块大小的RC5,填充字符串由16-(| M | mod 16)个八位字节组成,每个八位字节的值为16-(| M | mod 16)。
The object identifier rc5-CBC-PAD [2] identifies RC5-CBC-Pad encryption scheme:
对象标识符rc5 CBC PAD[2]标识rc5 CBC PAD加密方案:
rc5-CBC-PAD OBJECT IDENTIFIER ::= {encryptionAlgorithm 9}
rc5-CBC-PAD OBJECT IDENTIFIER ::= {encryptionAlgorithm 9}
The parameters field associated with this OID in an AlgorithmIdentifier shall have type RC5-CBC-Parameters:
算法标识符中与此OID相关的参数字段应具有RC5型CBC参数:
RC5-CBC-Parameters ::= SEQUENCE { version INTEGER {v1-0(16)} (v1-0), rounds INTEGER (8..127), blockSizeInBits INTEGER (64 | 128), iv OCTET STRING OPTIONAL }
RC5-CBC-Parameters ::= SEQUENCE { version INTEGER {v1-0(16)} (v1-0), rounds INTEGER (8..127), blockSizeInBits INTEGER (64 | 128), iv OCTET STRING OPTIONAL }
The fields of type RC5-CBC-Parameters have the following meanings:
RC5 CBC参数类型的字段具有以下含义:
- version is the version of the algorithm, which shall be v1-0.
- version为算法版本,应为v1-0。
- rounds is the number of rounds in the encryption operation, which shall be between 8 and 127.
- rounds是加密操作中的轮数,应介于8和127之间。
- blockSizeInBits is the block size in bits, which shall be 64 or 128.
- blockSizeInBits是以位为单位的块大小,应为64或128。
- iv is the initialization vector, an eight-octet string for 64-bit RC5 and a 16-octet string for 128-bit RC5. The default is a string of the appropriate length consisting of zero octets.
- iv是初始化向量,64位RC5为8个八位字符串,128位RC5为16个八位字符串。默认值是由零个八位字节组成的适当长度的字符串。
An example message authentication scheme for PBMAC1 (Section 7.1) is HMAC-SHA-1.
PBMAC1(第7.1节)的消息认证方案示例为HMAC-SHA-1。
HMAC-SHA-1 is the HMAC message authentication scheme [7] based on the SHA-1 hash function [18]. HMAC-SHA-1 has a variable key length and a 20-octet (160-bit) message authentication code.
HMAC-SHA-1是基于SHA-1哈希函数[18]的HMAC消息身份验证方案[7]。HMAC-SHA-1具有可变密钥长度和20个八位字节(160位)的消息身份验证码。
The object identifier id-hmacWithSHA1 (see Appendix B.1.1) identifies the HMAC-SHA-1 message authentication scheme. (The object identifier is the same for both the pseudorandom function and the message authentication scheme; the distinction is to be understood by context.) This object identifier is intended to be employed in the object set PBMAC1-Macs (Appendix A.5).
对象标识符id-hmacWithSHA1(见附录B.1.1)标识HMAC-SHA-1消息认证方案。(伪随机函数和消息认证方案的对象标识符相同;区别由上下文理解。)该对象标识符用于对象集PBMAC1 MAC(附录A.5)。
C. ASN.1 Module
C.ASN.1模块
For reference purposes, the ASN.1 syntax in the preceding sections is presented as an ASN.1 module here.
为了便于参考,前面几节中的ASN.1语法在这里作为ASN.1模块提供。
-- PKCS #5 v2.0 ASN.1 Module -- Revised March 25, 1999
-- PKCS #5 v2.0 ASN.1 Module -- Revised March 25, 1999
-- This module has been checked for conformance with the -- ASN.1 standard by the OSS ASN.1 Tools
-- This module has been checked for conformance with the -- ASN.1 standard by the OSS ASN.1 Tools
PKCS5v2-0 {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-5(5) modules(16) pkcs5v2-0(1)}
PKCS5v2-0 {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-5(5) modules(16) pkcs5v2-0(1)}
DEFINITIONS ::= BEGIN
DEFINITIONS ::= BEGIN
-- Basic object identifiers
--基本对象标识符
rsadsi OBJECT IDENTIFIER ::= {iso(1) member-body(2) us(840) 113549} pkcs OBJECT IDENTIFIER ::= {rsadsi 1}
rsadsi OBJECT IDENTIFIER ::= {iso(1) member-body(2) us(840) 113549} pkcs OBJECT IDENTIFIER ::= {rsadsi 1}
pkcs-5 OBJECT IDENTIFIER ::= {pkcs 5}
pkcs-5 OBJECT IDENTIFIER ::= {pkcs 5}
-- Basic types and classes
--基本类型和类别
AlgorithmIdentifier { ALGORITHM-IDENTIFIER:InfoObjectSet } ::= SEQUENCE { algorithm ALGORITHM-IDENTIFIER.&id({InfoObjectSet}), parameters ALGORITHM-IDENTIFIER.&Type({InfoObjectSet} {@algorithm}) OPTIONAL }
AlgorithmIdentifier { ALGORITHM-IDENTIFIER:InfoObjectSet } ::= SEQUENCE { algorithm ALGORITHM-IDENTIFIER.&id({InfoObjectSet}), parameters ALGORITHM-IDENTIFIER.&Type({InfoObjectSet} {@algorithm}) OPTIONAL }
ALGORITHM-IDENTIFIER ::= TYPE-IDENTIFIER
ALGORITHM-IDENTIFIER ::= TYPE-IDENTIFIER
-- PBKDF2
--PBKDF2
PBKDF2Algorithms ALGORITHM-IDENTIFIER ::= { {PBKDF2-params IDENTIFIED BY id-PBKDF2}, ...}
PBKDF2Algorithms ALGORITHM-IDENTIFIER ::= { {PBKDF2-params IDENTIFIED BY id-PBKDF2}, ...}
id-PBKDF2 OBJECT IDENTIFIER ::= {pkcs-5 12}
id-PBKDF2 OBJECT IDENTIFIER ::= {pkcs-5 12}
algid-hmacWithSHA1 AlgorithmIdentifier {{PBKDF2-PRFs}} ::= {algorithm id-hmacWithSHA1, parameters NULL : NULL}
algid-hmacWithSHA1 AlgorithmIdentifier {{PBKDF2-PRFs}} ::= {algorithm id-hmacWithSHA1, parameters NULL : NULL}
PBKDF2-params ::= SEQUENCE { salt CHOICE { specified OCTET STRING, otherSource AlgorithmIdentifier {{PBKDF2-SaltSources}} }, iterationCount INTEGER (1..MAX), keyLength INTEGER (1..MAX) OPTIONAL, prf AlgorithmIdentifier {{PBKDF2-PRFs}} DEFAULT algid-hmacWithSHA1 }
PBKDF2-params ::= SEQUENCE { salt CHOICE { specified OCTET STRING, otherSource AlgorithmIdentifier {{PBKDF2-SaltSources}} }, iterationCount INTEGER (1..MAX), keyLength INTEGER (1..MAX) OPTIONAL, prf AlgorithmIdentifier {{PBKDF2-PRFs}} DEFAULT algid-hmacWithSHA1 }
PBKDF2-SaltSources ALGORITHM-IDENTIFIER ::= { ... }
PBKDF2-SaltSources ALGORITHM-IDENTIFIER ::= { ... }
PBKDF2-PRFs ALGORITHM-IDENTIFIER ::= { {NULL IDENTIFIED BY id-hmacWithSHA1}, ... }
PBKDF2-PRFs ALGORITHM-IDENTIFIER ::= { {NULL IDENTIFIED BY id-hmacWithSHA1}, ... }
-- PBES1
--PBES1
PBES1Algorithms ALGORITHM-IDENTIFIER ::= {
PBES1Algorithms ALGORITHM-IDENTIFIER ::= {
{PBEParameter IDENTIFIED BY pbeWithMD2AndDES-CBC} | {PBEParameter IDENTIFIED BY pbeWithMD2AndRC2-CBC} | {PBEParameter IDENTIFIED BY pbeWithMD5AndDES-CBC} | {PBEParameter IDENTIFIED BY pbeWithMD5AndRC2-CBC} | {PBEParameter IDENTIFIED BY pbeWithSHA1AndDES-CBC} | {PBEParameter IDENTIFIED BY pbeWithSHA1AndRC2-CBC}, ... }
{PBEParameter IDENTIFIED BY pbeWithMD2AndDES-CBC} | {PBEParameter IDENTIFIED BY pbeWithMD2AndRC2-CBC} | {PBEParameter IDENTIFIED BY pbeWithMD5AndDES-CBC} | {PBEParameter IDENTIFIED BY pbeWithMD5AndRC2-CBC} | {PBEParameter IDENTIFIED BY pbeWithSHA1AndDES-CBC} | {PBEParameter IDENTIFIED BY pbeWithSHA1AndRC2-CBC}, ... }
pbeWithMD2AndDES-CBC OBJECT IDENTIFIER ::= {pkcs-5 1} pbeWithMD2AndRC2-CBC OBJECT IDENTIFIER ::= {pkcs-5 4} pbeWithMD5AndDES-CBC OBJECT IDENTIFIER ::= {pkcs-5 3} pbeWithMD5AndRC2-CBC OBJECT IDENTIFIER ::= {pkcs-5 6} pbeWithSHA1AndDES-CBC OBJECT IDENTIFIER ::= {pkcs-5 10} pbeWithSHA1AndRC2-CBC OBJECT IDENTIFIER ::= {pkcs-5 11}
pbeWithMD2AndDES-CBC OBJECT IDENTIFIER ::= {pkcs-5 1} pbeWithMD2AndRC2-CBC OBJECT IDENTIFIER ::= {pkcs-5 4} pbeWithMD5AndDES-CBC OBJECT IDENTIFIER ::= {pkcs-5 3} pbeWithMD5AndRC2-CBC OBJECT IDENTIFIER ::= {pkcs-5 6} pbeWithSHA1AndDES-CBC OBJECT IDENTIFIER ::= {pkcs-5 10} pbeWithSHA1AndRC2-CBC OBJECT IDENTIFIER ::= {pkcs-5 11}
PBEParameter ::= SEQUENCE { salt OCTET STRING (SIZE(8)), iterationCount INTEGER }
PBEParameter ::= SEQUENCE { salt OCTET STRING (SIZE(8)), iterationCount INTEGER }
-- PBES2
--PBES2
PBES2Algorithms ALGORITHM-IDENTIFIER ::= { {PBES2-params IDENTIFIED BY id-PBES2}, ...}
PBES2Algorithms ALGORITHM-IDENTIFIER ::= { {PBES2-params IDENTIFIED BY id-PBES2}, ...}
id-PBES2 OBJECT IDENTIFIER ::= {pkcs-5 13}
id-PBES2 OBJECT IDENTIFIER ::= {pkcs-5 13}
PBES2-params ::= SEQUENCE { keyDerivationFunc AlgorithmIdentifier {{PBES2-KDFs}}, encryptionScheme AlgorithmIdentifier {{PBES2-Encs}} }
PBES2-params ::= SEQUENCE { keyDerivationFunc AlgorithmIdentifier {{PBES2-KDFs}}, encryptionScheme AlgorithmIdentifier {{PBES2-Encs}} }
PBES2-KDFs ALGORITHM-IDENTIFIER ::= { {PBKDF2-params IDENTIFIED BY id-PBKDF2}, ... }
PBES2-KDFs ALGORITHM-IDENTIFIER ::= { {PBKDF2-params IDENTIFIED BY id-PBKDF2}, ... }
PBES2-Encs ALGORITHM-IDENTIFIER ::= { ... }
PBES2-Encs ALGORITHM-IDENTIFIER ::= { ... }
-- PBMAC1
--PBMAC1
PBMAC1Algorithms ALGORITHM-IDENTIFIER ::= { {PBMAC1-params IDENTIFIED BY id-PBMAC1}, ...}
PBMAC1Algorithms ALGORITHM-IDENTIFIER ::= { {PBMAC1-params IDENTIFIED BY id-PBMAC1}, ...}
id-PBMAC1 OBJECT IDENTIFIER ::= {pkcs-5 14}
id-PBMAC1 OBJECT IDENTIFIER ::= {pkcs-5 14}
PBMAC1-params ::= SEQUENCE { keyDerivationFunc AlgorithmIdentifier {{PBMAC1-KDFs}}, messageAuthScheme AlgorithmIdentifier {{PBMAC1-MACs}}
PBMAC1-params ::= SEQUENCE { keyDerivationFunc AlgorithmIdentifier {{PBMAC1-KDFs}}, messageAuthScheme AlgorithmIdentifier {{PBMAC1-MACs}}
}
}
PBMAC1-KDFs ALGORITHM-IDENTIFIER ::= { {PBKDF2-params IDENTIFIED BY id-PBKDF2}, ... }
PBMAC1-KDFs ALGORITHM-IDENTIFIER ::= { {PBKDF2-params IDENTIFIED BY id-PBKDF2}, ... }
PBMAC1-MACs ALGORITHM-IDENTIFIER ::= { ... }
PBMAC1-MACs ALGORITHM-IDENTIFIER ::= { ... }
-- Supporting techniques
--支撑技术
digestAlgorithm OBJECT IDENTIFIER ::= {rsadsi 2} encryptionAlgorithm OBJECT IDENTIFIER ::= {rsadsi 3}
digestAlgorithm OBJECT IDENTIFIER ::= {rsadsi 2} encryptionAlgorithm OBJECT IDENTIFIER ::= {rsadsi 3}
SupportingAlgorithms ALGORITHM-IDENTIFIER ::= { {NULL IDENTIFIED BY id-hmacWithSHA1} | {OCTET STRING (SIZE(8)) IDENTIFIED BY desCBC} | {OCTET STRING (SIZE(8)) IDENTIFIED BY des-EDE3-CBC} | {RC2-CBC-Parameter IDENTIFIED BY rc2CBC} | {RC5-CBC-Parameters IDENTIFIED BY rc5-CBC-PAD}, ... }
SupportingAlgorithms ALGORITHM-IDENTIFIER ::= { {NULL IDENTIFIED BY id-hmacWithSHA1} | {OCTET STRING (SIZE(8)) IDENTIFIED BY desCBC} | {OCTET STRING (SIZE(8)) IDENTIFIED BY des-EDE3-CBC} | {RC2-CBC-Parameter IDENTIFIED BY rc2CBC} | {RC5-CBC-Parameters IDENTIFIED BY rc5-CBC-PAD}, ... }
id-hmacWithSHA1 OBJECT IDENTIFIER ::= {digestAlgorithm 7}
id-hmacWithSHA1 OBJECT IDENTIFIER ::= {digestAlgorithm 7}
desCBC OBJECT IDENTIFIER ::= {iso(1) identified-organization(3) oiw(14) secsig(3) algorithms(2) 7} -- from OIW
desCBC OBJECT IDENTIFIER ::= {iso(1) identified-organization(3) oiw(14) secsig(3) algorithms(2) 7} -- from OIW
des-EDE3-CBC OBJECT IDENTIFIER ::= {encryptionAlgorithm 7}
des-EDE3-CBC OBJECT IDENTIFIER ::= {encryptionAlgorithm 7}
rc2CBC OBJECT IDENTIFIER ::= {encryptionAlgorithm 2}
rc2CBC OBJECT IDENTIFIER ::= {encryptionAlgorithm 2}
RC2-CBC-Parameter ::= SEQUENCE { rc2ParameterVersion INTEGER OPTIONAL, iv OCTET STRING (SIZE(8)) }
RC2-CBC-Parameter ::= SEQUENCE { rc2ParameterVersion INTEGER OPTIONAL, iv OCTET STRING (SIZE(8)) }
rc5-CBC-PAD OBJECT IDENTIFIER ::= {encryptionAlgorithm 9}
rc5-CBC-PAD OBJECT IDENTIFIER ::= {encryptionAlgorithm 9}
RC5-CBC-Parameters ::= SEQUENCE { version INTEGER {v1-0(16)} (v1-0), rounds INTEGER (8..127), blockSizeInBits INTEGER (64 | 128), iv OCTET STRING OPTIONAL }
RC5-CBC-Parameters ::= SEQUENCE { version INTEGER {v1-0(16)} (v1-0), rounds INTEGER (8..127), blockSizeInBits INTEGER (64 | 128), iv OCTET STRING OPTIONAL }
END
终止
Intellectual Property Considerations
知识产权考虑
RSA Security makes no patent claims on the general constructions described in this document, although specific underlying techniques may be covered. Among the underlying techniques, the RC5 encryption algorithm (Appendix B.2.4) is protected by U.S. Patents 5,724,428 [22] and 5,835,600 [23].
RSA Security未就本文档中描述的一般结构提出专利要求,尽管可能涉及特定的底层技术。在底层技术中,RC5加密算法(附录B.2.4)受美国专利5724428[22]和5835600[23]的保护。
RC2 and RC5 are trademarks of RSA Security.
RC2和RC5是RSA Security的商标。
License to copy this document is granted provided that it is identified as RSA Security Inc. Public-Key Cryptography Standards (PKCS) in all material mentioning or referencing this document.
只要在提及或引用本文档的所有材料中均标识为RSA Security Inc.公钥加密标准(PKCS),则授予复制本文档的许可证。
RSA Security makes no representations regarding intellectual property claims by other parties. Such determination is the responsibility of the user.
RSA Security不对其他方的知识产权主张作出任何陈述。此类确定由用户负责。
Revision history
修订历史
Versions 1.0-1.3
版本1.0-1.3
Versions 1.0-1.3 were distributed to participants in RSA Data Security Inc.'s Public-Key Cryptography Standards meetings in February and March 1991.
版本1.0-1.3于1991年2月和3月分发给RSA Data Security Inc.公钥加密标准会议的与会者。
Version 1.4
版本1.4
Version 1.4 was part of the June 3, 1991 initial public release of PKCS. Version 1.4 was published as NIST/OSI Implementors' Workshop document SEC-SIG-91-20.
版本1.4是1991年6月3日PKCS首次公开发布的一部分。版本1.4发布为NIST/OSI实施者研讨会文件SEC-SIG-91-20。
Version 1.5
版本1.5
Version 1.5 incorporated several editorial changes, including updates to the references and the addition of a revision history.
版本1.5包含了一些编辑性修改,包括对参考文件的更新和添加修订历史记录。
Version 2.0
版本2.0
Version 2.0 incorporates major editorial changes in terms of the document structure, and introduces the PBES2 encryption scheme, the PBMAC1 message authentication scheme, and independent password-based key derivation functions. This version continues to support the encryption process in version 1.5.
版本2.0在文档结构方面进行了重大的编辑更改,并引入了PBES2加密方案、PBMAC1消息身份验证方案和独立的基于密码的密钥派生功能。此版本继续支持1.5版中的加密过程。
References
工具书类
[1] American National Standard X9.52 - 1998, Triple Data Encryption Algorithm Modes of Operation. Working draft, Accredited Standards Committee X9, July 27, 1998.
[1] 美国国家标准X9.52-1998,三重数据加密算法操作模式。1998年7月27日认证标准委员会X9工作草案。
[2] Baldwin, R. and R. Rivest, "The RC5, RC5-CBC, RC5-CBC-Pad, and RC5-CTS Algorithms", RFC 2040, October 1996.
[2] Baldwin,R.和R.Rivest,“RC5、RC5-CBC、RC5-CBC Pad和RC5-CTS算法”,RFC 2040,1996年10月。
[3] Balenson, D., "Privacy Enhancement for Internet Electronic Mail: Part III: Algorithms, Modes, and Identifiers", RFC 1423, February 1993.
[3] Balenson,D.,“因特网电子邮件的隐私增强:第三部分:算法、模式和标识符”,RFC 1423,1993年2月。
[4] S.M. Bellovin and M. Merritt. Encrypted key exchange: Password-based protocols secure against dictionary attacks. In Proceedings of the 1992 IEEE Computer Society Conference on Research in Security and Privacy, pages 72-84, IEEE Computer Society, 1992.
[4] 贝洛文先生和梅里特先生。加密密钥交换:基于密码的协议可防止字典攻击。1992年IEEE计算机学会安全和隐私研究会议记录,第72-84页,IEEE计算机学会,1992年。
[5] D. Jablon. Strong password-only authenticated key exchange. ACM Computer Communications Review, October 1996.
[5] 贾布伦。强密码仅验证密钥交换。ACM计算机通信评论,1996年10月。
[6] Kaliski, B., "The MD2 Message-Digest Algorithm", RFC 1319, April 1992.
[6] Kaliski,B.,“MD2消息摘要算法”,RFC 1319,1992年4月。
[7] Krawczyk, H., Bellare, M. and R. Canetti, "HMAC: Keyed-Hashing for Message Authentication", RFC 2104, February 1997.
[7] Krawczyk,H.,Bellare,M.和R.Canetti,“HMAC:用于消息身份验证的键控哈希”,RFC2104,1997年2月。
[8] Robert Morris and Ken Thompson. Password security: A case history. Communications of the ACM, 22(11):594-597, November 1979.
[8] 罗伯特·莫里斯和肯·汤普森。密码安全:一个案例历史。ACM的来文,22(11):594-597,1979年11月。
[9] ISO/IEC 8824-1:1995: Information technology - Abstract Syntax Notation One (ASN.1) - Specification of basic notation. 1995.
[9] ISO/IEC 8824-1:1995:信息技术-抽象语法符号1(ASN.1)-基本符号规范。1995
[10] ISO/IEC 8824-1:1995/Amd.1:1995 Information technology - Abstract Syntax Notation One (ASN.1) - Specification of basic notation - Amendment 1 - Rules of extensibility. 1995.
[10] ISO/IEC 8824-1:1995/Amd.1:1995信息技术——抽象语法符号一(ASN.1)——基本符号规范——修改件1——可扩展性规则。1995
[11] ISO/IEC 8824-2:1995 Information technology - Abstract Syntax Notation One (ASN.1) - Information object specification. 1995.
[11] ISO/IEC 8824-2:1995信息技术-抽象语法符号1(ASN.1)-信息对象规范。1995
[12] ISO/IEC 8824-2:1995/Amd.1:1995 Information technology - Abstract Syntax Notation One (ASN.1) - Information object specification - Amendment 1 - Rules of extensibility. 1995.
[12] ISO/IEC 8824-2:1995/Amd.1:1995信息技术——抽象语法符号1(ASN.1)——信息对象规范——修改件1——可扩展性规则。1995
[13] ISO/IEC 8824-3:1995 Information technology - Abstract Syntax Notation One (ASN.1) - Constraint specification. 1995.
[13] ISO/IEC 8824-3:1995信息技术-抽象语法符号1(ASN.1)-约束规范。1995
[14] ISO/IEC 8824-4:1995 Information technology - Abstract Syntax Notation One (ASN.1) - Parameterization of ASN.1 specifications. 1995.
[14] ISO/IEC 8824-4:1995信息技术-抽象语法符号1(ASN.1)-ASN.1规范的参数化。1995
[15] National Institute of Standards and Technology (NIST). FIPS PUB 46-2: Data Encryption Standard. December 30, 1993.
[15] 国家标准与技术研究所(NIST)。FIPS PUB 46-2:数据加密标准。1993年12月30日。
[16] National Institute of Standards and Technology (NIST). FIPS PUB 81: DES Modes of Operation. December 2, 1980.
[16] 国家标准与技术研究所(NIST)。FIPS PUB 81:DES操作模式。1980年12月2日。
[17] National Institute of Standards and Technology (NIST). FIPS PUB 112: Password Usage. May 30, 1985.
[17] 国家标准与技术研究所(NIST)。FIPS PUB 112:密码使用。1985年5月30日。
[18] National Institute of Standards and Technology (NIST). FIPS PUB 180-1: Secure Hash Standard. April 1994.
[18] 国家标准与技术研究所(NIST)。FIPS PUB 180-1:安全哈希标准。1994年4月。
[19] Rivest, R., "The MD5 Message-Digest Algorithm", RFC 1321, April 1992.
[19] Rivest,R.,“MD5消息摘要算法”,RFC1321,1992年4月。
[20] R.L. Rivest. The RC5 encryption algorithm. In Proceedings of the Second International Workshop on Fast Software Encryption, pages 86-96, Springer-Verlag, 1994.
[20] 里维斯特。RC5加密算法。《第二届快速软件加密国际研讨会论文集》,第86-96页,Springer Verlag,1994年。
[21] Rivest, R., "A Description of the RC2(r) Encryption Algorithm", RFC 2268, March 1998.
[21] Rivest,R.,“RC2(R)加密算法的描述”,RFC 2268,1998年3月。
[22] R.L. Rivest. Block-Encryption Algorithm with Data-Dependent Rotations. U.S. Patent No. 5,724,428, March 3, 1998.
[22] 里维斯特。具有数据相关旋转的块加密算法。美国专利号5724428,1998年3月3日。
[23] R.L. Rivest. Block Encryption Algorithm with Data-Dependent Rotations. U.S. Patent No. 5,835,600, November 10, 1998.
[23] 里维斯特。具有数据相关旋转的块加密算法。美国专利号5835600,1998年11月10日。
[24] RSA Laboratories. PKCS #5: Password-Based Encryption Standard. Version 1.5, November 1993.
[24] RSA实验室。PKCS#5:基于密码的加密标准。1.5版,1993年11月。
[25] RSA Laboratories. PKCS #8: Private-Key Information Syntax Standard. Version 1.2, November 1993.
[25] RSA实验室。PKCS#8:私钥信息语法标准。1.2版,1993年11月。
[26] T. Wu. The Secure Remote Password protocol. In Proceedings of the 1998 Internet Society Network and Distributed System Security Symposium, pages 97-111, Internet Society, 1998.
[26] 吴先生。安全远程密码协议。1998年互联网协会网络和分布式系统安全研讨会论文集,第97-111页,互联网协会,1998年。
[27] Yergeau, F., "UTF-8, a transformation format of ISO 10646", RFC 2279, January 1998.
[27] “UTF-8,ISO 10646的转换格式”,RFC 2279,1998年1月。
Contact Information & About PKCS
联系信息&关于PKCS
The Public-Key Cryptography Standards are specifications produced by RSA Laboratories in cooperation with secure systems developers worldwide for the purpose of accelerating the deployment of public-key cryptography. First published in 1991 as a result of meetings with a small group of early adopters of public-key technology, the PKCS documents have become widely referenced and implemented. Contributions from the PKCS series have become part of many formal and de facto standards, including ANSI X9 documents, PKIX, SET, S/MIME, and SSL.
公钥加密标准是RSA实验室与全球安全系统开发人员合作制定的规范,旨在加速公钥加密的部署。PKCS文件于1991年首次出版,是与一小群早期采用公钥技术的人举行会议的结果。PKCS文件已被广泛引用和实施。PKCS系列的贡献已成为许多正式和事实标准的一部分,包括ANSI X9文档、PKIX、SET、S/MIME和SSL。
Further development of PKCS occurs through mailing list discussions and occasional workshops, and suggestions for improvement are welcome. For more information, contact:
通过邮件列表讨论和偶尔的研讨会进一步开发PKCS,欢迎提出改进建议。有关详细信息,请联系:
PKCS Editor RSA Laboratories 20 Crosby Drive Bedford, MA 01730 USA pkcs-editor@rsasecurity.com http://www.rsalabs.com/pkcs/
PKCS编辑器RSA实验室美国马萨诸塞州贝德福德克罗斯比大道20号PKCS 01730-editor@rsasecurity.com http://www.rsalabs.com/pkcs/
Full Copyright Statement
完整版权声明
Copyright (C) The Internet Society (2000). All Rights Reserved.
版权所有(C)互联网协会(2000年)。版权所有。
This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English.
本文件及其译本可复制并提供给他人,对其进行评论或解释或协助其实施的衍生作品可全部或部分编制、复制、出版和分发,不受任何限制,前提是上述版权声明和本段包含在所有此类副本和衍生作品中。但是,不得以任何方式修改本文件本身,例如删除版权通知或对互联网协会或其他互联网组织的引用,除非出于制定互联网标准的需要,在这种情况下,必须遵循互联网标准过程中定义的版权程序,或根据需要将其翻译成英语以外的其他语言。
The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assigns.
上述授予的有限许可是永久性的,互联网协会或其继承人或受让人不会撤销。
This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
本文件和其中包含的信息是按“原样”提供的,互联网协会和互联网工程任务组否认所有明示或暗示的保证,包括但不限于任何保证,即使用本文中的信息不会侵犯任何权利,或对适销性或特定用途适用性的任何默示保证。
Acknowledgement
确认
Funding for the RFC Editor function is currently provided by the Internet Society.
RFC编辑功能的资金目前由互联网协会提供。