Internet Engineering Task Force (IETF)
Request for Comments: 8018
Obsoletes: 2898
Category: Informational
ISSN: 2070-1721

K. Moriarty, Ed., Dell EMC
B. Kaliski, Verisign
A. Rusch, RSA
January 2017
PKCS #5: Password-Based Cryptography Specification Version 2.1
Abstract
This document provides recommendations for the implementation of password-based cryptography, covering key derivation functions, encryption schemes, message authentication schemes, and ASN.1 syntax identifying the techniques.
This document represents a republication of PKCS #5 v2.1 from RSA Laboratories' Public-Key Cryptography Standards (PKCS) series. By publishing this RFC, change control is transferred to the IETF.
This document also obsoletes RFC 2898.
Status of This Memo
This document is not an Internet Standards Track specification; it is published for informational purposes.
This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Not all documents approved by the IESG are a candidate for any level of Internet Standard; see Section 2 of RFC 7841.
Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc8018.
Copyright Notice
Copyright (c) 2017 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
Table of Contents
   1. Introduction
   2. Notation
   3. Overview
   4. Salt and Iteration Count
      4.1. Salt
      4.2. Iteration Count
   5. Key Derivation Functions
      5.1. PBKDF1
      5.2. PBKDF2
   6. Encryption Schemes
      6.1. PBES1
         6.1.1. PBES1 Encryption Operation
         6.1.2. PBES1 Decryption Operation
      6.2. PBES2
         6.2.1. PBES2 Encryption Operation
         6.2.2. PBES2 Decryption Operation
   7. Message Authentication Schemes
      7.1. PBMAC1
         7.1.1. PBMAC1 Generation Operation
         7.1.2. PBMAC1 Verification Operation
   8. Security Considerations
   9. Normative References
   Appendix A. ASN.1 Syntax
      A.1. PBKDF1
      A.2. PBKDF2
      A.3. PBES1
      A.4. PBES2
      A.5. PBMAC1
   Appendix B. Supporting Techniques
      B.1. Pseudorandom Functions
         B.1.1. HMAC-SHA-1
         B.1.2. HMAC-SHA-2
      B.2. Encryption Schemes
         B.2.1. DES-CBC-Pad
         B.2.2. DES-EDE3-CBC-Pad
         B.2.3. RC2-CBC-Pad
         B.2.4. RC5-CBC-Pad
         B.2.5. AES-CBC-Pad
      B.3. Message Authentication Schemes
         B.3.1. HMAC-SHA-1
         B.3.2. HMAC-SHA-2
   Appendix C. ASN.1 Module
   Appendix D. Revision History of PKCS #5
   Appendix E. About PKCS
   Acknowledgements
   Authors' Addresses
1. Introduction

This document provides recommendations for the implementation of password-based cryptography, covering the following aspects:

   - key derivation functions
   - encryption schemes
   - message authentication schemes
   - ASN.1 syntax identifying the techniques
The recommendations are intended for general application within computer and communications systems and, as such, include a fair amount of flexibility. They are particularly intended for the protection of sensitive information such as private keys as in PKCS #8 [PKCS8] [RFC5958]. It is expected that application standards and implementation profiles based on these specifications may include additional constraints.
Other cryptographic techniques based on passwords, such as password-based key entity authentication and key establishment protocols [BELLOV] [JABLON] [WU] are outside the scope of this document. Guidelines for the selection of passwords are also outside the scope. This document supersedes PKCS #5 version 2.0 [RFC2898] but includes compatible techniques.
This document represents a republication of PKCS #5 v2.1 [PKCS5_21] from RSA Laboratories' Public-Key Cryptography Standards (PKCS) series.
2. Notation

   C        ciphertext, an octet string

   c        iteration count, a positive integer

   DK       derived key, an octet string

   dkLen    length in octets of derived key, a positive integer

   EM       encoded message, an octet string

   Hash     underlying hash function

   hLen     length in octets of pseudorandom function output, a positive integer

   l        length in blocks of derived key, a positive integer

   IV       initialization vector, an octet string

   K        encryption key, an octet string

   KDF      key derivation function

   M        message, an octet string

   P        password, an octet string

   PRF      underlying pseudorandom function

   PS       padding string, an octet string

   psLen    length in octets of padding string, a positive integer

   S        salt, an octet string

   T        message authentication code, an octet string

   T_1, ..., T_l, U_1, ..., U_c   intermediate values, octet strings

   01, 02, ..., 08   octets with value 1, 2, ..., 8

   \xor     bit-wise exclusive-or of two octet strings

   ||.||    octet length operator

   ||       concatenation operator

   <i..j>   substring extraction operator: extracts octets i through j, 0 <= i <= j
3. Overview

In many applications of public-key cryptography, user security is ultimately dependent on one or more secret text values or passwords. Since a password is not directly applicable as a key to any conventional cryptosystem, however, some processing of the password is required to perform cryptographic operations with it. Moreover, as passwords are often chosen from a relatively small space, special care is required in that processing to defend against search attacks.
A general approach to password-based cryptography, as described by Morris and Thompson [MORRIS] for the protection of password tables, is to combine a password with a salt to produce a key. The salt can be viewed as an index into a large set of keys derived from the password and need not be kept secret. Although it may be possible for an opponent to construct a table of possible passwords (a so-called "dictionary attack"), constructing a table of possible keys will be difficult, since there will be many possible keys for each password. An opponent will thus be limited to searching through passwords separately for each salt.
Another approach to password-based cryptography is to construct key derivation techniques that are relatively expensive, thereby increasing the cost of exhaustive search. One way to do this is to include an iteration count in the key derivation technique, indicating how many times to iterate some underlying function by which keys are derived. A modest number of iterations (say, 1000) is not likely to be a burden for legitimate parties when computing a key, but will be a significant burden for opponents.
Salt and iteration count formed the basis for password-based encryption in PKCS #5 v2.0, and are adopted here as well for the various cryptographic operations. Thus, password-based key derivation as defined here is a function of a password, a salt, and an iteration count, where the latter two quantities need not be kept secret.
From a password-based key derivation function, it is straightforward to define password-based encryption and message authentication schemes. As in PKCS #5 v2.0, the password-based encryption schemes here are based on an underlying, conventional encryption scheme, where the key for the conventional scheme is derived from the password. Similarly, the password-based message authentication scheme is based on an underlying conventional scheme. This two-layered approach makes the password-based techniques modular in terms of the underlying techniques they can be based on.
It is expected that the password-based key derivation functions may find other applications than just the encryption and message authentication schemes defined here. For instance, one might derive a set of keys with a single application of a key derivation function, rather than derive each key with a separate application of the function. The keys in the set would be obtained as substrings of the output of the key derivation function. This approach might be employed as part of key establishment in a session-oriented protocol. Another application is password checking, where the output of the key derivation function is stored (along with the salt and iteration count) for the purposes of subsequent verification of a password.
Throughout this document, a password is considered to be an octet string of arbitrary length whose interpretation as a text string is unspecified. In the interest of interoperability, however, it is recommended that applications follow some common text encoding rules. ASCII and UTF-8 [RFC3629] are two possibilities. (ASCII is a subset of UTF-8.)
Although the selection of passwords is outside the scope of this document, guidelines have been published [NISTSP63] that may well be taken into account.
4. Salt and Iteration Count

Inasmuch as salt and iteration count are central to the techniques defined in this document, some further discussion is warranted.
4.1. Salt

A salt in password-based cryptography has traditionally served the purpose of producing a large set of keys corresponding to a given password, one of which is selected at random according to the salt. An individual key in the set is selected by applying a key derivation function KDF, as
DK = KDF (P, S)
where DK is the derived key, P is the password, and S is the salt. This has two benefits:
1. It is difficult for an opponent to precompute all the keys, or even the most likely keys, corresponding to a dictionary of passwords. If the salt is 64 bits long, for instance, there will be as many as 2^64 keys for each password. An opponent is thus limited to searching for passwords after a password-based operation has been performed and the salt is known.
2. It is unlikely that the same key will be selected twice. Again, if the salt is 64 bits long, the chance of "collision" between keys does not become significant until about 2^32 keys have been produced, according to the Birthday Paradox. The fact that collisions are unlikely addresses some concerns about interactions between multiple uses of the same key that may arise when using some encryption and authentication techniques.
In password-based encryption, the party encrypting a message can gain assurance that these benefits are realized simply by selecting a large and sufficiently random salt when deriving an encryption key from a password. A party generating a message authentication code can gain such assurance in a similar fashion.
The party decrypting a message or verifying a message authentication code, however, cannot be sure that a salt supplied by another party has actually been generated at random. It is possible, for instance, that the salt may have been copied from another password-based operation in an attempt to exploit interactions between multiple uses of the same key. For instance, suppose two legitimate parties exchange an encrypted message, where the encryption key is an 80-bit key derived from a shared password with some salt. An opponent could take the salt from that encryption and provide it to one of the parties as though it were for a 40-bit key. If the party reveals the result of decryption with the 40-bit key, the opponent may be able to solve for the 40-bit key. In the case that 40-bit key is the first half of the 80-bit key, the opponent can then readily solve for the remaining 40 bits of the 80-bit key.
To defend against such attacks, either the interaction between multiple uses of the same key should be carefully analyzed, or the salt should contain data that explicitly distinguishes between different operations. For instance, the salt might have an additional, non-random octet that specifies whether the derived key is for encryption, for message authentication, or for some other operation.
Based on this, the following is recommended for salt selection:
1. If there is no concern about interactions between multiple uses of the same key (or a prefix of that key) with the password-based encryption and authentication techniques supported for a given password, then the salt may be generated at random and need not be checked for a particular format by the party receiving the salt. It should be at least eight octets (64 bits) long.
2. Otherwise, the salt should contain data that explicitly distinguishes between different operations and different key lengths, in addition to a random part that is at least eight octets long, and this data should be checked or regenerated by the party receiving the salt. For instance, the salt could have an additional non-random octet that specifies the purpose of the derived key. Alternatively, it could be the encoding of a structure that specifies detailed information about the derived key, such as the encryption or authentication technique and a sequence number among the different keys derived from the password. The particular format of the additional data is left to the application.
Note: If a random number generator or pseudorandom generator is not available, a deterministic alternative for generating the salt (or the random part of it) is to apply a password-based key derivation function to the password and the message M to be processed. For instance, the salt could be computed with a key derivation function as S = KDF (P, M). This approach is not recommended if the message M is known to belong to a small message space (e.g., "Yes" or "No"), however, since then there will only be a small number of possible salts.
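The second salt recommendation above (a non-random purpose octet in front of at least eight random octets, checked by the receiving party) carried into code, as an added example; it is not part of the RFC. The purpose values, the 8-octet random part, the 10,000-iteration count and the use of PBKDF2-HMAC-SHA256 from Python's hashlib are this example's own assumptions.

```python
import hashlib
import os
from typing import Optional

# Purpose octets for the non-random prefix of the salt. These values are this
# example's own convention; the RFC leaves the format of the extra data to the application.
PURPOSE_ENCRYPT = 0x01
PURPOSE_MAC = 0x02

RANDOM_SALT_LEN = 8       # random part: at least eight octets (64 bits), Section 4.1
ITERATIONS = 10_000       # illustrative count; see Section 4.2 on choosing it


def make_salt(purpose: int, random_part: Optional[bytes] = None) -> bytes:
    """Sender side: one purpose octet followed by at least eight random octets."""
    if not 0 <= purpose <= 0xFF:
        raise ValueError("purpose must fit in one octet")
    if random_part is None:
        random_part = os.urandom(RANDOM_SALT_LEN)
    if len(random_part) < RANDOM_SALT_LEN:
        raise ValueError("random part of the salt must be at least eight octets")
    return bytes([purpose]) + random_part


def check_salt(salt: bytes, expected_purpose: int) -> None:
    """Receiver side: the receiver cannot know the salt was generated at random, but it
    can refuse one tagged for a different operation (e.g. an encryption salt replayed
    where a MAC key is expected, the interaction Section 4.1 warns about)."""
    if len(salt) < 1 + RANDOM_SALT_LEN:
        raise ValueError("salt too short")
    if salt[0] != expected_purpose:
        raise ValueError(
            f"salt purpose {salt[0]:#04x} does not match expected {expected_purpose:#04x}")


def derive_key(password: bytes, salt: bytes, purpose: int, dk_len: int = 32) -> bytes:
    """Derive a key for one purpose with PBKDF2-HMAC-SHA256, refusing mismatched salts."""
    check_salt(salt, purpose)
    return hashlib.pbkdf2_hmac("sha256", password, salt, ITERATIONS, dk_len)


def demo() -> dict:
    """Derive an encryption key and a MAC key from one password, then replay the
    encryption salt against the MAC operation and show that it is rejected."""
    password = b"correct horse battery staple"        # constructed sample password
    rnd = bytes.fromhex("0001020304050607")            # constructed; fixed so the run is reproducible
    enc_salt = make_salt(PURPOSE_ENCRYPT, rnd)
    mac_salt = make_salt(PURPOSE_MAC, rnd)
    k_enc = derive_key(password, enc_salt, PURPOSE_ENCRYPT)
    k_mac = derive_key(password, mac_salt, PURPOSE_MAC)
    try:
        derive_key(password, enc_salt, PURPOSE_MAC)    # opponent reuses the encryption salt
        replay_rejected = False
    except ValueError:
        replay_rejected = True
    return {
        "k_enc": k_enc,
        "k_mac": k_mac,
        "keys_differ": k_enc != k_mac,                  # same password and random part, different purpose
        "replay_rejected": replay_rejected,
    }


if __name__ == "__main__":
    result = demo()
    print("encryption key:", result["k_enc"].hex())
    print("MAC key:       ", result["k_mac"].hex())
    print("replay rejected:", result["replay_rejected"])
```

The purpose octet makes the two derived keys differ even though the password and the random part are identical, and check_salt() is the receiver-side step item 2 calls for: the party that did not generate the salt cannot verify its randomness, but it can verify the purpose tag before deriving anything.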
4.2. Iteration Count

An iteration count has traditionally served the purpose of increasing the cost of producing keys from a password, thereby also increasing the difficulty of attack. Mathematically, an iteration count of c will increase the security strength of a password by log2(c) bits against trial-based attacks like brute force or dictionary attacks.
Choosing a reasonable value for the iteration count depends on environment and circumstances, and varies from application to application. This document follows the recommendations made in NIST Special Publication 800-132 [NISTSP132], which says
The iteration count shall be selected as large as possible, as long as the time required to generate the key using the entered password is acceptable for the users. [...] A minimum iteration count of 1,000 is recommended. For especially critical keys, or for very powerful systems or systems where user-perceived performance is not critical, an iteration count of 10,000,000 may be appropriate.
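The SP 800-132 rule quoted above ("as large as possible, as long as the time ... is acceptable") as a calibration routine, added here as an example and not taken from the RFC. It times one PBKDF2-HMAC-SHA256 derivation from Python's hashlib and extrapolates linearly, since PBKDF2's cost is proportional to c; the 1,000 floor and 10,000,000 ceiling are the figures quoted in this section, and the probe count and time budget are this example's own choices.

```python
import hashlib
import math
import time

MIN_ITERATIONS = 1_000          # minimum recommended in SP 800-132 (quoted in Section 4.2)
MAX_ITERATIONS = 10_000_000     # figure quoted for especially critical keys


def added_strength_bits(c: int) -> float:
    """Strength an iteration count c adds against trial-based (brute-force or
    dictionary) attacks: log2(c) bits, as stated in Section 4.2."""
    if c < 1:
        raise ValueError("iteration count must be a positive integer")
    return math.log2(c)


def effective_strength_bits(password_entropy_bits: float, c: int) -> float:
    """Work factor an attacker faces, in bits: password guessing space plus the KDF cost."""
    return password_entropy_bits + added_strength_bits(c)


def seconds_per_derivation(c: int, prf_hash: str = "sha256") -> float:
    """Wall-clock time of one PBKDF2 derivation with iteration count c on this machine."""
    password, salt = b"calibration password", b"\x00" * 16   # constructed inputs; values do not matter
    t0 = time.perf_counter()
    hashlib.pbkdf2_hmac(prf_hash, password, salt, c, 32)
    return time.perf_counter() - t0


def calibrate_iterations(budget_seconds: float, prf_hash: str = "sha256",
                         probe: int = 10_000) -> int:
    """Largest iteration count whose derivation is expected to fit in budget_seconds,
    clamped to [MIN_ITERATIONS, MAX_ITERATIONS]. PBKDF2 cost is linear in c, so one
    timed probe run is extrapolated; re-run when the hardware or the PRF changes."""
    if budget_seconds <= 0:
        raise ValueError("budget must be positive")
    elapsed = max(seconds_per_derivation(probe, prf_hash), 1e-9)
    estimate = int(probe * budget_seconds / elapsed)
    return max(MIN_ITERATIONS, min(MAX_ITERATIONS, estimate))


if __name__ == "__main__":
    c = calibrate_iterations(0.25)     # a quarter of a second per derivation, an example budget
    print("iteration count for this machine:", c)
    print("bits added by that count:", round(added_strength_bits(c), 1))
    print("40-bit password at that count:", round(effective_strength_bits(40, c), 1), "bits of work")
```

The calibration measures the legitimate party's cost; the attacker's cost per guess scales the same way only on comparable hardware, which is why the quoted guidance pushes the count as high as the user-facing latency allows rather than to a fixed number.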
5. Key Derivation Functions

A key derivation function produces a derived key from a base key and other parameters. In a password-based key derivation function, the base key is a password, and the other parameters are a salt value and an iteration count, as outlined in Section 3.
The primary application of the password-based key derivation functions defined here is in the encryption schemes in Section 6 and the message authentication scheme in Section 7. Other applications are certainly possible, hence the independent definition of these functions.
Two functions are specified in this section: PBKDF1 and PBKDF2. PBKDF2 is recommended for new applications; PBKDF1 is included only for compatibility with existing applications and is not recommended for new applications.
A typical application of the key derivation functions defined here might include the following steps:
1. Select a salt S and an iteration count c, as outlined in Section 4.
2. Select a length in octets for the derived key, dkLen.
3. Apply the key derivation function to the password, the salt, the iteration count and the key length to produce a derived key.
4. Output the derived key.
Any number of keys may be derived from a password by varying the salt, as described in Section 3.
5.1. PBKDF1

PBKDF1 applies a hash function, which shall be MD2 [RFC1319], MD5 [RFC1321], or SHA-1 [NIST180], to derive keys. The length of the derived key is bounded by the length of the hash function output, which is 16 octets for MD2 and MD5 and 20 octets for SHA-1. PBKDF1 is compatible with the key derivation process in PKCS #5 v1.5 [PKCS5_15].
PBKDF1 is recommended only for compatibility with existing applications since the keys it produces may not be large enough for some applications.
   PBKDF1 (P, S, c, dkLen)

   Options:   Hash     underlying hash function

   Input:     P        password, an octet string
              S        salt, an octet string
              c        iteration count, a positive integer
              dkLen    intended length in octets of derived key, a positive integer, at most 16 for MD2 or MD5 and 20 for SHA-1

   Output:    DK       derived key, a dkLen-octet string
Steps:
1. If dkLen > 16 for MD2 and MD5, or dkLen > 20 for SHA-1, output "derived key too long" and stop.
2. Apply the underlying hash function Hash for c iterations to the concatenation of the password P and the salt S, then extract the first dkLen octets to produce a derived key DK:
         T_1 = Hash (P || S) ,
         T_2 = Hash (T_1) ,
         ...
         T_c = Hash (T_{c-1}) ,
         DK = T_c<0..dkLen-1>
3. Output the derived key DK.
5.2. PBKDF2

PBKDF2 applies a pseudorandom function (see Appendix B.1 for an example) to derive keys. The length of the derived key is essentially unbounded. (However, the maximum effective search space for the derived key may be limited by the structure of the underlying pseudorandom function. See Appendix B.1 for further discussion.) PBKDF2 is recommended for new applications.
   PBKDF2 (P, S, c, dkLen)

   Options:   PRF      underlying pseudorandom function (hLen denotes the length in octets of the pseudorandom function output)

   Input:     P        password, an octet string
              S        salt, an octet string
              c        iteration count, a positive integer
              dkLen    intended length in octets of the derived key, a positive integer, at most (2^32 - 1) * hLen

   Output:    DK       derived key, a dkLen-octet string
Steps:
1. If dkLen > (2^32 - 1) * hLen, output "derived key too long" and stop.
2. Let l be the number of hLen-octet blocks in the derived key, rounding up, and let r be the number of octets in the last block:
         l = CEIL (dkLen / hLen)
         r = dkLen - (l - 1) * hLen
Here, CEIL (x) is the "ceiling" function, i.e., the smallest integer greater than, or equal to, x.
3. For each block of the derived key apply the function F defined below to the password P, the salt S, the iteration count c, and the block index to compute the block:
         T_1 = F (P, S, c, 1) ,
         T_2 = F (P, S, c, 2) ,
         ...
         T_l = F (P, S, c, l) ,
where the function F is defined as the exclusive-or sum of the first c iterates of the underlying pseudorandom function PRF applied to the password P and the concatenation of the salt S and the block index i:
         F (P, S, c, i) = U_1 \xor U_2 \xor ... \xor U_c

   where

         U_1 = PRF (P, S || INT (i)) ,
         U_2 = PRF (P, U_1) ,
         ...
         U_c = PRF (P, U_{c-1}) .
Here, INT (i) is a four-octet encoding of the integer i, most significant octet first.
4. Concatenate the blocks and extract the first dkLen octets to produce a derived key DK:
         DK = T_1 || T_2 || ... || T_l<0..r-1>
5. Output the derived key DK.
Note: The construction of the function F follows a "belt-and-suspenders" approach. The iterates U_i are computed recursively to remove a degree of parallelism from an opponent; they are exclusive-ored together to reduce concerns about the recursion degenerating into a small set of values.
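Steps 1 to 5 of PBKDF2 above, plus the "derive a set of keys with a single application" idea from Section 3, implemented as an added example; this is not code from the RFC. The PRF is HMAC with a hash chosen by name (Appendix B.1 lists HMAC-SHA-1 and HMAC-SHA-2), using Python's hmac and hashlib modules; function names are this example's own. The last function demonstrates the caveat behind the parenthetical in Section 5.2: HMAC (RFC 2104) replaces a key longer than the hash's block size by its digest, so two different "passwords" can yield the same derived key.

```python
import hashlib
import hmac
import struct


def pbkdf2(prf_hash: str, password: bytes, salt: bytes, c: int, dk_len: int) -> bytes:
    """PBKDF2 (Section 5.2) with PRF = HMAC-<prf_hash>, e.g. "sha1" or "sha256"."""
    if c < 1 or dk_len < 1:
        raise ValueError("c and dkLen must be positive integers")
    h_len = hashlib.new(prf_hash).digest_size
    if dk_len > (2 ** 32 - 1) * h_len:
        raise ValueError("derived key too long")            # step 1
    l = -(-dk_len // h_len)                                  # step 2: l = CEIL(dkLen / hLen)
    r = dk_len - (l - 1) * h_len                             #         r = octets in the last block

    def prf(key: bytes, data: bytes) -> bytes:
        return hmac.new(key, data, prf_hash).digest()

    def f(i: int) -> bytes:                                  # step 3: F(P, S, c, i)
        u = prf(password, salt + struct.pack(">I", i))       # U_1 = PRF(P, S || INT(i)), INT big-endian
        t = u
        for _ in range(c - 1):
            u = prf(password, u)                             # U_j = PRF(P, U_{j-1}): a serial chain
            t = bytes(a ^ b for a, b in zip(t, u))           # T_i = U_1 xor ... xor U_c
        return t

    blocks = [f(i) for i in range(1, l + 1)]                 # T_1 .. T_l
    blocks[-1] = blocks[-1][:r]                              # step 4: keep only r octets of T_l
    return b"".join(blocks)                                  # step 5


def derive_key_set(password: bytes, salt: bytes, c: int, sizes, prf_hash: str = "sha256"):
    """Section 3: one PBKDF2 call, output split into several keys as substrings."""
    dk = pbkdf2(prf_hash, password, salt, c, sum(sizes))
    keys, offset = [], 0
    for n in sizes:
        keys.append(dk[offset:offset + n])
        offset += n
    return keys


def matches_stdlib(prf_hash: str, password: bytes, salt: bytes, c: int, dk_len: int) -> bool:
    """Cross-check against hashlib.pbkdf2_hmac, which implements the same function."""
    return pbkdf2(prf_hash, password, salt, c, dk_len) == hashlib.pbkdf2_hmac(
        prf_hash, password, salt, c, dk_len)


def long_password_collides(prf_hash: str, password: bytes, salt: bytes, c: int, dk_len: int) -> bool:
    """HMAC hashes any key longer than the hash block size (64 octets for SHA-1/SHA-256)
    before use, so PBKDF2(P) == PBKDF2(Hash(P)) whenever len(P) exceeds the block size."""
    digest = hashlib.new(prf_hash, password).digest()
    return pbkdf2(prf_hash, password, salt, c, dk_len) == pbkdf2(prf_hash, digest, salt, c, dk_len)


if __name__ == "__main__":
    # RFC 6070 test vector: PBKDF2-HMAC-SHA1("password", "salt", c=1, dkLen=20)
    print(pbkdf2("sha1", b"password", b"salt", 1, 20).hex())
    enc_key, mac_key = derive_key_set(b"password", b"salt", 4096, [32, 32])
    print(enc_key.hex(), mac_key.hex())
    print("100-octet password collides with its SHA-1:",
          long_password_collides("sha1", b"A" * 100, b"salt", 2, 20))
```

The serial chain U_1 -> U_2 -> ... -> U_c is what denies an opponent parallelism within one block; the XOR accumulation is the second strap of the "belt-and-suspenders" note. The block index i is what makes T_1 ... T_l independent, so a 64-octet derivation costs twice a 32-octet one for the legitimate party but not for an attacker who only needs the first block to test a guess, which is why the effective strength of a long derived key is not higher than that of its first block.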
6. Encryption Schemes

An encryption scheme, in the symmetric setting, consists of an encryption operation and a decryption operation, where the encryption operation produces a ciphertext from a message under a key, and the decryption operation recovers the message from the ciphertext under the same key. In a password-based encryption scheme, the key is a password.
A typical application of a password-based encryption scheme is a private-key protection method, where the message contains private-key information, as in PKCS #8. The encryption schemes defined here would be suitable encryption algorithms in that context.
Two schemes are specified in this section: PBES1 and PBES2. PBES2 is recommended for new applications; PBES1 is included only for compatibility with existing applications and is not recommended for new applications.
6.1. PBES1

PBES1 combines the PBKDF1 function (Section 5.1) with an underlying block cipher, which shall be either DES [NIST46] or RC2 [RFC2268] in cipher block chaining (CBC) mode [NIST81]. PBES1 is compatible with the encryption scheme in PKCS #5 v1.5 [PKCS5_15].
PBES1 is recommended only for compatibility with existing applications, since it supports only two underlying encryption schemes, each of which has a key size (56 or 64 bits) that may not be large enough for some applications.
6.1.1. PBES1 Encryption Operation

The encryption operation for PBES1 consists of the following steps, which encrypt a message M under a password P to produce a ciphertext C:
1. Select an eight-octet salt S and an iteration count c, as outlined in Section 4.
1. 如第4节所述,选择一个8个八位组的salt S和一个迭代计数c。
2. Apply the PBKDF1 key derivation function (Section 5.1) to the password P, the salt S, and the iteration count c to produce a derived key DK of length 16 octets:
2. 将PBKDF1密钥派生函数(第5.1节)应用于密码P、salt S和迭代计数c,以生成长度为16个八位字节的派生密钥DK:
DK = PBKDF1 (P, S, c, 16)
DK=PBKDF1(P,S,c,16)
3. Separate the derived key DK into an encryption key K consisting of the first eight octets of DK and an initialization vector IV consisting of the next eight octets:
3. 将导出密钥DK分离为加密密钥K,该密钥由DK的前八个八位字节组成,初始化向量IV由下八个八位字节组成:
K = DK<0..7> IV = DK<8..15>
K = DK<0..7> IV = DK<8..15>
4. Concatenate M and a padding string PS to form an encoded message EM:
4. 连接M和填充字符串PS以形成编码消息EM:
EM = M || PS
EM=M | | PS
where the padding string PS consists of 8-(||M|| mod 8) octets each with value 8-(||M|| mod 8). The padding string PS will satisfy one of the following statements:
其中填充字符串PS由8-(| M | mod 8)个八位字节组成,每个八位字节的值为8-(| M | mod 8)。填充字符串PS将满足以下语句之一:
PS = 01, if ||M|| mod 8 = 7 ; PS = 02 02, if ||M|| mod 8 = 6 ; ... PS = 08 08 08 08 08 08 08 08, if ||M|| mod 8 = 0.
PS = 01, if ||M|| mod 8 = 7 ; PS = 02 02, if ||M|| mod 8 = 6 ; ... PS = 08 08 08 08 08 08 08 08, if ||M|| mod 8 = 0.
The length in octets of the encoded message will be a multiple of eight, and it will be possible to recover the message M unambiguously from the encoded message. (This padding rule is taken from RFC 1423 [RFC1423].)
编码消息的长度(以八位字节为单位)将是8的倍数,并且可以从编码消息中毫不含糊地恢复消息M。(此填充规则取自RFC 1423[RFC1423]。)
5. Encrypt the encoded message EM with the underlying block cipher (DES or RC2) in CBC mode under the encryption key K with initialization vector IV to produce the ciphertext C. For DES, the key K shall be considered as a 64-bit encoding of a 56-bit DES key with parity bits ignored (see [NIST46]). For RC2, the "effective key bits" shall be 64 bits.
5. 在加密密钥K和初始化向量IV下,在CBC模式下使用基础分组密码(DES或RC2)对编码消息EM进行加密,以生成密文C。对于DES,密钥K应被视为56位DES密钥的64位编码,奇偶校验位被忽略(见[NIST46])。对于RC2,“有效密钥位”应为64位。
6. Output the ciphertext C.
6. 输出密文C。
The salt S and the iteration count c may be conveyed to the party performing decryption in an AlgorithmIdentifier value (see Appendix A.3).
The decryption operation for PBES1 consists of the following steps, which decrypt a ciphertext C under a password P to recover a message M:
1. Obtain the eight-octet salt S and the iteration count c.
2. Apply the PBKDF1 key derivation function (Section 5.1) to the password P, the salt S, and the iteration count c to produce a derived key DK of length 16 octets:
      DK = PBKDF1 (P, S, c, 16)
3. Separate the derived key DK into an encryption key K consisting of the first eight octets of DK and an initialization vector IV consisting of the next eight octets:
      K  = DK<0..7>
      IV = DK<8..15>
4. Decrypt the ciphertext C with the underlying block cipher (DES or RC2) in CBC mode under the encryption key K with initialization vector IV to recover an encoded message EM. If the length in octets of the ciphertext C is not a multiple of eight, output "decryption error" and stop.
5. Separate the encoded message EM into a message M and a padding string PS:
      EM = M || PS
   where the padding string PS consists of some number psLen octets each with value psLen, where psLen is between 1 and 8. If it is not possible to separate the encoded message EM in this manner, output "decryption error" and stop.
6. Output the recovered message M.
PBES2 combines a password-based key derivation function, which shall be PBKDF2 (Section 5.2) for this version of PKCS #5, with an underlying encryption scheme (see Appendix B.2 for examples). The key length and any other parameters for the underlying encryption scheme depend on the scheme.
PBES2 is recommended for new applications.
The encryption operation for PBES2 consists of the following steps, which encrypt a message M under a password P to produce a ciphertext C, applying a selected key derivation function KDF and a selected underlying encryption scheme:
1. Select a salt S and an iteration count c, as outlined in Section 4.
2. Select the length in octets, dkLen, for the derived key for the underlying encryption scheme.
3. Apply the selected key derivation function to the password P, the salt S, and the iteration count c to produce a derived key DK of length dkLen octets:
      DK = KDF (P, S, c, dkLen)
4. Encrypt the message M with the underlying encryption scheme under the derived key DK to produce a ciphertext C. (This step may involve selection of parameters such as an initialization vector and padding, depending on the underlying scheme.)
5. Output the ciphertext C.
The salt S, the iteration count c, the key length dkLen, and identifiers for the key derivation function and the underlying encryption scheme may be conveyed to the party performing decryption in an AlgorithmIdentifier value (see Appendix A.4).
The decryption operation for PBES2 consists of the following steps, which decrypt a ciphertext C under a password P to recover a message M:
1. Obtain the salt S for the operation.
2. Obtain the iteration count c for the key derivation function.
3. Obtain the key length in octets, dkLen, for the derived key for the underlying encryption scheme.
4. Apply the selected key derivation function to the password P, the salt S, and the iteration count c to produce a derived key DK of length dkLen octets:
      DK = KDF (P, S, c, dkLen)
5. Decrypt the ciphertext C with the underlying encryption scheme under the derived key DK to recover a message M. If the decryption function outputs "decryption error", then output "decryption error" and stop.
6. Output the recovered message M.
A message authentication scheme consists of a MAC (Message Authentication Code) generation operation and a MAC verification operation, where the MAC generation operation produces a MAC from a message under a key, and the MAC verification operation verifies the message authentication code under the same key. In a password-based message authentication scheme, the key is a password.
One scheme is specified in this section: PBMAC1.
PBMAC1 combines a password-based key derivation function, which shall be PBKDF2 (Section 5.2) for this version of PKCS #5, with an underlying message authentication scheme (see Appendix B.3 for an example). The key length and any other parameters for the underlying message authentication scheme depend on the scheme.
The MAC generation operation for PBMAC1 consists of the following steps, which process a message M under a password P to generate a message authentication code T, applying a selected key derivation function KDF and a selected underlying message authentication scheme:
1. Select a salt S and an iteration count c, as outlined in Section 4.
2. Select a key length in octets, dkLen, for the derived key for the underlying message authentication function.
3. Apply the selected key derivation function to the password P, the salt S, and the iteration count c to produce a derived key DK of length dkLen octets:
      DK = KDF (P, S, c, dkLen)
4. Process the message M with the underlying message authentication scheme under the derived key DK to generate a message authentication code T.
5. Output the message authentication code T.
The salt S, the iteration count c, the key length dkLen, and identifiers for the key derivation function and underlying message authentication scheme may be conveyed to the party performing verification in an AlgorithmIdentifier value (see Appendix A.5).
The MAC verification operation for PBMAC1 consists of the following steps, which process a message M under a password P to verify a message authentication code T:
1. Obtain the salt S and the iteration count c.
2. Obtain the key length in octets, dkLen, for the derived key for the underlying message authentication scheme.
3. Apply the selected key derivation function to the password P, the salt S, and the iteration count c to produce a derived key DK of length dkLen octets:
      DK = KDF (P, S, c, dkLen)
4. Process the message M with the underlying message authentication scheme under the derived key DK to verify the message authentication code T.
5. If the message authentication code verifies, output "correct"; else output "incorrect".
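The three constructions that rest on PBKDF2, namely the iterated function F from the note in Section 5.2, the PBES2 encryption and decryption operations of Section 6.2, and the PBMAC1 operations just listed, as one added Go example; this is not code from RFC 8018 or from any implementation it cites. pbkdf2 is written directly from the specification so that the U_j chain and the running XOR are visible, and it accepts any HMAC hash; pbkdf2SHA1 fixes the document's default PRF and is what the RFC 6070 test vectors exercise. The underlying encryption scheme is an assumption of this example: AES-256-GCM, which is not among the Appendix B.2 examples but is allowed because the PBES2-Encs set is left to the application. Its nonce plays the part of the scheme-specific parameter of encryption step 4, and a failed tag check is the "decryption error" of decryption step 5. PBMAC1 uses HMAC-SHA256 with a 32-octet derived key. Passwords, salts and messages used with it are constructed sample values; real salts and iteration counts follow Section 4.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"crypto/sha256"
	"errors"
	"hash"
)

// pbkdf2 is PBKDF2 (Section 5.2) over HMAC with hash h, written per the spec:
//   U_1 = PRF(P, S || INT(i)), U_j = PRF(P, U_{j-1}), T_i = U_1 xor ... xor U_c,
//   DK = T_1 || ... || T_l <0..dkLen-1>. Each U_j needs U_{j-1}, so one block costs
// c sequential PRF calls; the running XOR keeps T_i spread even if the U chain cycles.
func pbkdf2(h func() hash.Hash, p, s []byte, c, dkLen int) ([]byte, error) {
	prf := hmac.New(h, p)
	hLen := prf.Size()
	if c < 1 || dkLen < 1 || uint64(dkLen) > (1<<32-1)*uint64(hLen) {
		return nil, errors.New("pbkdf2: bad iteration count or derived key too long")
	}
	l := (dkLen + hLen - 1) / hLen // ceil(dkLen / hLen) blocks
	dk := make([]byte, 0, l*hLen)
	for i := 1; i <= l; i++ {
		prf.Reset()
		prf.Write(s)
		prf.Write([]byte{byte(i >> 24), byte(i >> 16), byte(i >> 8), byte(i)}) // INT(i)
		u := prf.Sum(nil)
		t := append([]byte(nil), u...)
		for j := 2; j <= c; j++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for k := range t {
				t[k] ^= u[k]
			}
		}
		dk = append(dk, t...)
	}
	return dk[:dkLen], nil
}

// pbkdf2SHA1 fixes the PRF to HMAC-SHA-1, the DEFAULT prf of PBKDF2-params.
func pbkdf2SHA1(p, s []byte, c, dkLen int) ([]byte, error) {
	return pbkdf2(sha1.New, p, s, c, dkLen)
}

// pbes2Scheme is PBES2 steps 2-3 (PBKDF2-HMAC-SHA256, dkLen = 32) followed by
// instantiation of the assumed underlying scheme, AES-256-GCM, under DK.
func pbes2Scheme(p, s []byte, c int) (cipher.AEAD, error) {
	dk, err := pbkdf2(sha256.New, p, s, c, 32)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(dk)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// pbes2Encrypt is the PBES2 encryption operation. The nonce is the scheme's own
// parameter of step 4; placing it in front of C is this example's layout.
func pbes2Encrypt(p, s []byte, c int, m []byte) ([]byte, error) {
	g, err := pbes2Scheme(p, s, c)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, m, nil), nil
}

// pbes2Decrypt is the PBES2 decryption operation; a short input and a failed
// tag check both surface as the single "decryption error" of step 5.
func pbes2Decrypt(p, s []byte, c int, ct []byte) ([]byte, error) {
	g, err := pbes2Scheme(p, s, c)
	if err != nil {
		return nil, err
	}
	if n := g.NonceSize(); len(ct) >= n {
		if m, err := g.Open(nil, ct[:n], ct[n:], nil); err == nil {
			return m, nil
		}
	}
	return nil, errors.New("decryption error")
}

// pbmac1 is the PBMAC1 generation operation with HMAC-SHA256 as the MAC, dkLen = 32.
func pbmac1(p, s []byte, c int, m []byte) ([]byte, error) {
	dk, err := pbkdf2(sha256.New, p, s, c, 32)
	if err != nil {
		return nil, err
	}
	mac := hmac.New(sha256.New, dk)
	mac.Write(m)
	return mac.Sum(nil), nil
}

// pbmac1Verify is the verification operation; hmac.Equal compares in constant time.
func pbmac1Verify(p, s []byte, c int, m, tag []byte) bool {
	want, err := pbmac1(p, s, c, m)
	return err == nil && hmac.Equal(want, tag)
}
```

Two points are deliberate. pbes2Decrypt never reports why it failed, matching decryption step 5 and giving a remote party nothing to distinguish a bad password from a tampered ciphertext. pbmac1Verify compares with hmac.Equal rather than bytes.Equal so that the comparison time does not depend on how many leading octets of a forged tag happen to be right.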
Password-based cryptography is generally limited in the security that it can provide, particularly for methods such as those defined in this document where offline password search is possible. While the use of salt and iteration count can increase the complexity of attack (see Section 4 for recommendations), it is essential that passwords are selected well, and relevant guidelines (e.g., [NISTSP63]) should be taken into account. It is also important that passwords be protected well if stored.
In general, different keys should be derived from a password for different uses to minimize the possibility of unintended interactions. For password-based encryption with a single algorithm, a random salt is sufficient to ensure that different keys will be produced. In certain other situations, as outlined in Section 4, a structured salt is necessary. The recommendations in Section 4 should thus be taken into account when selecting the salt value.
For information on security considerations for MD2 [RFC1319], see [RFC6149]; for MD5 [RFC1321], see [RFC6151]; and for SHA-1 [NIST180], see [RFC6194].
[ANSIX952] ANSI, "Triple Data Encryption Algorithm Modes of Operation", Accredited Standards Committee X9, X9.52-1998, July 1998.
[BELLOV] Bellovin, S. and M. Merritt, "Encrypted Key Exchange: Password-based Protocols Secure against Dictionary Attacks", Proceedings of the IEEE Symposium on Research in Security and Privacy, pages 72-84, IEEE Computer Society, DOI 10.1109/RISP.1992.213269, 1992.
[COCHRAN] Cochran, M., "Notes on the Wang et al. 2^63 SHA-1 Differential Path", Cryptology ePrint Archive: Report 2007/474, August 2008, <http://eprint.iacr.org/2007/474>.
[ISO8824-1] International Organization for Standardization, "Information technology - Abstract Syntax Notation One (ASN.1) - Specification of basic notation", ISO/IEC 8824-1:2008, 2008.
[ISO8824-2] International Organization for Standardization, "Information technology - Abstract Syntax Notation One (ASN.1) - Information object specification", ISO/IEC 8824-2:2008, 2008.
[ISO8824-3] International Organization for Standardization, "Information technology - Abstract Syntax Notation One (ASN.1) - Constraint specification", ISO/IEC 8824-3:2008, 2008.
[ISO8824-4] International Organization for Standardization, "Information technology - Abstract Syntax Notation One (ASN.1) - Parameterization of ASN.1 specifications", ISO/IEC 8824-4:2008, 2008.
[JABLON] Jablon, D., "Strong Password-Only Authenticated Key Exchange", ACM SIGCOMM Computer Communication Review, Volume 26, Issue 5, DOI 10.1145/242896.242897, October 1996.
[MORRIS] Morris, R. and K. Thompson, "Password security: A case history", Communications of the ACM, Vol. 22, Issue 11, pages 594-597, DOI 10.1145/359168.359172, November 1979.
[NIST46] National Institute of Standards and Technology (NIST), "Data Encryption Standard", FIPS PUB 46-3, October 1999.
[NIST81] National Institute of Standards and Technology (NIST), "DES Modes of Operation", FIPS PUB 81, December 2, 1980.
[NIST180] National Institute of Standards and Technology, "Secure Hash Standard (SHS)", FIPS PUB 180-4, DOI 10.6028/NIST.FIPS.180-4, August 2015.
[NIST197] National Institute of Standards and Technology (NIST), "Advanced Encryption Standard (AES)", FIPS PUB 197, November 2001.
[NIST198] National Institute of Standards and Technology (NIST), "The Keyed-Hash Message Authentication Code (HMAC)", FIPS PUB 198-1, July 2008.
[NISTSP63] National Institute of Standards and Technology (NIST), "Electronic Authentication Guideline", NIST Special Publication 800-63-2, DOI 10.6028/NIST.SP.800-63-2, August 2013.
[NISTSP132] National Institute of Standards and Technology (NIST), "Recommendation for Password-Based Key Derivation, Part 1: Storage Applications", NIST Special Publication 800-132, DOI 10.6028/NIST.SP.800-132, December 2010.
[PKCS5_15] RSA Laboratories, "PKCS #5: Password-Based Encryption Standard Version 1.5", November 1993.
[PKCS5_21] RSA Laboratories, "PKCS #5: Password-Based Encryption Standard Version 2.1", October 2012.
[PKCS8] Kaliski, B., "Public-Key Cryptography Standards (PKCS) #8: Private-Key Information Syntax Specification Version 1.2", RFC 5208, DOI 10.17487/RFC5208, May 2008, <http://www.rfc-editor.org/info/rfc5208>.
[RC5] Rivest, R.L., "The RC5 encryption algorithm", In Proceedings of the Second International Workshop on Fast Software Encryption, pages 86-96, Springer-Verlag, DOI 10.1007/3-540-60590-8_7, 1994.
[RFC1319] Kaliski, B., "The MD2 Message-Digest Algorithm", RFC 1319, DOI 10.17487/RFC1319, April 1992, <http://www.rfc-editor.org/info/rfc1319>.
[RFC1321] Rivest, R., "The MD5 Message-Digest Algorithm", RFC 1321, DOI 10.17487/RFC1321, April 1992, <http://www.rfc-editor.org/info/rfc1321>.
[RFC1423] Balenson, D., "Privacy Enhancement for Internet Electronic Mail: Part III: Algorithms, Modes, and Identifiers", RFC 1423, DOI 10.17487/RFC1423, February 1993, <http://www.rfc-editor.org/info/rfc1423>.
[RFC2040] Baldwin, R. and R. Rivest, "The RC5, RC5-CBC, RC5-CBC-Pad, and RC5-CTS Algorithms", RFC 2040, DOI 10.17487/RFC2040, October 1996, <http://www.rfc-editor.org/info/rfc2040>.
[RFC2104] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed-Hashing for Message Authentication", RFC 2104, DOI 10.17487/RFC2104, February 1997, <http://www.rfc-editor.org/info/rfc2104>.
[RFC2268] Rivest, R., "A Description of the RC2(r) Encryption Algorithm", RFC 2268, DOI 10.17487/RFC2268, March 1998, <http://www.rfc-editor.org/info/rfc2268>.
[RFC2898] Kaliski, B., "PKCS #5: Password-Based Cryptography Specification Version 2.0", RFC 2898, DOI 10.17487/RFC2898, September 2000, <http://www.rfc-editor.org/info/rfc2898>.
[RFC3629] Yergeau, F., "UTF-8, a transformation format of ISO 10646", STD 63, RFC 3629, DOI 10.17487/RFC3629, November 2003, <http://www.rfc-editor.org/info/rfc3629>.
[RFC5652] Housley, R., "Cryptographic Message Syntax (CMS)", STD 70, RFC 5652, DOI 10.17487/RFC5652, September 2009, <http://www.rfc-editor.org/info/rfc5652>.
[RFC5958] Turner, S., "Asymmetric Key Packages", RFC 5958, DOI 10.17487/RFC5958, August 2010, <http://www.rfc-editor.org/info/rfc5958>.
[RFC6149] Turner, S. and L. Chen, "MD2 to Historic Status", RFC 6149, DOI 10.17487/RFC6149, March 2011, <http://www.rfc-editor.org/info/rfc6149>.
[RFC6151] Turner, S. and L. Chen, "Updated Security Considerations for the MD5 Message-Digest and the HMAC-MD5 Algorithms", RFC 6151, DOI 10.17487/RFC6151, March 2011, <http://www.rfc-editor.org/info/rfc6151>.
[RFC6194] Polk, T., Chen, L., Turner, S., and P. Hoffman, "Security Considerations for the SHA-0 and SHA-1 Message-Digest Algorithms", RFC 6194, DOI 10.17487/RFC6194, March 2011, <http://www.rfc-editor.org/info/rfc6194>.
[WANG] Wang, X., Yao, A.C., and F. Yao, "Cryptanalysis on SHA-1", presented by Adi Shamir at the rump session of CRYPTO 2005, <http://csrc.nist.gov/groups/ST/hash/documents/Wang_SHA1-New-Result.pdf>.
[WU] Wu, T., "The Secure Remote Password protocol", In Proceedings of the 1998 Internet Society Network and Distributed System Security Symposium, pages 97-111, Internet Society, 1998, <https://www.isoc.org/isoc/conferences/ndss/98/wu.pdf>.
This section defines ASN.1 syntax for the key derivation functions, the encryption schemes, the message authentication scheme, and supporting techniques. The intended application of these definitions includes PKCS #8 and other syntax for key management, encrypted data, and integrity-protected data. (Various aspects of ASN.1 are specified in several ISO/IEC standards [ISO8824-1] [ISO8824-2] [ISO8824-3] [ISO8824-4].)
The object identifier pkcs-5 identifies the arc of the OID tree from which the OIDs (specific to PKCS #5) in this section are derived:
   rsadsi OBJECT IDENTIFIER ::= {iso(1) member-body(2) us(840) 113549}
   pkcs   OBJECT IDENTIFIER ::= {rsadsi 1}
   pkcs-5 OBJECT IDENTIFIER ::= {pkcs 5}
No object identifier is given for PBKDF1, as the object identifiers for PBES1 are sufficient for existing applications, and PBKDF2 is recommended for new applications.
The object identifier id-PBKDF2 identifies the PBKDF2 key derivation function (Section 5.2).
   id-PBKDF2 OBJECT IDENTIFIER ::= {pkcs-5 12}
The parameters field associated with this OID in an AlgorithmIdentifier shall have type PBKDF2-params:
   PBKDF2-params ::= SEQUENCE {
       salt CHOICE {
           specified OCTET STRING,
           otherSource AlgorithmIdentifier {{PBKDF2-SaltSources}}
       },
       iterationCount INTEGER (1..MAX),
       keyLength INTEGER (1..MAX) OPTIONAL,
       prf AlgorithmIdentifier {{PBKDF2-PRFs}} DEFAULT algid-hmacWithSHA1
   }
The fields of type PBKDF2-params have the following meanings:
- salt specifies the salt value or the source of the salt value. It shall either be an octet string or an algorithm ID with an OID in the set PBKDF2-SaltSources, which is reserved for future versions of PKCS #5.
The salt-source approach is intended to indicate how the salt value is to be generated as a function of parameters in the algorithm ID, application data, or both. For instance, it may indicate that the salt value is produced from the encoding of a structure that specifies detailed information about the derived key as suggested in Section 4.1. Some of the information may be carried elsewhere, e.g., in the encryption algorithm ID. However, such facilities are deferred to a future version of PKCS #5.
In this version, an application may achieve the benefits mentioned in Section 4.1 by choosing a particular interpretation of the salt value in the specified alternative.
   PBKDF2-SaltSources ALGORITHM-IDENTIFIER ::= { ... }
- iterationCount specifies the iteration count. The maximum iteration count allowed depends on the implementation. It is expected that implementation profiles may further constrain the bounds.
- keyLength, an optional field, is the length in octets of the derived key. The maximum key length allowed depends on the implementation; it is expected that implementation profiles may further constrain the bounds. The field is provided for convenience only; the key length is not cryptographically protected. If there is concern about interaction between operations with different key lengths for a given salt (see Section 4.1), the salt should distinguish among the different key lengths.
- prf identifies the underlying pseudorandom function. It shall be an algorithm ID with an OID in the set PBKDF2-PRFs, which for this version of PKCS #5 shall consist of id-hmacWithSHA1 (see Appendix B.1.1) and any other OIDs defined by the application.
   PBKDF2-PRFs ALGORITHM-IDENTIFIER ::= {
       {NULL IDENTIFIED BY id-hmacWithSHA1},
       {NULL IDENTIFIED BY id-hmacWithSHA224},
       {NULL IDENTIFIED BY id-hmacWithSHA256},
       {NULL IDENTIFIED BY id-hmacWithSHA384},
       {NULL IDENTIFIED BY id-hmacWithSHA512},
       {NULL IDENTIFIED BY id-hmacWithSHA512-224},
       {NULL IDENTIFIED BY id-hmacWithSHA512-256},
       ...
   }
The default pseudorandom function is HMAC-SHA-1:
   algid-hmacWithSHA1 AlgorithmIdentifier {{PBKDF2-PRFs}} ::=
       {algorithm id-hmacWithSHA1, parameters NULL : NULL}
Different object identifiers identify the PBES1 encryption scheme (Section 6.1) according to the underlying hash function in the key derivation function and the underlying block cipher, as summarized in the following table:
   Hash Function   Block Cipher   OID
   MD2             DES            pkcs-5.1
   MD2             RC2            pkcs-5.4
   MD5             DES            pkcs-5.3
   MD5             RC2            pkcs-5.6
   SHA-1           DES            pkcs-5.10
   SHA-1           RC2            pkcs-5.11

   pbeWithMD2AndDES-CBC  OBJECT IDENTIFIER ::= {pkcs-5 1}
   pbeWithMD2AndRC2-CBC  OBJECT IDENTIFIER ::= {pkcs-5 4}
   pbeWithMD5AndDES-CBC  OBJECT IDENTIFIER ::= {pkcs-5 3}
   pbeWithMD5AndRC2-CBC  OBJECT IDENTIFIER ::= {pkcs-5 6}
   pbeWithSHA1AndDES-CBC OBJECT IDENTIFIER ::= {pkcs-5 10}
   pbeWithSHA1AndRC2-CBC OBJECT IDENTIFIER ::= {pkcs-5 11}
For each OID, the parameters field associated with the OID in an AlgorithmIdentifier shall have type PBEParameter:
   PBEParameter ::= SEQUENCE {
       salt OCTET STRING (SIZE(8)),
       iterationCount INTEGER
   }
The fields of type PBEParameter have the following meanings:
- salt specifies the salt value, an eight-octet string.
- iterationCount specifies the iteration count.
The object identifier id-PBES2 identifies the PBES2 encryption scheme (Section 6.2).
   id-PBES2 OBJECT IDENTIFIER ::= {pkcs-5 13}
The parameters field associated with this OID in an AlgorithmIdentifier shall have type PBES2-params:
   PBES2-params ::= SEQUENCE {
       keyDerivationFunc AlgorithmIdentifier {{PBES2-KDFs}},
       encryptionScheme AlgorithmIdentifier {{PBES2-Encs}}
   }
The fields of type PBES2-params have the following meanings:
- keyDerivationFunc identifies the underlying key derivation function. It shall be an algorithm ID with an OID in the set PBES2-KDFs, which for this version of PKCS #5 shall consist of id-PBKDF2 (Appendix A.2).
   PBES2-KDFs ALGORITHM-IDENTIFIER ::= {
       {PBKDF2-params IDENTIFIED BY id-PBKDF2},
       ...
   }
- encryptionScheme identifies the underlying encryption scheme. It shall be an algorithm ID with an OID in the set PBES2-Encs, whose definition is left to the application. Examples of underlying encryption schemes are given in Appendix B.2.
   PBES2-Encs ALGORITHM-IDENTIFIER ::= { ... }
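The PBES2-params structure just defined, with PBKDF2-params (Appendix A.2) nested inside its keyDerivationFunc, encoded to DER and decoded again with Go's encoding/asn1, as an added example that is not code from RFC 8018. id-PBKDF2, id-PBES2 and the pkcs-5 arc are the values defined in this appendix. id-hmacWithSHA1 and id-hmacWithSHA256 ({digestAlgorithm 7} and {digestAlgorithm 9}) are taken from Appendix B.1 of the RFC, and the aes256-CBC identifier 2.16.840.1.101.3.4.1.42 from Appendix B.2; none of those three appears in the excerpt above, so they are assumptions of the example. Only the "specified OCTET STRING" alternative of the salt CHOICE is modelled, the prf DEFAULT is applied on decode, and the decoder enforces two points the text makes: PBES2-KDFs contains only id-PBKDF2 in this version, and keyLength is a convenience field that is not cryptographically protected, so it is checked against the cipher rather than trusted. The salt and IV in the tests are constructed sample values.

```go
package main

import (
	"encoding/asn1"
	"errors"
)

// Object identifiers. The first two are from this appendix; the HMAC and AES
// OIDs are assumed from Appendix B of the RFC, which is not part of this excerpt.
var (
	oidPBKDF2         = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 5, 12} // {pkcs-5 12}
	oidPBES2          = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 5, 13} // {pkcs-5 13}
	oidHMACWithSHA1   = asn1.ObjectIdentifier{1, 2, 840, 113549, 2, 7}     // {digestAlgorithm 7}
	oidHMACWithSHA256 = asn1.ObjectIdentifier{1, 2, 840, 113549, 2, 9}     // {digestAlgorithm 9}
	oidAES256CBC      = asn1.ObjectIdentifier{2, 16, 840, 1, 101, 3, 4, 1, 42}
)

// algorithmIdentifier is the generic AlgorithmIdentifier { algorithm, parameters }.
type algorithmIdentifier struct {
	Algorithm  asn1.ObjectIdentifier
	Parameters asn1.RawValue `asn1:"optional"`
}

// pbkdf2Params mirrors PBKDF2-params. Only the "specified" alternative of the
// salt CHOICE is modelled; an absent prf means the DEFAULT, handled on decode.
type pbkdf2Params struct {
	Salt           []byte
	IterationCount int
	KeyLength      int                 `asn1:"optional"`
	PRF            algorithmIdentifier `asn1:"optional"`
}

// pbes2Params mirrors PBES2-params.
type pbes2Params struct {
	KeyDerivationFunc algorithmIdentifier
	EncryptionScheme  algorithmIdentifier
}

// encodePBES2Params produces DER PBES2-params for PBKDF2 with the given prf
// (nil leaves the DEFAULT hmacWithSHA1 implicit) and AES-256-CBC with IV iv.
func encodePBES2Params(salt []byte, iter, keyLen int, prf asn1.ObjectIdentifier, iv []byte) ([]byte, error) {
	kp := pbkdf2Params{Salt: salt, IterationCount: iter, KeyLength: keyLen}
	if prf != nil {
		kp.PRF = algorithmIdentifier{Algorithm: prf, Parameters: asn1.NullRawValue}
	}
	kdf, err := asn1.Marshal(kp)
	if err != nil {
		return nil, err
	}
	ivDER, err := asn1.Marshal(iv) // AES-CBC parameters are the IV as an OCTET STRING
	if err != nil {
		return nil, err
	}
	return asn1.Marshal(pbes2Params{
		KeyDerivationFunc: algorithmIdentifier{Algorithm: oidPBKDF2, Parameters: asn1.RawValue{FullBytes: kdf}},
		EncryptionScheme:  algorithmIdentifier{Algorithm: oidAES256CBC, Parameters: asn1.RawValue{FullBytes: ivDER}},
	})
}

// pbes2AlgorithmIdentifier wraps encoded PBES2-params in the AlgorithmIdentifier
// that carries them, with algorithm = id-PBES2.
func pbes2AlgorithmIdentifier(params []byte) ([]byte, error) {
	return asn1.Marshal(algorithmIdentifier{Algorithm: oidPBES2, Parameters: asn1.RawValue{FullBytes: params}})
}

// decodePBES2Params parses and validates PBES2-params, returning the PBKDF2
// parameters, the effective prf OID and the AES-CBC IV. The policy it applies
// (one KDF, one cipher, keyLength checked against the cipher) is this example's.
func decodePBES2Params(der []byte) (pbkdf2Params, asn1.ObjectIdentifier, []byte, error) {
	var p pbes2Params
	var kdf pbkdf2Params
	var iv []byte
	if rest, err := asn1.Unmarshal(der, &p); err != nil || len(rest) != 0 {
		return pbkdf2Params{}, nil, nil, errors.New("malformed PBES2-params")
	}
	if !p.KeyDerivationFunc.Algorithm.Equal(oidPBKDF2) {
		return pbkdf2Params{}, nil, nil, errors.New("PBES2-KDFs holds only id-PBKDF2 in this version")
	}
	if rest, err := asn1.Unmarshal(p.KeyDerivationFunc.Parameters.FullBytes, &kdf); err != nil || len(rest) != 0 {
		return pbkdf2Params{}, nil, nil, errors.New("malformed PBKDF2-params")
	}
	if kdf.IterationCount < 1 {
		return pbkdf2Params{}, nil, nil, errors.New("iterationCount must be at least 1")
	}
	prf := kdf.PRF.Algorithm
	if prf == nil {
		prf = oidHMACWithSHA1 // DEFAULT algid-hmacWithSHA1
	}
	if !p.EncryptionScheme.Algorithm.Equal(oidAES256CBC) {
		return pbkdf2Params{}, nil, nil, errors.New("unsupported encryptionScheme")
	}
	if rest, err := asn1.Unmarshal(p.EncryptionScheme.Parameters.FullBytes, &iv); err != nil || len(rest) != 0 || len(iv) != 16 {
		return pbkdf2Params{}, nil, nil, errors.New("malformed AES-CBC IV")
	}
	// keyLength is "provided for convenience only" and not integrity-protected:
	// AES-256 fixes dkLen at 32, so a conflicting value is rejected rather than used.
	if kdf.KeyLength != 0 && kdf.KeyLength != 32 {
		return pbkdf2Params{}, nil, nil, errors.New("keyLength conflicts with AES-256")
	}
	return kdf, prf, iv, nil
}
```

A decoder that took keyLength at face value would derive a key of whatever length an attacker wrote into the unprotected parameters; deriving dkLen from the identified cipher, and refusing the value when the two disagree, is the behaviour the keyLength description above calls for.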
The object identifier id-PBMAC1 identifies the PBMAC1 message authentication scheme (Section 7.1).
   id-PBMAC1 OBJECT IDENTIFIER ::= {pkcs-5 14}
The parameters field associated with this OID in an AlgorithmIdentifier shall have type PBMAC1-params:
   PBMAC1-params ::= SEQUENCE {
       keyDerivationFunc AlgorithmIdentifier {{PBMAC1-KDFs}},
       messageAuthScheme AlgorithmIdentifier {{PBMAC1-MACs}}
   }
The keyDerivationFunc field has the same meaning as the corresponding field of PBES2-params (Appendix A.4) except that the set of OIDs is PBMAC1-KDFs.
   PBMAC1-KDFs ALGORITHM-IDENTIFIER ::= {
       {PBKDF2-params IDENTIFIED BY id-PBKDF2},
       ...
   }
The messageAuthScheme field identifies the underlying message authentication scheme. It shall be an algorithm ID with an OID in the set PBMAC1-MACs, whose definition is left to the application. Examples of underlying message authentication schemes are given in Appendix B.3.
   PBMAC1-MACs ALGORITHM-IDENTIFIER ::= { ... }
Appendix B. Supporting Techniques

This section gives several examples of underlying functions and schemes supporting the password-based schemes in Sections 5, 6, and 7.
While these supporting techniques are appropriate for applications to implement, none of them is required to be implemented. It is expected, however, that profiles for PKCS #5 will be developed that specify particular supporting techniques.
This section also gives object identifiers for the supporting techniques. The object identifiers digestAlgorithm and encryptionAlgorithm identify the arcs from which certain algorithm OIDs referenced in this section are derived:
digestAlgorithm OBJECT IDENTIFIER ::= {rsadsi 2}
encryptionAlgorithm OBJECT IDENTIFIER ::= {rsadsi 3}
B.1. Pseudorandom Functions

Examples of pseudorandom functions for PBKDF2 (Section 5.2) include HMAC with SHA-1, SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, and SHA-512/256. Applications may employ other schemes as well.
B.1.1. HMAC-SHA-1

HMAC-SHA-1 is the pseudorandom function corresponding to the HMAC message authentication code [RFC2104] based on the SHA-1 hash function [NIST180]. The pseudorandom function is the same function by which the message authentication code is computed, with a full-length output. (The first argument to the pseudorandom function PRF serves as HMAC's "key", and the second serves as HMAC's "text". In the case of PBKDF2, the "key" is thus the password and the "text" is the salt.) HMAC-SHA-1 has a variable key length and a 20-octet (160-bit) output value.
Although the length of the key to HMAC-SHA-1 is essentially unbounded, the effective search space for pseudorandom function outputs may be limited by the structure of the function. In particular, when the key is longer than 512 bits, HMAC-SHA-1 will first hash it to 160 bits. Thus, even if a long derived key consisting of several pseudorandom function outputs is produced from a key, the effective search space for the derived key will be at most 160 bits. Although the specific limitation for other key sizes depends on details of the HMAC construction, one should assume, to be conservative, that the effective search space is limited to 160 bits for other key sizes as well.
(The 160-bit limitation should not generally pose a practical limitation in the case of password-based cryptography, since the search space for a password is unlikely to be greater than 160 bits.)
The object identifier id-hmacWithSHA1 identifies the HMAC-SHA-1 pseudorandom function:
id-hmacWithSHA1 OBJECT IDENTIFIER ::= {digestAlgorithm 7}
The parameters field associated with this OID in an AlgorithmIdentifier shall have type NULL. This object identifier is employed in the object set PBKDF2-PRFs (Appendix A.2).
Note: Although HMAC-SHA-1 was designed as a message authentication code, its proof of security is readily modified to accommodate requirements for a pseudorandom function, under stronger assumptions. A hash function may also meet the requirements of a pseudorandom function under certain assumptions. For instance, the direct application of a hash function to the concatenation of the "key" and the "text" may be appropriate, provided that "text" has appropriate structure to prevent certain attacks. HMAC-SHA-1 is preferable, however, because it treats "key" and "text" as separate arguments and does not require "text" to have any structure.
During 2004 and 2005, there were a number of attacks on SHA-1 that reduced its perceived effective strength against collision attacks to 62 bits instead of the expected 80 bits (e.g., Wang et al. [WANG], confirmed by M. Cochran [COCHRAN]). However, since these attacks centered on finding collisions between values, they are not a direct security consideration here because the collision-resistant property is not required by the HMAC authentication scheme.
B.1.2. HMAC-SHA-2

HMAC-SHA-2 refers to the set of pseudorandom functions corresponding to the HMAC message authentication code (now a FIPS standard [NIST198]) based on the new SHA-2 functions (FIPS 180-4 [NIST180]). HMAC-SHA-2 has a variable key length and variable output value depending on the hash function chosen (SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, or SHA-512/256) -- that is, 28, 32, 48, or 64 octets.
Using the new hash functions extends the search space for the produced keys. Where SHA-1 limits the search space to 20 octets, SHA-2 sets new limits of 28, 32, 48, and 64 octets.
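The following is an added example, not part of RFC 8018, that implements PBKDF2 as defined in Section 5.2 with the HMAC pseudorandom functions of Appendices B.1.1 and B.1.2 and makes the two search-space remarks above concrete: HMAC prehashes a password longer than the hash's block size (512 bits for SHA-1), so a long password and its 160-bit digest derive the same key, and the PRF output size bounds the effective search space of any derived key regardless of dkLen. The function names are the example's own; the hash names are those accepted by Python's hashlib.

```python
import hashlib
import hmac


def pbkdf2(hash_name: str, password: bytes, salt: bytes, c: int, dk_len: int) -> bytes:
    """PBKDF2 (Section 5.2) with PRF = HMAC over hash_name, e.g. "sha1" or "sha256".

    For each block index i = 1..l, where l = ceil(dkLen / hLen):
        U_1 = PRF(P, S || INT(i))        INT(i) is a 4-octet big-endian counter
        U_j = PRF(P, U_{j-1})            for j = 2..c
        T_i = U_1 xor U_2 xor ... xor U_c
    DK = T_1 || ... || T_l, truncated to dkLen octets.
    """
    h_len = hashlib.new(hash_name).digest_size
    if c < 1:
        raise ValueError("iterationCount must be at least 1")
    if dk_len > (2 ** 32 - 1) * h_len:
        raise ValueError("derived key too long")
    l = -(-dk_len // h_len)  # ceiling division
    dk = bytearray()
    for i in range(1, l + 1):
        u = hmac.new(password, salt + i.to_bytes(4, "big"), hash_name).digest()
        t = bytearray(u)
        for _ in range(c - 1):
            u = hmac.new(password, u, hash_name).digest()
            t = bytearray(a ^ b for a, b in zip(t, u))
        dk.extend(t)
    return bytes(dk[:dk_len])


def matches_stdlib(hash_name: str, password: bytes, salt: bytes, c: int, dk_len: int) -> bool:
    """Cross-check against the standard library's PBKDF2-HMAC."""
    return pbkdf2(hash_name, password, salt, c, dk_len) == hashlib.pbkdf2_hmac(
        hash_name, password, salt, c, dk_len)


def effective_prf_key(hash_name: str, password: bytes) -> bytes:
    """The key HMAC actually works with (Appendix B.1.1): a password longer than the
    hash's block size (64 octets = 512 bits for SHA-1 and SHA-256) is hashed first, so
    a 70-octet password and its 20-octet SHA-1 digest derive identical keys."""
    block = hashlib.new(hash_name).block_size
    if len(password) > block:
        return hashlib.new(hash_name, password).digest()
    return password


def search_space_bits(hash_name: str) -> int:
    """Conservative bound on a derived key's effective search space: the PRF output
    size, 160 bits for HMAC-SHA-1 and 224/256/384/512 for the HMAC-SHA-2 family,
    however long the derived key is."""
    return hashlib.new(hash_name).digest_size * 8
```

The prehash equality is a property of HMAC itself, not of PBKDF2, which is why the text calls the 160-bit bound conservative: it applies to every PBKDF2 output built on HMAC-SHA-1, and moving to HMAC-SHA-256 raises it to 256 bits.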
Object identifiers for HMAC are defined as follows:
id-hmacWithSHA224 OBJECT IDENTIFIER ::= {digestAlgorithm 8}
id-hmacWithSHA256 OBJECT IDENTIFIER ::= {digestAlgorithm 9}
id-hmacWithSHA384 OBJECT IDENTIFIER ::= {digestAlgorithm 10}
id-hmacWithSHA512 OBJECT IDENTIFIER ::= {digestAlgorithm 11}
id-hmacWithSHA512-224 OBJECT IDENTIFIER ::= {digestAlgorithm 12}
id-hmacWithSHA512-256 OBJECT IDENTIFIER ::= {digestAlgorithm 13}
B.2. Encryption Schemes

An example encryption scheme for PBES2 (Section 6.2) is AES-CBC-Pad. The schemes defined in PKCS #5 v2.0 [RFC2898], DES-CBC-Pad, DES-EDE3-CBC-Pad, RC2-CBC-Pad, and RC5-CBC-Pad, are still supported, but DES-CBC-Pad, DES-EDE3-CBC-Pad, and RC2-CBC-Pad are now considered legacy and should only be used for backwards compatibility reasons.
The object identifiers given in this section are intended to be employed in the object set PBES2-Encs (Appendix A.4).
B.2.1. DES-CBC-Pad

DES-CBC-Pad is single-key DES [NIST46] in CBC mode [NIST81] with the padding operation specified in RFC 1423 [RFC1423] (see Section 6.1.1 of this document). DES-CBC-Pad has an eight-octet encryption key and an eight-octet initialization vector. The key is considered as a 64-bit encoding of a 56-bit DES key with parity bits ignored.
The object identifier desCBC (defined in the NIST/OSI Implementors' Workshop agreements) identifies the DES-CBC-Pad encryption scheme:
desCBC OBJECT IDENTIFIER ::= {iso(1) identified-organization(3) oiw(14) secsig(3) algorithms(2) 7}
The parameters field associated with this OID in an AlgorithmIdentifier shall have type OCTET STRING (SIZE(8)), specifying the initialization vector for CBC mode.
B.2.2. DES-EDE3-CBC-Pad

DES-EDE3-CBC-Pad is three-key triple-DES in CBC mode [ANSIX952] with the padding operation specified in RFC 1423 [RFC1423]. DES-EDE3-CBC-Pad has a 24-octet encryption key and an eight-octet initialization vector. The key is considered as the concatenation of three eight-octet keys, each of which is a 64-bit encoding of a 56-bit DES key with parity bits ignored.
The object identifier des-EDE3-CBC identifies the DES-EDE3-CBC-Pad encryption scheme:
des-EDE3-CBC OBJECT IDENTIFIER ::= {encryptionAlgorithm 7}
The parameters field associated with this OID in an AlgorithmIdentifier shall have type OCTET STRING (SIZE(8)), specifying the initialization vector for CBC mode.
Note: An OID for DES-EDE3-CBC without padding is given in ANSI X9.52 [ANSIX952]; the one given here is preferred since it specifies padding.
B.2.3. RC2-CBC-Pad

RC2-CBC-Pad is the RC2 encryption algorithm [RFC2268] in CBC mode with the padding operation specified in RFC 1423 [RFC1423]. RC2-CBC-Pad has a variable key length, from one to 128 octets, a separate "effective key bits" parameter from one to 1024 bits that limits the effective search space independent of the key length, and an eight-octet initialization vector.
The object identifier rc2CBC identifies the RC2-CBC-Pad encryption scheme:
rc2CBC OBJECT IDENTIFIER ::= {encryptionAlgorithm 2}
The parameters field associated with this OID in an AlgorithmIdentifier shall have type RC2-CBC-Parameter:
RC2-CBC-Parameter ::= SEQUENCE {
    rc2ParameterVersion INTEGER OPTIONAL,
    iv OCTET STRING (SIZE(8))
}
The fields of type RC2-CBC-Parameter have the following meanings:
- rc2ParameterVersion is a proprietary RSA Security Inc. encoding of the "effective key bits" for RC2. The following encodings are defined:
    Effective Key Bits    Encoding
    ------------------    --------
            40               160
            64               120
           128                58
        b >= 256               b
If the rc2ParameterVersion field is omitted, the "effective key bits" defaults to 32. (This is for backward compatibility with certain very old implementations.)
- iv is the eight-octet initialization vector.
B.2.4. RC5-CBC-Pad

RC5-CBC-Pad is the RC5 encryption algorithm [RC5] in CBC mode with the padding operation specified in RFC 5652 [RFC5652], which is a generalization of the padding operation specified in RFC 1423 [RFC1423]. The scheme is fully specified in [RFC2040]. RC5-CBC-Pad has a variable key length, from 0 to 256 octets, and supports both a 64-bit block size and a 128-bit block size. For the former, it has an eight-octet initialization vector, and for the latter, a 16-octet initialization vector. RC5-CBC-Pad also has a variable number of "rounds" in the encryption operation, from 8 to 127.
Note: For RC5 with a 64-bit block size, the padding string is as defined in RFC 1423 [RFC1423]. For RC5 with a 128-bit block size, the padding string consists of 16-(||M|| mod 16) octets each with value 16-(||M|| mod 16).
The object identifier rc5-CBC-PAD [RFC2040] identifies the RC5-CBC-Pad encryption scheme:
rc5-CBC-PAD OBJECT IDENTIFIER ::= {encryptionAlgorithm 9}
The parameters field associated with this OID in an AlgorithmIdentifier shall have type RC5-CBC-Parameters:
RC5-CBC-Parameters ::= SEQUENCE {
    version INTEGER {v1-0(16)} (v1-0),
    rounds INTEGER (8..127),
    blockSizeInBits INTEGER (64 | 128),
    iv OCTET STRING OPTIONAL
}
The fields of type RC5-CBC-Parameters have the following meanings:
- version is the version of the algorithm, which shall be v1-0.
- rounds is the number of rounds in the encryption operation, which shall be between 8 and 127.
- blockSizeInBits is the block size in bits, which shall be 64 or 128.
- iv is the initialization vector, an eight-octet string for 64-bit RC5 and a 16-octet string for 128-bit RC5. The default is a string of the appropriate length consisting of zero octets.
B.2.5. AES-CBC-Pad

AES-CBC-Pad is the AES encryption algorithm [NIST197] in CBC mode with the padding operation specified in RFC 5652 [RFC5652]. AES-CBC-Pad has a variable key length of 16, 24, or 32 octets and has a 16-octet block size. It has a 16-octet initialization vector.
Note: For AES, the padding string consists of 16-(||M|| mod 16) octets each with value 16-(||M|| mod 16).
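As an added example (not part of RFC 8018), the padding rule stated in the RC5 note of Appendix B.2.4 and the AES note above, generalized to any block size of at most 255 octets: with a block size of 8 it is the RFC 1423 rule used by the DES and RC2 schemes, with 16 it is the RFC 5652 rule used by 128-bit RC5 and AES. The validation routine performs every check a PBES2 decryptor needs before trusting the pad and reports all failures identically. The function names are the example's own.

```python
def cbc_pad(message: bytes, block_size: int) -> bytes:
    """Append k = block_size - (len(M) mod block_size) octets, each of value k.
    k is always in 1..block_size, so a message that already fills its last block
    receives a whole extra block of padding; the pad is therefore always removable."""
    if not 1 <= block_size <= 255:
        raise ValueError("block size must be expressible in one octet")
    k = block_size - (len(message) % block_size)
    return message + bytes([k]) * k


def padding_is_valid(padded: bytes, block_size: int) -> bool:
    """Checks a decryptor must make before stripping the pad: non-empty input that is a
    whole number of blocks, a final octet k in 1..block_size, and all k trailing octets
    equal to k."""
    if not padded or len(padded) % block_size:
        return False
    k = padded[-1]
    return 1 <= k <= block_size and padded[-k:] == bytes([k]) * k


def cbc_unpad(padded: bytes, block_size: int) -> bytes:
    """Strip the pad. One exception type covers every defect so that callers have no
    distinction to leak to a peer; the plaintext should in any case be authenticated
    (e.g. with PBMAC1) before its padding is inspected."""
    if not padding_is_valid(padded, block_size):
        raise ValueError("invalid padding")
    return padded[:-padded[-1]]
```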
For AES, object identifiers are defined depending on key size and operation mode. For example, the 16-octet (128-bit) key AES encryption scheme in CBC mode would be aes128-CBC-PAD, identifying the AES-CBC-Pad encryption scheme using a 16-octet key:
aes128-CBC-PAD OBJECT IDENTIFIER ::= {aes 2}
The AES object identifier is defined in Appendix C.
The parameters field associated with this OID in an AlgorithmIdentifier shall have type OCTET STRING (SIZE(16)), specifying the initialization vector for CBC mode.
B.3. Message Authentication Schemes

An example message authentication scheme for PBMAC1 (Section 7.1) is HMAC-SHA-1.
B.3.1. HMAC-SHA-1

HMAC-SHA-1 is the HMAC message authentication scheme [RFC2104] based on the SHA-1 hash function [NIST180]. HMAC-SHA-1 has a variable key length and a 20-octet (160-bit) message authentication code.
The object identifier id-hmacWithSHA1 (see Appendix B.1.1) identifies the HMAC-SHA-1 message authentication scheme. (The object identifier is the same for both the pseudorandom function and the message authentication scheme; the distinction is to be understood by context.) This object identifier is intended to be employed in the object set PBMAC1-MACs (Appendix A.5).
B.3.2. HMAC-SHA-2

HMAC-SHA-2 refers to the set of HMAC message authentication schemes [NIST198] based on the SHA-2 functions [NIST180]. HMAC-SHA-2 has a variable key length and a message authentication code whose length is based on the hash function chosen (SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, or SHA-512/256) -- that is, 28, 32, 48, or 64 octets.
The object identifiers id-hmacWithSHA224, id-hmacWithSHA256, id-hmacWithSHA384, id-hmacWithSHA512, id-hmacWithSHA512-224, and id-hmacWithSHA512-256 (see Appendix B.1.2) identify the HMAC-SHA-2 schemes. The object identifiers are the same for both the pseudorandom functions and the message authentication schemes; the distinction is to be understood by context. These object identifiers are intended to be employed in the object set PBMAC1-MACs (Appendix A.5).
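An added example, not from RFC 8018, of PBMAC1 (Section 7.1) instantiated with the schemes of Appendix B.3: the key is derived with PBKDF2 and the tag computed with HMAC over the same hash, and verification recomputes the tag and compares it in constant time. The OID table reflects the point made above that one identifier serves as both the PBKDF2 PRF and the PBMAC1 MAC, with the dotted forms assembled from the arcs given in this document (rsadsi 1.2.840.113549, digestAlgorithm = rsadsi 2). Function names are the example's own; Python's hashlib.pbkdf2_hmac stands in for Section 5.2.

```python
import hashlib
import hmac

# id-hmacWithSHA* = {digestAlgorithm 7..11} (Appendix B.1); the same OID names both the
# PBKDF2 pseudorandom function and the PBMAC1 message authentication scheme.
HMAC_OID_TO_HASH = {
    "1.2.840.113549.2.7": "sha1",
    "1.2.840.113549.2.8": "sha224",
    "1.2.840.113549.2.9": "sha256",
    "1.2.840.113549.2.10": "sha384",
    "1.2.840.113549.2.11": "sha512",
}


def mac_length(hash_name: str) -> int:
    """Tag length in octets: 20 for HMAC-SHA-1, then 28, 32, 48, 64 for the SHA-2 family."""
    return hashlib.new(hash_name).digest_size


def pbmac1_generate(hmac_oid: str, password: bytes, salt: bytes, iteration_count: int,
                    dk_len: int, message: bytes) -> bytes:
    """PBMAC1: DK = PBKDF2(P, S, c, dkLen); T = MAC(DK, M), both over the hash the OID names."""
    hash_name = HMAC_OID_TO_HASH[hmac_oid]
    dk = hashlib.pbkdf2_hmac(hash_name, password, salt, iteration_count, dk_len)
    return hmac.new(dk, message, hash_name).digest()


def pbmac1_verify(hmac_oid: str, password: bytes, salt: bytes, iteration_count: int,
                  dk_len: int, message: bytes, tag: bytes) -> bool:
    """Recompute T and compare with a constant-time comparison, so the time taken does
    not depend on how many leading octets of a candidate tag happen to be right."""
    expected = pbmac1_generate(hmac_oid, password, salt, iteration_count, dk_len, message)
    return hmac.compare_digest(expected, tag)
```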
Appendix C. ASN.1 Module

For reference purposes, the ASN.1 syntax in the preceding sections is presented as an ASN.1 module here.
-- PKCS #5 v2.1 ASN.1 Module
-- Revised October 27, 2012

-- This module has been checked for conformance with the
-- ASN.1 standard by the OSS ASN.1 Tools

PKCS5v2-1 {
    iso(1) member-body(2) us(840) rsadsi(113549)
    pkcs(1) pkcs-5(5) modules(16) pkcs5v2-1(2)
}

DEFINITIONS EXPLICIT TAGS ::=

BEGIN

-- ========================
-- Basic object identifiers
-- ========================

nistAlgorithms OBJECT IDENTIFIER ::=
    {joint-iso-itu-t(2) country(16) us(840) organization(1)
     gov(101) csor(3) 4}
oiw OBJECT IDENTIFIER ::=
    {iso(1) identified-organization(3) 14}
rsadsi OBJECT IDENTIFIER ::=
    {iso(1) member-body(2) us(840) 113549}
pkcs OBJECT IDENTIFIER ::= {rsadsi 1}
pkcs-5 OBJECT IDENTIFIER ::= {pkcs 5}

-- =======================
-- Basic types and classes
-- =======================

AlgorithmIdentifier { ALGORITHM-IDENTIFIER:InfoObjectSet } ::=
SEQUENCE {
    algorithm ALGORITHM-IDENTIFIER.&id({InfoObjectSet}),
    parameters ALGORITHM-IDENTIFIER.&Type({InfoObjectSet}
        {@algorithm}) OPTIONAL
}

ALGORITHM-IDENTIFIER ::= TYPE-IDENTIFIER

-- ======
-- PBKDF2
-- ======

PBKDF2Algorithms ALGORITHM-IDENTIFIER ::= {
    {PBKDF2-params IDENTIFIED BY id-PBKDF2},
    ...
}

id-PBKDF2 OBJECT IDENTIFIER ::= {pkcs-5 12}

algid-hmacWithSHA1 AlgorithmIdentifier {{PBKDF2-PRFs}} ::=
    {algorithm id-hmacWithSHA1, parameters NULL : NULL}

PBKDF2-params ::= SEQUENCE {
    salt CHOICE {
        specified OCTET STRING,
        otherSource AlgorithmIdentifier {{PBKDF2-SaltSources}}
    },
    iterationCount INTEGER (1..MAX),
    keyLength INTEGER (1..MAX) OPTIONAL,
    prf AlgorithmIdentifier {{PBKDF2-PRFs}} DEFAULT
    algid-hmacWithSHA1
}

PBKDF2-SaltSources ALGORITHM-IDENTIFIER ::= { ... }

PBKDF2-PRFs ALGORITHM-IDENTIFIER ::= {
    {NULL IDENTIFIED BY id-hmacWithSHA1},
    {NULL IDENTIFIED BY id-hmacWithSHA224},
    {NULL IDENTIFIED BY id-hmacWithSHA256},
    {NULL IDENTIFIED BY id-hmacWithSHA384},
    {NULL IDENTIFIED BY id-hmacWithSHA512},
    {NULL IDENTIFIED BY id-hmacWithSHA512-224},
    {NULL IDENTIFIED BY id-hmacWithSHA512-256},
    ...
}

-- =====
-- PBES1
-- =====

PBES1Algorithms ALGORITHM-IDENTIFIER ::= {
    {PBEParameter IDENTIFIED BY pbeWithMD2AndDES-CBC} |
    {PBEParameter IDENTIFIED BY pbeWithMD2AndRC2-CBC} |
    {PBEParameter IDENTIFIED BY pbeWithMD5AndDES-CBC} |
    {PBEParameter IDENTIFIED BY pbeWithMD5AndRC2-CBC} |
    {PBEParameter IDENTIFIED BY pbeWithSHA1AndDES-CBC} |
    {PBEParameter IDENTIFIED BY pbeWithSHA1AndRC2-CBC},
    ...
}

pbeWithMD2AndDES-CBC OBJECT IDENTIFIER ::= {pkcs-5 1}
pbeWithMD2AndRC2-CBC OBJECT IDENTIFIER ::= {pkcs-5 4}
pbeWithMD5AndDES-CBC OBJECT IDENTIFIER ::= {pkcs-5 3}
pbeWithMD5AndRC2-CBC OBJECT IDENTIFIER ::= {pkcs-5 6}
pbeWithSHA1AndDES-CBC OBJECT IDENTIFIER ::= {pkcs-5 10}
pbeWithSHA1AndRC2-CBC OBJECT IDENTIFIER ::= {pkcs-5 11}

PBEParameter ::= SEQUENCE {
    salt OCTET STRING (SIZE(8)),
    iterationCount INTEGER
}

-- =====
-- PBES2
-- =====

PBES2Algorithms ALGORITHM-IDENTIFIER ::= {
    {PBES2-params IDENTIFIED BY id-PBES2},
    ...
}

id-PBES2 OBJECT IDENTIFIER ::= {pkcs-5 13}

PBES2-params ::= SEQUENCE {
    keyDerivationFunc AlgorithmIdentifier {{PBES2-KDFs}},
    encryptionScheme AlgorithmIdentifier {{PBES2-Encs}}
}

PBES2-KDFs ALGORITHM-IDENTIFIER ::= {
    {PBKDF2-params IDENTIFIED BY id-PBKDF2},
    ...
}

PBES2-Encs ALGORITHM-IDENTIFIER ::= { ... }

-- ======
-- PBMAC1
-- ======

PBMAC1Algorithms ALGORITHM-IDENTIFIER ::= {
    {PBMAC1-params IDENTIFIED BY id-PBMAC1},
    ...
}

id-PBMAC1 OBJECT IDENTIFIER ::= {pkcs-5 14}

PBMAC1-params ::= SEQUENCE {
    keyDerivationFunc AlgorithmIdentifier {{PBMAC1-KDFs}},
    messageAuthScheme AlgorithmIdentifier {{PBMAC1-MACs}}
}

PBMAC1-KDFs ALGORITHM-IDENTIFIER ::= {
    {PBKDF2-params IDENTIFIED BY id-PBKDF2},
    ...
}

PBMAC1-MACs ALGORITHM-IDENTIFIER ::= { ... }

-- =====================
-- Supporting techniques
-- =====================

digestAlgorithm OBJECT IDENTIFIER ::= {rsadsi 2}
encryptionAlgorithm OBJECT IDENTIFIER ::= {rsadsi 3}

SupportingAlgorithms ALGORITHM-IDENTIFIER ::= {
    {NULL IDENTIFIED BY id-hmacWithSHA1} |
    {OCTET STRING (SIZE(8)) IDENTIFIED BY desCBC} |
    {OCTET STRING (SIZE(8)) IDENTIFIED BY des-EDE3-CBC} |
    {RC2-CBC-Parameter IDENTIFIED BY rc2CBC} |
    {RC5-CBC-Parameters IDENTIFIED BY rc5-CBC-PAD} |
    {OCTET STRING (SIZE(16)) IDENTIFIED BY aes128-CBC-PAD} |
    {OCTET STRING (SIZE(16)) IDENTIFIED BY aes192-CBC-PAD} |
    {OCTET STRING (SIZE(16)) IDENTIFIED BY aes256-CBC-PAD},
    ...
}

id-hmacWithSHA1 OBJECT IDENTIFIER ::= {digestAlgorithm 7}
id-hmacWithSHA224 OBJECT IDENTIFIER ::= {digestAlgorithm 8}
id-hmacWithSHA256 OBJECT IDENTIFIER ::= {digestAlgorithm 9}
id-hmacWithSHA384 OBJECT IDENTIFIER ::= {digestAlgorithm 10}
id-hmacWithSHA512 OBJECT IDENTIFIER ::= {digestAlgorithm 11}
id-hmacWithSHA512-224 OBJECT IDENTIFIER ::= {digestAlgorithm 12}
id-hmacWithSHA512-256 OBJECT IDENTIFIER ::= {digestAlgorithm 13}

desCBC OBJECT IDENTIFIER ::= {oiw secsig(3) algorithms(2) 7}

des-EDE3-CBC OBJECT IDENTIFIER ::= {encryptionAlgorithm 7}

rc2CBC OBJECT IDENTIFIER ::= {encryptionAlgorithm 2}

RC2-CBC-Parameter ::= SEQUENCE {
    rc2ParameterVersion INTEGER OPTIONAL,
    iv OCTET STRING (SIZE(8))
}

rc5-CBC-PAD OBJECT IDENTIFIER ::= {encryptionAlgorithm 9}

RC5-CBC-Parameters ::= SEQUENCE {
    version INTEGER {v1-0(16)} (v1-0),
    rounds INTEGER (8..127),
    blockSizeInBits INTEGER (64 | 128),
    iv OCTET STRING OPTIONAL
}

aes OBJECT IDENTIFIER ::= { nistAlgorithms 1 }
aes128-CBC-PAD OBJECT IDENTIFIER ::= { aes 2 }
aes192-CBC-PAD OBJECT IDENTIFIER ::= { aes 22 }
aes256-CBC-PAD OBJECT IDENTIFIER ::= { aes 42 }

END
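The following added example (not part of RFC 8018 or of any library it cites) shows how the PBKDF2 AlgorithmIdentifier of the module above looks on the wire: a minimal DER encoder and decoder for AlgorithmIdentifier { id-PBKDF2, PBKDF2-params } with the 'specified' salt CHOICE. Two points the module states only implicitly are made explicit: under DER a component equal to its DEFAULT (prf = algid-hmacWithSHA1) must be omitted and must be supplied again by the decoder, and iterationCount is constrained to (1..MAX). The dotted OIDs are assembled from the arcs in the module (rsadsi = 1.2.840.113549, pkcs-5 = rsadsi 1 5, digestAlgorithm = rsadsi 2); all function names are the example's own.

```python
# Dotted forms built from the module's arcs: id-PBKDF2 = {pkcs-5 12},
# id-hmacWithSHA1 = {digestAlgorithm 7}, id-hmacWithSHA256 = {digestAlgorithm 9}.
ID_PBKDF2 = "1.2.840.113549.1.5.12"
ID_HMAC_WITH_SHA1 = "1.2.840.113549.2.7"
ID_HMAC_WITH_SHA256 = "1.2.840.113549.2.9"
DER_NULL = b"\x05\x00"


def _der_length(n: int) -> bytes:
    """Definite-form length: one octet below 128, else 0x80|count then the count octets."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_length(len(body)) + body


def der_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, the rest base-128 big-endian."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        groups = [arc & 0x7F]
        arc >>= 7
        while arc:
            groups.append(0x80 | (arc & 0x7F))  # continuation bit on all but the last group
            arc >>= 7
        body.extend(reversed(groups))
    return _tlv(0x06, bytes(body))


def der_integer(n: int) -> bytes:
    """Non-negative INTEGER, minimal two's complement (leading 0x00 only if the top bit is set)."""
    if n < 0:
        raise ValueError("PBKDF2-params integers are non-negative")
    return _tlv(0x02, n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big"))


def der_sequence(*elements: bytes) -> bytes:
    return _tlv(0x30, b"".join(elements))


def encode_pbkdf2_algid(salt: bytes, iteration_count: int, key_length=None,
                        prf_oid: str = ID_HMAC_WITH_SHA1) -> bytes:
    """AlgorithmIdentifier { id-PBKDF2, PBKDF2-params } with salt CHOICE 'specified'.
    The prf field is emitted only when it differs from the DEFAULT algid-hmacWithSHA1."""
    if iteration_count < 1:
        raise ValueError("iterationCount INTEGER (1..MAX)")
    fields = [_tlv(0x04, salt), der_integer(iteration_count)]
    if key_length is not None:
        fields.append(der_integer(key_length))
    if prf_oid != ID_HMAC_WITH_SHA1:
        fields.append(der_sequence(der_oid(prf_oid), DER_NULL))
    return der_sequence(der_oid(ID_PBKDF2), der_sequence(*fields))


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, contents, position after the element); definite lengths only."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        if n == 0 or n > 4:
            raise ValueError("indefinite or oversized length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("truncated element")
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(body: bytes) -> str:
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for octet in body[1:]:
        value = (value << 7) | (octet & 0x7F)
        if not octet & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def decode_pbkdf2_algid(der: bytes) -> dict:
    """Inverse of encode_pbkdf2_algid: accepts exactly one well-formed PBKDF2
    AlgorithmIdentifier and restores the DEFAULT prf when the field is absent."""
    tag, outer, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected a single SEQUENCE")
    tag, oid, pos = _read_tlv(outer, 0)
    if tag != 0x06 or _decode_oid(oid) != ID_PBKDF2:
        raise ValueError("algorithm is not id-PBKDF2")
    tag, params, pos = _read_tlv(outer, pos)
    if tag != 0x30 or pos != len(outer):
        raise ValueError("malformed PBKDF2-params")
    tag, salt, p = _read_tlv(params, 0)
    if tag != 0x04:
        raise ValueError("only the 'specified' salt CHOICE is handled here")
    tag, count, p = _read_tlv(params, p)
    if tag != 0x02 or int.from_bytes(count, "big") < 1:
        raise ValueError("iterationCount missing or out of range")
    out = {"salt": salt, "iterationCount": int.from_bytes(count, "big"),
           "keyLength": None, "prf": ID_HMAC_WITH_SHA1}
    if p < len(params):
        tag, body, q = _read_tlv(params, p)
        if tag == 0x02:  # OPTIONAL keyLength
            out["keyLength"], p = int.from_bytes(body, "big"), q
    if p < len(params):  # non-default prf AlgorithmIdentifier
        tag, body, p = _read_tlv(params, p)
        t, oid, _ = _read_tlv(body, 0)
        if tag != 0x30 or t != 0x06:
            raise ValueError("malformed prf")
        out["prf"] = _decode_oid(oid)
    if p != len(params):
        raise ValueError("trailing octets in PBKDF2-params")
    return out
```

Parsing the outer AlgorithmIdentifier is what a PBES2 or PBMAC1 decryptor does first; the checks on exact length and trailing octets are what keeps two distinct encodings from decoding to the same parameters.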
Appendix D. Revision History of PKCS #5
Versions 1.0 - 1.3
Versions 1.0 - 1.3 were distributed to participants in RSA Data Security Inc.'s Public-Key Cryptography Standards meetings in February and March 1991.
Version 1.4
Version 1.4 was part of the June 3, 1991 initial public release of PKCS. Version 1.4 was published as NIST/OSI Implementors' Workshop document SEC-SIG-91-20.
Version 1.5
Version 1.5 incorporated several editorial changes, including updates to the references and the addition of a revision history.
Version 2.0
Version 2.0 incorporates major editorial changes in terms of the document structure, and introduces the PBES2 encryption scheme, the PBMAC1 message authentication scheme, and independent password-based key derivation functions. This version continues to support the encryption process in version 1.5.
Version 2.1
This document transfers PKCS #5 into the IETF and includes some minor changes from the authors for this submission.
o Introduces AES/CBC as an encryption scheme for PBES2 and HMAC with the hash functions SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, and SHA-512/256 as pseudorandom functions for PBKDF2 and message authentication schemes for PBMAC1.
o Changes references for PKCS #5 to RFC 2898 and for PKCS #8 to RFCs 5208 and 5898.
o Incorporates corrections of two editorial errata reported on PKCS #5 [RFC2898].
o Added security considerations for MD2, MD5, and SHA-1.
Appendix E. About PKCS

The Public-Key Cryptography Standards are specifications produced by RSA Laboratories in cooperation with secure systems developers worldwide for the purpose of accelerating the deployment of public-key cryptography. First published in 1991 as a result of meetings with a small group of early adopters of public-key technology, the PKCS documents have become widely referenced and implemented. Contributions from the PKCS series have become part of many formal and de facto standards, including ANSI X9 documents, PKIX, Secure Electronic Transaction (SET), S/MIME, and SSL.
Further development of most PKCS documents occurs through the IETF. Suggestions for improvement are welcome.
Acknowledgements
This document is based on a contribution of RSA Laboratories, the research center of RSA Security Inc.
RC2 and RC5 are trademarks of EMC Corporation.
Authors' Addresses
Kathleen M. Moriarty (editor)
Dell EMC
176 South Street
Hopkinton, MA 01748
United States of America
Email: Kathleen.Moriarty@Dell.com
Burt Kaliski
Verisign
12061 Bluemont Way
Reston, VA 20190
United States of America
Email: bkaliski@verisign.com
URI: http://verisignlabs.com
Andreas Rusch
RSA
345 Queen Street
Brisbane, QLD 4000
Australia
Email: andreas.rusch@rsa.com