Network Working Group                                         K. Raeburn
Request for Comments: 3962                                           MIT
Category: Standards Track                                  February 2005
        

Advanced Encryption Standard (AES) Encryption for Kerberos 5

Status of This Memo

This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited.

Copyright Notice

Copyright (C) The Internet Society (2005).

Abstract

The United States National Institute of Standards and Technology (NIST) has chosen a new Advanced Encryption Standard (AES), which is significantly faster and (it is believed) more secure than the old Data Encryption Standard (DES) algorithm. This document is a specification for the addition of this algorithm to the Kerberos cryptosystem suite.

1. Introduction

This document defines encryption key and checksum types for Kerberos 5 using the AES algorithm recently chosen by NIST. These new types support 128-bit block encryption and key sizes of 128 or 256 bits.

Using the "simplified profile" of [KCRYPTO], we can define a pair of encryption and checksum schemes. AES is used with ciphertext stealing to avoid message expansion, and SHA-1 [SHA1] is the associated checksum function.

2. Conventions used in this Document

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14, RFC 2119 [KEYWORDS].

3. Protocol Key Representation

The profile in [KCRYPTO] treats keys and random octet strings as conceptually different. But since the AES key space is dense, we can use any bit string of appropriate length as a key. We use the byte representation for the key described in [AES], where the first bit of the bit string is the high bit of the first byte of the byte string (octet string) representation.

4. Key Generation from Pass Phrases or Random Data

Given the above format for keys, we can generate keys from the appropriate amounts of random data (128 or 256 bits) by simply copying the input string.

To generate an encryption key from a pass phrase and salt string, we use the PBKDF2 function from PKCS #5 v2.0 ([PKCS5]), with parameters indicated below, to generate an intermediate key (of the same length as the desired final key), which is then passed into the DK function with the 8-octet ASCII string "kerberos" as is done for des3-cbc-hmac-sha1-kd in [KCRYPTO]. (In [KCRYPTO] terms, the PBKDF2 function produces a "random octet string", hence the application of the random-to-key function even though it's effectively a simple identity operation.) The resulting key is the user's long-term key for use with the encryption algorithm in question.

   tkey = random2key(PBKDF2(passphrase, salt, iter_count, keylength))
   key = DK(tkey, "kerberos")
        

The pseudorandom function used by PBKDF2 will be a SHA-1 HMAC of the passphrase and salt, as described in Appendix B.1 to PKCS#5.

The number of iterations is specified by the string-to-key parameters supplied. The parameter string is four octets indicating an unsigned number in big-endian order. This is the number of iterations to be performed. If the value is 00 00 00 00, the number of iterations to be performed is 4,294,967,296 (2**32). (Thus the minimum expressible iteration count is 1.)

For environments where slower hardware is the norm, implementations of protocols such as Kerberos may wish to limit the number of iterations to prevent a spoofed response supplied by an attacker from consuming lots of client-side CPU time; if such a limit is implemented, it SHOULD be no less than 50,000. Even for environments with fast hardware, 4 billion iterations is likely to take a fairly long time; much larger bounds might still be enforced, and it might be wise for implementations to permit interruption of this operation by the user if the environment allows for it.

If the string-to-key parameters are not supplied, the value used is 00 00 10 00 (decimal 4,096, indicating 4,096 iterations).

Note that this is not a requirement, nor even a recommendation, for this value to be used in "optimistic preauthentication" (e.g., attempting timestamp-based preauthentication using the user's long-term key without having first communicated with the KDC) in the absence of additional information, or as a default value for sites to use for their principals' long-term keys in their Kerberos database. It is simply the interpretation of the absence of the string-to-key parameter field when the KDC has had an opportunity to provide it.

Sample test vectors are given in Appendix B.

5. Ciphertext Stealing

Cipher block chaining is used to encrypt messages, with the initial vector stored in the cipher state. Unlike previous Kerberos cryptosystems, we use ciphertext stealing to handle the possibly partial final block of the message.

Ciphertext stealing is described on pages 195-196 of [AC], and section 8 of [RC5]; it has the advantage that no message expansion is done during encryption of messages of arbitrary sizes as is typically done in CBC mode with padding. Some errata for [RC5] are listed in Appendix A and are considered part of the ciphertext stealing technique as used here.

Ciphertext stealing, as defined in [RC5], assumes that more than one block of plain text is available. If exactly one block is to be encrypted, that block is simply encrypted with AES (also known as ECB mode). Input smaller than one block is padded at the end to one block; the values of the padding bits are unspecified. (Implementations MAY use all-zero padding, but protocols MUST NOT rely on the result being deterministic. Implementations MAY use random padding, but protocols MUST NOT rely on the result not being deterministic. Note that in most cases, the Kerberos encryption profile will add a random confounder independent of this padding.)

For consistency, ciphertext stealing is always used for the last two blocks of the data to be encrypted, as in [RC5]. If the data length is a multiple of the block size, this is equivalent to plain CBC mode with the last two ciphertext blocks swapped.

A test vector is given in Appendix B.

The initial vector carried out from one encryption for use in a subsequent encryption is the next-to-last block of the encryption output; this is the encrypted form of the last plaintext block. When decrypting, the next-to-last block of the supplied ciphertext is carried forward as the next initial vector. If only one ciphertext block is available (decrypting one block, or encrypting one block or less), then that one block is carried out instead.
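
AES in CBC mode with ciphertext stealing as this section describes, as an added example in Go; it is neither the RFC's code nor that of any Kerberos implementation, and the key and messages in main are constructed for illustration. The code follows the section text literally: input shorter than one block is zero-padded to one block, exactly one block is AES-encrypted directly (so the ivec is not mixed in; an implementation that does mix it in would differ only when a non-zero cipher state is carried into a one-block message), and longer input is CBC-encrypted over all but the final block with the last two ciphertext blocks swapped and the next-to-last one truncated. Both directions return the cipher state to carry forward: the next-to-last block of the ciphertext, or the only block when there is just one.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"errors"
	"fmt"
)

func xorBlocks(dst, a, b []byte) {
	for i := range dst {
		dst[i] = a[i] ^ b[i]
	}
}

// cbcCtsEncrypt returns the ciphertext (no expansion unless the input was
// shorter than one block) and the ivec for the next encryption.
func cbcCtsEncrypt(block cipher.Block, iv, plaintext []byte) (ct, nextIV []byte, err error) {
	bs := block.BlockSize()
	if len(iv) != bs {
		return nil, nil, errors.New("ivec must be one cipher block")
	}
	if len(plaintext) == 0 {
		return nil, nil, errors.New("empty input")
	}
	if len(plaintext) <= bs {
		// Short input is padded (zeros here; the value is unspecified);
		// exactly one block is plain AES per the section text.
		padded := make([]byte, bs)
		copy(padded, plaintext)
		ct = make([]byte, bs)
		block.Encrypt(ct, padded)
		return ct, append([]byte(nil), ct...), nil
	}
	nBlocks := (len(plaintext) + bs - 1) / bs
	lastLen := len(plaintext) - (nBlocks-1)*bs // 1..bs bytes in P_n
	// Ordinary CBC over P_1..P_{n-1}.
	head := make([]byte, (nBlocks-1)*bs)
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(head, plaintext[:(nBlocks-1)*bs])
	cPrev := head[len(head)-bs:] // C_{n-1}
	// C_n = E(C_{n-1} xor (P_n || zero padding)).
	last := make([]byte, bs)
	copy(last, plaintext[(nBlocks-1)*bs:])
	xorBlocks(last, last, cPrev)
	cLast := make([]byte, bs)
	block.Encrypt(cLast, last)
	// Output C_1..C_{n-2}, then C_n, then C_{n-1} truncated to lastLen.
	ct = append(ct, head[:len(head)-bs]...)
	ct = append(ct, cLast...)
	ct = append(ct, cPrev[:lastLen]...)
	return ct, cLast, nil
}

// cbcCtsDecrypt inverts cbcCtsEncrypt; the next ivec is the next-to-last
// block of the supplied ciphertext.
func cbcCtsDecrypt(block cipher.Block, iv, ct []byte) (pt, nextIV []byte, err error) {
	bs := block.BlockSize()
	if len(iv) != bs {
		return nil, nil, errors.New("ivec must be one cipher block")
	}
	if len(ct) < bs {
		return nil, nil, errors.New("ciphertext shorter than one block")
	}
	if len(ct) == bs {
		pt = make([]byte, bs)
		block.Decrypt(pt, ct)
		return pt, append([]byte(nil), ct...), nil
	}
	nBlocks := (len(ct) + bs - 1) / bs
	lastLen := len(ct) - (nBlocks-1)*bs
	cN := ct[(nBlocks-2)*bs : (nBlocks-1)*bs] // encryption of the last plaintext block
	cTail := ct[(nBlocks-1)*bs:]              // first lastLen bytes of C_{n-1}
	// D(C_n) = C_{n-1} xor (P_n || 0): its tail restores the stolen part of C_{n-1}.
	dN := make([]byte, bs)
	block.Decrypt(dN, cN)
	cPrev := make([]byte, bs)
	copy(cPrev, cTail)
	copy(cPrev[lastLen:], dN[lastLen:])
	chain := append(append([]byte(nil), ct[:(nBlocks-2)*bs]...), cPrev...)
	pt = make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt[:len(chain)], chain)
	xorBlocks(pt[len(chain):], dN[:lastLen], cTail)
	return pt, append([]byte(nil), cN...), nil
}

func main() {
	block, err := aes.NewCipher([]byte("0123456789abcdef")) // constructed demo key
	if err != nil {
		panic(err)
	}
	iv := make([]byte, aes.BlockSize) // all-zero initial cipher state
	msg := []byte("I would like the General Gau's Chicken, please, and wonton soup.")
	for _, n := range []int{5, 16, 17, 32, 47} {
		ct, next, _ := cbcCtsEncrypt(block, iv, msg[:n])
		pt, _, _ := cbcCtsDecrypt(block, iv, ct)
		fmt.Printf("len %2d -> %2d ct bytes, roundtrip %v, next ivec %x\n",
			n, len(ct), bytes.HasPrefix(pt, msg[:n]), next)
	}
}
```

Two properties from the text are worth checking against an independent CBC implementation: for input that is a multiple of the block size the output must equal plain CBC with the last two blocks swapped, and for exactly one block it must equal a raw AES encryption of that block.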

6. Kerberos Algorithm Profile Parameters

This is a summary of the parameters to be used with the simplified algorithm profile described in [KCRYPTO]:

  +--------------------------------------------------------------------+
  |               protocol key format        128- or 256-bit string    |
  |                                                                    |
  |            string-to-key function        PBKDF2+DK with variable   |
  |                                          iteration count (see      |
  |                                          above)                    |
  |                                                                    |
  |  default string-to-key parameters        00 00 10 00               |
  |                                                                    |
  |        key-generation seed length        key size                  |
  |                                                                    |
  |            random-to-key function        identity function         |
  |                                                                    |
  |                  hash function, H        SHA-1                     |
  |                                                                    |
  |               HMAC output size, h        12 octets (96 bits)       |
  |                                                                    |
  |             message block size, m        1 octet                   |
  |                                                                    |
  |  encryption/decryption functions,        AES in CBC-CTS mode       |
  |  E and D                                 (cipher block size 16     |
  |                                          octets), with next-to-    |
  |                                          last block (last block    |
  |                                          if only one) as CBC-style |
  |                                          ivec                      |
  +--------------------------------------------------------------------+
        

Using this profile with each key size gives us two each of encryption and checksum algorithm definitions.

7. Assigned Numbers

The following encryption type numbers are assigned:

  +--------------------------------------------------------------------+
  |                         encryption types                           |
  +--------------------------------------------------------------------+
  |         type name                  etype value          key size   |
  +--------------------------------------------------------------------+
  |   aes128-cts-hmac-sha1-96              17                 128      |
  |   aes256-cts-hmac-sha1-96              18                 256      |
  +--------------------------------------------------------------------+
        

The following checksum type numbers are assigned:

  +--------------------------------------------------------------------+
  |                          checksum types                            |
  +--------------------------------------------------------------------+
  |        type name                 sumtype value           length    |
  +--------------------------------------------------------------------+
  |    hmac-sha1-96-aes128                15                   96      |
  |    hmac-sha1-96-aes256                16                   96      |
  +--------------------------------------------------------------------+
        

These checksum types will be used with the corresponding encryption types defined above.

8. Security Considerations

This new algorithm has not been around long enough to receive the decades of intense analysis that DES has received. It is possible that some weakness exists that has not been found by the cryptographers analyzing these algorithms before and during the AES selection process.

The use of the HMAC function has drawbacks for certain pass phrase lengths. For example, a pass phrase longer than the hash function block size (64 bytes, for SHA-1) is hashed to a smaller size (20 bytes) before applying the main HMAC algorithm. However, entropy is generally sparse in pass phrases, especially in long ones, so this may not be a problem in the rare cases of users with long pass phrases.

Also, generating a 256-bit key from a pass phrase of any length may be deceptive, as the effective entropy in a pass-phrase-derived key cannot be nearly that large, given the properties of the string-to-key function described here.

The iteration count in PBKDF2 appears to be useful primarily as a constant multiplier for the amount of work required for an attacker using brute-force methods. Unfortunately, it also multiplies, by the same amount, the work needed by a legitimate user with a valid password. Thus the work factor imposed on an attacker (who may have many powerful workstations at his disposal) must be balanced against the work factor imposed on the legitimate user (who may have a PDA or cell phone); the available computing power on either side increases as time goes on, as well. A better way to deal with the brute-force attack is through preauthentication mechanisms that provide better protection of the user's long-term key. Use of such mechanisms is out of the scope of this document.

If a site does wish to use this means of protection against a brute-force attack, the iteration count should be chosen based on the facilities available to both attacker and legitimate user, and the amount of work the attacker should be required to perform to acquire the key or password.

As an example:

The author's tests on a 2GHz Pentium 4 system indicated that in one second, nearly 90,000 iterations could be done, producing a 256-bit key. This was using the SHA-1 assembly implementation from OpenSSL, and a pre-release version of the PBKDF2 code for MIT's Kerberos package, on a single system. No attempt was made to do multiple hashes in parallel, so we assume an attacker doing so can probably do at least 100,000 iterations per second -- rounded up to 2**17, for ease of calculation. For simplicity, we also assume the final AES encryption step costs nothing.

Paul Leach estimates [LEACH] that a password-cracking dictionary may have on the order of 2**21 entries, with capitalization, punctuation, and other variations contributing perhaps a factor of 2**11, giving a ballpark estimate of 2**32.

Thus, for a known iteration count N and a known salt string, an attacker with some number of computers comparable to the author's would need roughly N*2**15 CPU seconds to convert the entire dictionary plus variations into keys.

An attacker using a dozen such computers for a month would have roughly 2**25 CPU seconds available. So using 2**12 (4,096) iterations would mean an attacker with a dozen such computers dedicated to a brute-force attack against a single key (actually, any password-derived keys sharing the same salt and iteration count) would process all the variations of the dictionary entries in four months and, on average, would likely find the user's password in two months.


Thus, if this form of attack is of concern, users should be required to change their passwords every few months, and an iteration count a few orders of magnitude higher should be chosen. Perhaps several orders of magnitude, as many users will tend to use the shorter and simpler passwords (to the extent they can, given a site's password quality checks) that the attacker would likely try first.

Since this estimate is based on currently available CPU power, the iteration counts used for this mode of defense should be increased over time, at perhaps 40%-60% each year or so.

Note that if the attacker has a large amount of storage available, intermediate results could be cached, saving a lot of work for the next attack with the same salt and a greater number of iterations than had been run at the point where the intermediate results were saved. Thus, it would be wise to generate a new random salt string when passwords are changed. The default salt string, derived from the principal name, only protects against the use of one dictionary of keys against multiple users.

If the PBKDF2 iteration count can be spoofed by an intruder on the network, and the limit on the accepted iteration count is very high, the intruder may be able to introduce a form of denial of service attack against the client by sending a very high iteration count, causing the client to spend a great deal of CPU time computing an incorrect key.

An intruder spoofing the KDC reply, providing a low iteration count and reading the client's reply from the network, may be able to reduce the work needed in the brute-force attack outlined above. Thus, implementations may seek to enforce lower bounds on the number of iterations that will be used.

Since threat models and typical end-user equipment will vary widely from site to site, allowing site-specific configuration of such bounds is recommended.
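
The two checks this section and section 4 ask a client to perform on the KDC-supplied string-to-key parameter, as an added example in Go (not the RFC's code nor any implementation's): decode the 4-octet big-endian count, honouring the 00 00 00 00 = 2**32 special case and the 4,096 default for an absent field, then apply site-configurable lower and upper bounds so that a spoofed reply can neither lower the brute-force work factor nor make the client burn unbounded CPU computing an incorrect key. The bound values used in main are illustrative choices, not recommendations from the RFC; the one rule the code does enforce from the text is section 4's requirement that an upper limit, if imposed, SHOULD be no less than 50,000.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// DefaultIterations is the meaning of an absent string-to-key parameter
// field (00 00 10 00 in section 4).
const DefaultIterations uint64 = 4096

// MinimumCap is the smallest upper limit section 4 allows an implementation
// to impose on the iteration count ("SHOULD be no less than 50,000").
const MinimumCap uint64 = 50000

// IterationCount decodes the string-to-key parameter: four octets, big-endian,
// unsigned; all-zero means 2**32; absent means DefaultIterations.
func IterationCount(params []byte) (uint64, error) {
	switch len(params) {
	case 0:
		return DefaultIterations, nil
	case 4:
		n := uint64(binary.BigEndian.Uint32(params))
		if n == 0 {
			return 1 << 32, nil
		}
		return n, nil
	default:
		return 0, fmt.Errorf("string-to-key parameter: expected 4 octets, got %d", len(params))
	}
}

// Bounds is a site policy on accepted iteration counts. Min defends against a
// spoofed KDC reply that lowers the work factor; Max (0 = no cap) defends
// against a spoofed reply that burns client CPU on an incorrect key.
type Bounds struct {
	Min, Max uint64
}

// NewBounds validates a policy: a cap, if set, must be at least MinimumCap.
func NewBounds(min, max uint64) (Bounds, error) {
	if max != 0 && max < MinimumCap {
		return Bounds{}, fmt.Errorf("iteration cap %d is below the %d floor section 4 requires", max, MinimumCap)
	}
	if max != 0 && min > max {
		return Bounds{}, errors.New("iteration minimum exceeds maximum")
	}
	return Bounds{Min: min, Max: max}, nil
}

// Check decodes params and returns the count only if it is inside the policy.
func (b Bounds) Check(params []byte) (uint64, error) {
	n, err := IterationCount(params)
	if err != nil {
		return 0, err
	}
	if n < b.Min {
		return 0, fmt.Errorf("iteration count %d below site minimum %d (possible downgrade)", n, b.Min)
	}
	if b.Max != 0 && n > b.Max {
		return 0, fmt.Errorf("iteration count %d above site maximum %d (possible client DoS)", n, b.Max)
	}
	return n, nil
}

func main() {
	// Illustrative policy values, not an RFC recommendation.
	policy, err := NewBounds(4096, 1<<20)
	if err != nil {
		panic(err)
	}
	for _, p := range [][]byte{nil, {0x00, 0x00, 0x10, 0x00}, {0x00, 0x00, 0x00, 0x01}, {0x00, 0x00, 0x00, 0x00}} {
		n, err := policy.Check(p)
		fmt.Printf("params % x -> count %d, err %v\n", p, n, err)
	}
}
```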

Any benefit against other attacks specific to the HMAC or SHA-1 algorithms is probably achieved with a fairly small number of iterations.

In the "optimistic preauthentication" case mentioned in section 4, the client may attempt to produce a key without first communicating with the KDC. If the client has no additional information, it can only guess as to the iteration count to be used. Even such heuristics as "iteration count X was used to acquire tickets for the same principal only N hours ago" can be wrong. Given the recommendation above for increasing the iteration counts used over time, it is impossible to recommend any specific default value for this case; allowing site-local configuration is recommended. (If the lower and upper bound checks described above are implemented, the default count for optimistic preauthentication should be between those bounds.)

Ciphertext stealing mode, as it requires no additional padding in most cases, will reveal the exact length of each message being encrypted rather than merely bounding it to a small range of possible lengths as in CBC mode. Such obfuscation should not be relied upon at higher levels in any case; if the length must be obscured from an outside observer, this should be done by intentionally varying the length of the message to be encrypted.

9. IANA Considerations

Kerberos encryption and checksum type values used in section 7 were previously reserved in [KCRYPTO] for the mechanisms defined in this document. The registries have been updated to list this document as the reference.

10. Acknowledgements

Thanks to John Brezak, Gerardo Diaz Cuellar, Ken Hornstein, Paul Leach, Marcus Watts, Larry Zhu, and others for feedback on earlier versions of this document.

A. Errata for RFC 2040 Section 8

(Copied from the RFC Editor's errata web site on July 8, 2004.)

   Reported By: Bob Baldwin; baldwin@plusfive.com
   Date: Fri, 26 Mar 2004 06:49:02 -0800
        

In Section 8, Description of RC5-CTS, of the encryption method, it says:

1. Exclusive-or Pn-1 with the previous ciphertext block, Cn-2, to create Xn-1.

It should say:

1. Exclusive-or Pn-1 with the previous ciphertext block, Cn-2, to create Xn-1. For short messages where Cn-2 does not exist, use IV.

   Reported By: Bob Baldwin; baldwin@plusfive.com
   Date: Mon, 22 Mar 2004 20:26:40 -0800
        

In Section 8, first paragraph, second sentence says:

This mode handles any length of plaintext and produces ciphertext whose length matches the plaintext length.

In Section 8, first paragraph, second sentence should read:

This mode handles any length of plaintext longer than one block and produces ciphertext whose length matches the plaintext length.

In Section 8, step 6 of the decryption method says:

6. Decrypt En to create Pn-1.

In Section 8, step 6 of the decryption method should read:

6. Decrypt En and exclusive-or with Cn-2 to create Pn-1. For short messages where Cn-2 does not exist, use the IV.

B. Sample Test Vectors

Sample values for the PBKDF2 HMAC-SHA1 string-to-key function are included below.

   Iteration count = 1
   Pass phrase = "password"
   Salt = "ATHENA.MIT.EDUraeburn"
   128-bit PBKDF2 output:
       cd ed b5 28 1b b2 f8 01 56 5a 11 22 b2 56 35 15
   128-bit AES key:
       42 26 3c 6e 89 f4 fc 28 b8 df 68 ee 09 79 9f 15
   256-bit PBKDF2 output:
       cd ed b5 28 1b b2 f8 01 56 5a 11 22 b2 56 35 15
       0a d1 f7 a0 4b b9 f3 a3 33 ec c0 e2 e1 f7 08 37
   256-bit AES key:
       fe 69 7b 52 bc 0d 3c e1 44 32 ba 03 6a 92 e6 5b
       bb 52 28 09 90 a2 fa 27 88 39 98 d7 2a f3 01 61

   Iteration count = 2
   Pass phrase = "password"
   Salt = "ATHENA.MIT.EDUraeburn"
   128-bit PBKDF2 output:
       01 db ee 7f 4a 9e 24 3e 98 8b 62 c7 3c da 93 5d
   128-bit AES key:
       c6 51 bf 29 e2 30 0a c2 7f a4 69 d6 93 bd da 13
   256-bit PBKDF2 output:
       01 db ee 7f 4a 9e 24 3e 98 8b 62 c7 3c da 93 5d
       a0 53 78 b9 32 44 ec 8f 48 a9 9e 61 ad 79 9d 86
   256-bit AES key:
       a2 e1 6d 16 b3 60 69 c1 35 d5 e9 d2 e2 5f 89 61
       02 68 56 18 b9 59 14 b4 67 c6 76 22 22 58 24 ff

   Iteration count = 1200
   Pass phrase = "password"
   Salt = "ATHENA.MIT.EDUraeburn"
   128-bit PBKDF2 output:
       5c 08 eb 61 fd f7 1e 4e 4e c3 cf 6b a1 f5 51 2b
   128-bit AES key:
       4c 01 cd 46 d6 32 d0 1e 6d be 23 0a 01 ed 64 2a
   256-bit PBKDF2 output:
       5c 08 eb 61 fd f7 1e 4e 4e c3 cf 6b a1 f5 51 2b
       a7 e5 2d db c5 e5 14 2f 70 8a 31 e2 e6 2b 1e 13
   256-bit AES key:
       55 a6 ac 74 0a d1 7b 48 46 94 10 51 e1 e8 b0 a7
       54 8d 93 b0 ab 30 a8 bc 3f f1 62 80 38 2b 8c 2a

   Iteration count = 5
   Pass phrase = "password"
   Salt = 0x1234567878563412
   128-bit PBKDF2 output:
       d1 da a7 86 15 f2 87 e6 a1 c8 b1 20 d7 06 2a 49
   128-bit AES key:
       e9 b2 3d 52 27 37 47 dd 5c 35 cb 55 be 61 9d 8e
   256-bit PBKDF2 output:
       d1 da a7 86 15 f2 87 e6 a1 c8 b1 20 d7 06 2a 49
       3f 98 d2 03 e6 be 49 a6 ad f4 fa 57 4b 6e 64 ee
   256-bit AES key:
       97 a4 e7 86 be 20 d8 1a 38 2d 5e bc 96 d5 90 9c
       ab cd ad c8 7c a4 8f 57 45 04 15 9f 16 c3 6e 31
   (This test is based on values given in [PECMS].)

   Iteration count = 1200
   Pass phrase = (64 characters)
     "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
   Salt="pass phrase equals block size"
   128-bit PBKDF2 output:
       13 9c 30 c0 96 6b c3 2b a5 5f db f2 12 53 0a c9
   128-bit AES key:
       59 d1 bb 78 9a 82 8b 1a a5 4e f9 c2 88 3f 69 ed
   256-bit PBKDF2 output:
       13 9c 30 c0 96 6b c3 2b a5 5f db f2 12 53 0a c9
       c5 ec 59 f1 a4 52 f5 cc 9a d9 40 fe a0 59 8e d1
   256-bit AES key:
       89 ad ee 36 08 db 8b c7 1f 1b fb fe 45 94 86 b0
       56 18 b7 0c ba e2 20 92 53 4e 56 c5 53 ba 4b 34

   Iteration count = 1200
   Pass phrase = (65 characters)
     "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
   Salt = "pass phrase exceeds block size"
   128-bit PBKDF2 output:
       9c ca d6 d4 68 77 0c d5 1b 10 e6 a6 87 21 be 61
   128-bit AES key:
       cb 80 05 dc 5f 90 17 9a 7f 02 10 4c 00 18 75 1d
   256-bit PBKDF2 output:
       9c ca d6 d4 68 77 0c d5 1b 10 e6 a6 87 21 be 61
       1a 8b 4d 28 26 01 db 3b 36 be 92 46 91 5e c8 2a
   256-bit AES key:
       d7 8c 5c 9c b8 72 a8 c9 da d4 69 7f 0b b5 b2 d2
       14 96 c8 2b eb 2c ae da 21 12 fc ee a0 57 40 1b
        

   Iteration count = 50
   Pass phrase = g-clef (0xf09d849e)
   Salt = "EXAMPLE.COMpianist"
   128-bit PBKDF2 output:
       6b 9c f2 6d 45 45 5a 43 a5 b8 bb 27 6a 40 3b 39
   128-bit AES key:
       f1 49 c1 f2 e1 54 a7 34 52 d4 3e 7f e6 2a 56 e5
   256-bit PBKDF2 output:
       6b 9c f2 6d 45 45 5a 43 a5 b8 bb 27 6a 40 3b 39
       e7 fe 37 a0 c4 1e 02 c2 81 ff 30 69 e1 e9 4f 52
   256-bit AES key:
       4b 6d 98 39 f8 44 06 df 1f 09 cc 16 6d b4 b8 3c
       57 18 48 b7 84 a3 d6 bd c3 46 58 9a 3e 39 3f 9e

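The PBKDF2 stage of the string-to-key vectors above, as an added example that is not code from RFC 3962 or from any Kerberos implementation: it reproduces the 128- and 256-bit PBKDF2 outputs of all four vectors with Python's standard library, builds the g-clef salt as realm name followed by principal name, and exercises the edge cases the vectors were chosen for (a UTF-8 passphrase, and passphrases of 64 and 65 bytes on either side of HMAC-SHA1's block size). The AES key derivation step (DK over the PBKDF2 output) is not included, and the small iteration counts are the test vectors' own.

```python
import hashlib

# Constructed from the test vectors on this page: (iterations, passphrase, salt,
# expected 128-bit PBKDF2 output, expected 256-bit PBKDF2 output), outputs in hex.
# The g-clef passphrase is U+1D11E encoded as UTF-8 (f0 9d 84 9e).
VECTORS = [
    (5, b"password", bytes.fromhex("1234567878563412"),
     "d1daa78615f287e6a1c8b120d7062a49",
     "d1daa78615f287e6a1c8b120d7062a493f98d203e6be49a6adf4fa574b6e64ee"),
    (1200, b"X" * 64, b"pass phrase equals block size",
     "139c30c0966bc32ba55fdbf212530ac9",
     "139c30c0966bc32ba55fdbf212530ac9c5ec59f1a452f5cc9ad940fea0598ed1"),
    (1200, b"X" * 65, b"pass phrase exceeds block size",
     "9ccad6d468770cd51b10e6a68721be61",
     "9ccad6d468770cd51b10e6a68721be611a8b4d282601db3b36be9246915ec82a"),
    (50, "\U0001D11E".encode("utf-8"), b"EXAMPLE.COMpianist",
     "6b9cf26d45455a43a5b8bb276a403b39",
     "6b9cf26d45455a43a5b8bb276a403b39e7fe37a0c41e02c281ff3069e1e94f52"),
]


def default_salt(realm: str, *name_components: str) -> bytes:
    """Kerberos default salt: the realm followed by the principal name
    components with no separators (the g-clef vector uses this form)."""
    return (realm + "".join(name_components)).encode("utf-8")


def pbkdf2_stage(passphrase: bytes, salt: bytes, iterations: int, key_bytes: int) -> bytes:
    """PBKDF2-HMAC-SHA1 over the UTF-8 passphrase; key_bytes is 16 or 32.
    HMAC first hashes any key longer than SHA-1's 64-byte block, which is
    what the 65-byte passphrase vector exercises."""
    return hashlib.pbkdf2_hmac("sha1", passphrase, salt, iterations, key_bytes)


def check_vectors() -> bool:
    """True if every vector matches and each 256-bit output extends the
    128-bit one (PBKDF2 output blocks do not depend on the requested length)."""
    for iters, pw, salt, out128, out256 in VECTORS:
        got128 = pbkdf2_stage(pw, salt, iters, 16)
        got256 = pbkdf2_stage(pw, salt, iters, 32)
        if got128.hex() != out128 or got256.hex() != out256:
            return False
        if got256[:16] != got128:
            return False
    return True


if __name__ == "__main__":
    print("all PBKDF2 vectors match" if check_vectors() else "MISMATCH")
```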
Some test vectors for CBC with ciphertext stealing, using an initial vector of all-zero.

   AES 128-bit key:
       0000: 63 68 69 63 6b 65 6e 20 74 65 72 69 79 61 6b 69

   IV:
       0000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   Input:
       0000: 49 20 77 6f 75 6c 64 20 6c 69 6b 65 20 74 68 65
       0010: 20
   Output:
       0000: c6 35 35 68 f2 bf 8c b4 d8 a5 80 36 2d a7 ff 7f
       0010: 97
   Next IV:
       0000: c6 35 35 68 f2 bf 8c b4 d8 a5 80 36 2d a7 ff 7f

   IV:
       0000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   Input:
       0000: 49 20 77 6f 75 6c 64 20 6c 69 6b 65 20 74 68 65
       0010: 20 47 65 6e 65 72 61 6c 20 47 61 75 27 73 20
   Output:
       0000: fc 00 78 3e 0e fd b2 c1 d4 45 d4 c8 ef f7 ed 22
       0010: 97 68 72 68 d6 ec cc c0 c0 7b 25 e2 5e cf e5
   Next IV:
       0000: fc 00 78 3e 0e fd b2 c1 d4 45 d4 c8 ef f7 ed 22

   IV:
       0000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   Input:
       0000: 49 20 77 6f 75 6c 64 20 6c 69 6b 65 20 74 68 65
       0010: 20 47 65 6e 65 72 61 6c 20 47 61 75 27 73 20 43
   Output:
       0000: 39 31 25 23 a7 86 62 d5 be 7f cb cc 98 eb f5 a8
       0010: 97 68 72 68 d6 ec cc c0 c0 7b 25 e2 5e cf e5 84
   Next IV:
       0000: 39 31 25 23 a7 86 62 d5 be 7f cb cc 98 eb f5 a8

   IV:
       0000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   Input:
       0000: 49 20 77 6f 75 6c 64 20 6c 69 6b 65 20 74 68 65
       0010: 20 47 65 6e 65 72 61 6c 20 47 61 75 27 73 20 43
       0020: 68 69 63 6b 65 6e 2c 20 70 6c 65 61 73 65 2c
   Output:
       0000: 97 68 72 68 d6 ec cc c0 c0 7b 25 e2 5e cf e5 84
       0010: b3 ff fd 94 0c 16 a1 8c 1b 55 49 d2 f8 38 02 9e
       0020: 39 31 25 23 a7 86 62 d5 be 7f cb cc 98 eb f5
   Next IV:
       0000: b3 ff fd 94 0c 16 a1 8c 1b 55 49 d2 f8 38 02 9e

   IV:
       0000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   Input:
       0000: 49 20 77 6f 75 6c 64 20 6c 69 6b 65 20 74 68 65
       0010: 20 47 65 6e 65 72 61 6c 20 47 61 75 27 73 20 43
       0020: 68 69 63 6b 65 6e 2c 20 70 6c 65 61 73 65 2c 20
   Output:
       0000: 97 68 72 68 d6 ec cc c0 c0 7b 25 e2 5e cf e5 84
       0010: 9d ad 8b bb 96 c4 cd c0 3b c1 03 e1 a1 94 bb d8
       0020: 39 31 25 23 a7 86 62 d5 be 7f cb cc 98 eb f5 a8
   Next IV:
       0000: 9d ad 8b bb 96 c4 cd c0 3b c1 03 e1 a1 94 bb d8

   IV:
       0000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   Input:
       0000: 49 20 77 6f 75 6c 64 20 6c 69 6b 65 20 74 68 65
       0010: 20 47 65 6e 65 72 61 6c 20 47 61 75 27 73 20 43
       0020: 68 69 63 6b 65 6e 2c 20 70 6c 65 61 73 65 2c 20
       0030: 61 6e 64 20 77 6f 6e 74 6f 6e 20 73 6f 75 70 2e
   Output:
       0000: 97 68 72 68 d6 ec cc c0 c0 7b 25 e2 5e cf e5 84
       0010: 39 31 25 23 a7 86 62 d5 be 7f cb cc 98 eb f5 a8
       0020: 48 07 ef e8 36 ee 89 a5 26 73 0d bc 2f 7b c8 40
       0030: 9d ad 8b bb 96 c4 cd c0 3b c1 03 e1 a1 94 bb d8
   Next IV:
       0000: 48 07 ef e8 36 ee 89 a5 26 73 0d bc 2f 7b c8 40

Normative References

[AC] Schneier, B., "Applied Cryptography", second edition, John Wiley and Sons, New York, 1996.

[AES] National Institute of Standards and Technology, U.S. Department of Commerce, "Advanced Encryption Standard", Federal Information Processing Standards Publication 197, Washington, DC, November 2001.

[KCRYPTO] Raeburn, K., "Encryption and Checksum Specifications for Kerberos 5", RFC 3961, February 2005.

[KEYWORDS] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.

[PKCS5] Kaliski, B., "PKCS #5: Password-Based Cryptography Specification Version 2.0", RFC 2898, September 2000.

[RC5] Baldwin, R. and R. Rivest, "The RC5, RC5-CBC, RC5-CBC-Pad, and RC5-CTS Algorithms", RFC 2040, October 1996.

[SHA1] National Institute of Standards and Technology, U.S. Department of Commerce, "Secure Hash Standard", Federal Information Processing Standards Publication 180-1, Washington, DC, April 1995.

Informative References

[LEACH] Leach, P., email to IETF Kerberos working group mailing list, 5 May 2003, ftp://ftp.ietf.org/ietf-mail-archive/krb-wg/2003-05.mail.

[PECMS] Gutmann, P., "Password-based Encryption for CMS", RFC 3211, December 2001.

Author's Address

   Kenneth Raeburn
   Massachusetts Institute of Technology
   77 Massachusetts Avenue
   Cambridge, MA 02139

   EMail: raeburn@mit.edu

Full Copyright Statement

Copyright (C) The Internet Society (2005).

This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights.

This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Intellectual Property

The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the IETF's procedures with respect to rights in IETF Documents can be found in BCP 78 and BCP 79.

Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr.

The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf-ipr@ietf.org.

Acknowledgement

Funding for the RFC Editor function is currently provided by the Internet Society.
