Uploaded bysnakesv
DOC, PDF575 views

Pkcs 5

This document describes a password-based encryption standard (PKCS #5) that defines two key derivation algorithms combining message digest algorithms (MD2 and MD5) with DES encryption. The standard defines processes for encrypting and decrypting messages using a password, salt value, and iteration count to derive the encryption key. The encryption process formats the message and padding into a block, derives the key from the password/salt/count, and encrypts the block with DES-CBC. The decryption process reverses these steps to recover the original message.

Embed presentation

Download to read offline
Copyright © 1991–1993 RSA Laboratories, a division of RSA Data Security, Inc. License to copy this document is granted provided that it is identified as "RSA Data Security, Inc. Public-Key Cryptography Standards (PKCS)" in all material mentioning or referencing this document. 003-903020-150-000-000 PKCS #5: Password-Based Encryption Standard An RSA Laboratories Technical Note Version 1.5 Revised November 1, 1993* 1. Scope This standard describes a method for encrypting an octet string with a secret key derived from a password. The result of the method is an octet string. Although the standard can be used to encrypt arbitrary octet strings, its intended primary application to public-key cryptography is for encrypting private keys when transferring them from one computer system to another, as described in PKCS #8. The standard defines two key-encryption algorithms: "MD2 with DES-CBC" and "MD5 with DES-CBC." The algorithms employ DES secret-key encryption in cipher-block chaining mode, where the secret key is derived from a password with the MD2 message- digest algorithm, or MD5 message-digest algorithm. 2. References FIPS PUB 46–1 National Bureau of Standards. FIPS PUB 46–1: Data Encryption Standard. January 1988. FIPS PUB 81 National Bureau of Standards. FIPS PUB 81: DES Modes of Operation. December 1980. PKCS #8 RSA Laboratories. PKCS #8: Private-Key Information Syntax Standard. Version 1.2, November 1993. RFC 1319 B. Kaliski. RFC 1319: The MD2 Message-Digest Algorithm. April 1992. *Supersedes June 3, 1991 version, which was also published as NIST/OSI Implementors' Workshop document SEC- SIG-91-20. PKCS documents are available by electronic mail to <pkcs@rsa.com>. Copyright © 1991–1993 RSA Laboratories, a division of RSA Data Security, Inc. License to copy this document is granted provided that it is identified as "RSA Data Security, Inc. Public-Key Cryptography Standards (PKCS)" in all material mentioning or referencing this document. 003-903020-150-000-000
Page 2 PKCS #5: Password-Based Encryption Standard§ RFC 1321 R. Rivest. RFC 1321: The MD5 Message-Digest Algorithm. April 1992. X.208 CCITT. Recommendation X.208: Specification of Abstract Syntax Notation One (ASN.1). 1988. X.509 CCITT. Recommendation X.509: The Directory—Authentication Framework. 1988. [MT79] Robert Morris and Ken Thompson. Password security: A case history. Communications of the ACM, 22(11):594–597, November 1979. 3. Definitions For the purposes of this standard, the following definitions apply. AlgorithmIdentifier: A type that identifies an algorithm (by object identifier) and any associated parameters. This type is defined in X.509. ASN.1: Abstract Syntax Notation One, as defined in X.208. CBC mode: The cipher-block chaining mode of DES, as defined in FIPS PUB 81. DES: Data Encryption Standard, as defined in FIPS PUB 46-1. MD2: RSA Data Security, Inc.'s MD2 message-digest algorithm, as defined in RFC 1319. MD5: RSA Data Security, Inc.'s MD5 message-digest algorithm, as defined in RFC 1321. 4. Symbols and abbreviations Upper-case italic symbols (e.g., C) denote octet strings; lower-case italic symbols (e.g., c) denote integers. ab hexadecimal octet value P password C ciphertext PS padding string EB encryption block S salt value IV initializing vector c iteration count
5. General overview§ Page 3 K DES key mod n modulo n M message X || Y concatenation of X, Y ||X|| length in octets of X 5. General overview The next three sections specify the encryption process, the decryption process, and object identifiers. Each entity shall privately select an octet string P as its "password." The password is an arbitrary octet string, and it need not be a printable "word" in the usual sense. The octet string may contain zero or more octets. Each entity shall also select an eight-octet string S as its salt value and a positive integer c as its iteration count. The salt value S and the iteration count c are parameters of the algorithm identifier for the password-based encryption algorithm. An entity's password, salt value, and iteration count may be different for each message the entity encrypts. Two password-based encryption algorithms are defined here. The first algorithm (informally, "MD2 with DES-CBC") combines the MD2 message-digest algorithm with DES in cipher-block chaining mode, and the second (informally, "MD5 with DES-CBC") combines the MD5 message-digest algorithm with DES in cipher-block chaining mode. The "selected" message-digest algorithm shall either be MD2 or MD5, depending on the password-based encryption algorithm. The encryption and decryption processes shall both be performed with the password, salt value, and iteration count as a key for the password-based encryption algorithm. Both processes transform an octet string to another octet string. The processes are inverses of one another if they use the same key. Notes. 1. Some security conditions on the choice of password may well be taken into account in order to deter standard attacks such as dictionary attacks. These security conditions fall outside the scope of this standard. 2. How passwords are entered by an entity (a user) is outside the scope of
Page 4 PKCS #5: Password-Based Encryption Standard§ this standard. However, it is recommended in the interest of interoperability that when messages encrypted according to this standard are to be transferred from one computer system to another, the password should consist of printable ASCII characters (values 32 to 126 decimal inclusive). This recommendation may require that password-entry software support optional conversion from a local character set to ASCII. 3. The iteration count provides a method of varying the time to derive a DES key from the password, thereby making dictionary attacks more expensive. 4. The selection of a salt value independent from the password limits the efficiency of dictionary attacks directed collectively against many messages encrypted according to this standard, e.g., against a database of encrypted private keys. This concept is explained in Morris and Thompson's paper on passwords [MT79]. 5. A convenient way to select the salt value S is to set it to the first eight octets of the message digest of the octet string P || M. This method works best when the message M is somewhat random (e.g., a private key), for then the salt value S reveals no significant information about M or P. This method is not recommended, however, if the message M is known to belong to a small message space (e.g., "Yes" or "No"). 6. The iteration count and the method of selecting a salt value may be standardized in particular applications. 6. Encryption process This section describes the password-based encryption process. The encryption process consists of three steps: DES key generation, encryption-block formatting, and DES encryption. The input to the encryption process shall be an octet string M, the message; an octet string P, the password; an octet string S, the salt value; and an integer c, the iteration count. The output from the encryption process shall be an octet string C, the ciphertext. Note. The encryption process does not provide an explicit integrity check to facilitate error detection should the encrypted data be corrupted in transmission. However, the structure of the encryption block guarantees that the probability that corruption is undetected is less than 2-8. 6.1 DES key generation A DES key K and an initializing vector IV shall be generated from the password P, the salt value S, and the iteration count c. The key generation process shall involve the following steps: 1. The octet string P || S shall be digested with c iterations of the selected message-digest algorithm. "One iteration" of the message-digest algorithm is just the ordinary message digest; "two iterations" is the message digest
5. General overview§ Page 5 of the message digest; and so on. 2. The least significant bit of each of the first eight octets of the result of step 1 shall be changed if necessary to give the octet odd parity, as required by DES. The resulting eight octets shall become the DES key K. 3. The last eight octets of the result of step 1 shall become the initializing vector IV. 6.2 Encryption-block formatting The message M and a padding string PS shall be formatted into an octet string EB, the encryption block. EB = M || PS . (1) The padding string PS shall consist of 8 - (||M|| mod 8) octets all having value 8 - (||M|| mod 8). (This makes the length of the encryption block EB a multiple of eight octets.) In other words, the encryption block EB satisfies one of the following statements: EB = M || 01 — if ||M|| mod 8 = 7 ; EB = M || 02 02 — if ||M|| mod 8 = 6 ; × × × EB = M || 08 08 08 08 08 08 08 08 — if ||M|| mod 8 = 0 . Note. The encryption block can be parsed unambiguously since every encryption block ends with a padding string and no padding string is a suffix of another. 6.3 DES encryption The encryption block EB shall be encrypted under DES in cipher-block chaining mode with key K and initializing vector IV. The result of encryption shall be an octet string C, the ciphertext. Note. The length of the ciphertext C is a multiple of eight octets. 7. Decryption process This section describes the password-based decryption process. The decryption process consists of three steps: DES key generation, DES decryption, and encryption-block parsing. The input to the decryption process shall be an octet string C, the ciphertext; an octet string P, the password; an octet string S, the salt value; and an integer c, the iteration count. The output from the decryption process shall an octet string M, the message. For brevity, the decryption process is described in terms of the encryption process.
Page 6 PKCS #5: Password-Based Encryption Standard§ 7.1 DES key generation A DES key K and an initializing vector IV shall be generated from the password P, the salt value S, and the iteration count c as described for the encryption process. 7.2 DES decryption The ciphertext C shall be decrypted under DES in cipher-block chaining mode with key K and initializing vector IV. The result of decryption shall be an octet string EB, the encryption block. It is an error if the length of the ciphertext C is not a multiple of eight octets. 7.3 Encryption-block parsing The encryption block EB shall be parsed into an octet string M, the message, and an octet string PS, the padding string, according to Equation (1). It is an error if the encryption block cannot be parsed according to Equation (1), i.e., if the encryption block does not end with k octets all having value k for some k between 1 and 8. 8. Object identifiers This standard defines three object identifiers: pkcs-5, pbeWithMD2AndDES-CBC, and pbeWithMD5AndDES-CBC. The object identifier pkcs-5 identifies this standard. pkcs-5 OBJECT IDENTIFIER ::= { iso(1) member-body(2) US(840) rsadsi(113549) pkcs(1) 5 } The object identifiers pbeWithMD2AndDES-CBC and pbeWithMD5AndDES-CBC identify, respectively, the "MD2 with DES-CBC" and "MD5 with DES-CBC" password- based encryption and decryption processes defined in Sections 6 and 7. pbeWithMD2AndDES-CBC OBJECT IDENTIFIER ::= { pkcs-5 1 } pbeWithMD5AndDES-CBC OBJECT IDENTIFIER ::= { pkcs-5 3 } These object identifiers are intended to be used in the algorithm field of a value of type AlgorithmIdentifier. The parameters field of that type, which has the algorithm-specific syntax ANY DEFINED BY algorithm, would have ASN.1 type PBEParameter for these algorithms. PBEParameter ::= SEQUENCE { salt OCTET STRING SIZE(8), iterationCount INTEGER }
5. General overview§ Page 7 The fields of type PBEParameter have the following meanings: • salt is the salt value S. • iterationCount is the iteration count c.
Revision history§ Page 8 Revision history Versions 1.0–1.3 Versions 1.0–1.3 were distributed to participants in RSA Data Security, Inc.'s Public-Key Cryptography Standards meetings in February and March 1991. Version 1.4 Version 1.4 is part of the June 3, 1991 initial public release of PKCS. Version 1.4 was published as NIST/OSI Implementors' Workshop document SEC-SIG-91-20. Version 1.5 Version 1.5 incorporates several editorial changes, including updates to the references and the addition of a revision history. Author's address RSA Laboratories (415) 595-7703 100 Marine Parkway (415) 595-4126 (fax) Redwood City, CA 94065 USA pkcs-editor@rsa.com

More Related Content

PPT
6.hash mac
byVirendrakumar Dhotre
 
PPT
Ch11
byJoe Christensen
 
PPTX
Hash function
byHarry Potter
 
PPT
Pgp smime
byTania Agni
 
PPT
Encryption
byNaiyan Noor
 
PPTX
Unit 3
bytamil arasan
 
DOCX
Unit 3(1)
byVinod Kumar Gorrepati
 
DOC
Unit 3(1)
byVinod Kumar Gorrepati
 
6.hash mac
byVirendrakumar Dhotre
 
Ch11
byJoe Christensen
 
Hash function
byHarry Potter
 
Pgp smime
byTania Agni
 
Encryption
byNaiyan Noor
 
Unit 3
bytamil arasan
 
Unit 3(1)
byVinod Kumar Gorrepati
 
Unit 3(1)
byVinod Kumar Gorrepati
 

What's hot

PPT
Stallings Kurose and Ross
byInformation Security Awareness Group
 
PPTX
Unit 2
bytamil arasan
 
PPT
01204427-Hash_Crypto (1).ppt
byGnanalakshmiV
 
PDF
White Paper on Cryptography
byDurgesh Malviya
 
PPT
Cryptography and Network Security William Stallings Lawrie Brown
byInformation Security Awareness Group
 
PDF
Comparative Analysis of Cryptographic Algorithms and Advanced Cryptographic A...
byeditor1knowledgecuddle
 
PDF
CNS - Unit v
byArthyR3
 
PDF
18CS2005 Cryptography and Network Security
byKathirvel Ayyaswamy
 
PDF
ENHANCED SECURE ALGORITHM FOR MESSAGE COMMUNICATION
byIJNSA Journal
 
PPTX
Message Authentication using Message Digests and the MD5 Algorithm
byAjay Karri
 
PPTX
Information and data security cryptographic hash functions
byMazin Alwaaly
 
PPT
Hash crypto
byHarry Potter
 
PPT
Conventional Encryption NS2
bykoolkampus
 
PDF
Hash
byTazo Al
 
PPTX
Encryption techniques
byShrikantSharma86
 
PPT
Message Authentication
byRam Dutt Shukla
 
Stallings Kurose and Ross
byInformation Security Awareness Group
 
Unit 2
bytamil arasan
 
01204427-Hash_Crypto (1).ppt
byGnanalakshmiV
 
White Paper on Cryptography
byDurgesh Malviya
 
Cryptography and Network Security William Stallings Lawrie Brown
byInformation Security Awareness Group
 
Comparative Analysis of Cryptographic Algorithms and Advanced Cryptographic A...
byeditor1knowledgecuddle
 
CNS - Unit v
byArthyR3
 
18CS2005 Cryptography and Network Security
byKathirvel Ayyaswamy
 
ENHANCED SECURE ALGORITHM FOR MESSAGE COMMUNICATION
byIJNSA Journal
 
Message Authentication using Message Digests and the MD5 Algorithm
byAjay Karri
 
Information and data security cryptographic hash functions
byMazin Alwaaly
 
Hash crypto
byHarry Potter
 
Conventional Encryption NS2
bykoolkampus
 
Hash
byTazo Al
 
Encryption techniques
byShrikantSharma86
 
Message Authentication
byRam Dutt Shukla
 

Similar to Pkcs 5

PPTX
PKCS5
byByeong Yeong Jeong
 
PDF
CH2 Stallings,_William_Computer_Security_Principles_and_Practice_Pearson [54-...
byams1ams11
 
PPTX
Ch02 NetSec5e Network Security Essential Chapter 2.pptx
byridozulfahmi1
 
PDF
Mifare Desfire Technology
byZahiruddin Babar Malik
 
PPT
02 Information System Security
byShu Shin
 
PPT
Encryption
byIGZ Software house
 
PPT
Cryptography.ppt
byPriyanshuGupta896141
 
PPTX
CH02-CompSec4e.pptx
byams1ams11
 
DOCX
AssignmentThe purpose of this assignment is to get you familiar .docx
byssuser562afc1
 
PPTX
Confidential data storage and deletion
byvitam,berhampur
 
PPTX
Information Security Information Security.pptx
byNiharikaGuptas
 
DOCX
Data encryption standard
byPrasad Prabhu
 
PPTX
Overview on Cryptography and Network Security
byDr. Rupa Ch
 
PPTX
Data Encryption standard in cryptography
byNithyasriA2
 
PDF
International Journal of Computational Engineering Research(IJCER)
byijceronline
 
PPTX
encryption and decryption ,and its types
byjosereena1
 
PPTX
NS UNIT 1 Advanced Encryption Standard& RSA
byAntonySuresh13
 
PPTX
Cryptography notes for undergraduate kud
bymd4228787
 
DOCX
Des1
bysvsugan
 
PPTX
Cryptography
byShivanand Arur
 
PKCS5
byByeong Yeong Jeong
 
CH2 Stallings,_William_Computer_Security_Principles_and_Practice_Pearson [54-...
byams1ams11
 
Ch02 NetSec5e Network Security Essential Chapter 2.pptx
byridozulfahmi1
 
Mifare Desfire Technology
byZahiruddin Babar Malik
 
02 Information System Security
byShu Shin
 
Encryption
byIGZ Software house
 
Cryptography.ppt
byPriyanshuGupta896141
 
CH02-CompSec4e.pptx
byams1ams11
 
AssignmentThe purpose of this assignment is to get you familiar .docx
byssuser562afc1
 
Confidential data storage and deletion
byvitam,berhampur
 
Information Security Information Security.pptx
byNiharikaGuptas
 
Data encryption standard
byPrasad Prabhu
 
Overview on Cryptography and Network Security
byDr. Rupa Ch
 
Data Encryption standard in cryptography
byNithyasriA2
 
International Journal of Computational Engineering Research(IJCER)
byijceronline
 
encryption and decryption ,and its types
byjosereena1
 
NS UNIT 1 Advanced Encryption Standard& RSA
byAntonySuresh13
 
Cryptography notes for undergraduate kud
bymd4228787
 
Des1
bysvsugan
 
Cryptography
byShivanand Arur
 

Recently uploaded

PPT
Ceramic Matrix Composites Slide from Composite Materials
byUsman635773
 
PPTX
How Does LNG Regasification Work | INOXCVA
byINOXCVA
 
PPTX
Theory to Practice of Unsaturated Soil Mechanics-1.pptx
byMahmoodKhalid11
 
PPT
Momentum and collisions in physics or engineering
byazizrahmanhakimi
 
PPT
Oracle Advanced subquery and types of subquery
bytejaswinikulkarni549
 
PDF
AWS Re:Invent 2025 Recap by FivexL - Guilherme, Vladimir, Andrey
byAndrey Devyatkin
 
PPTX
1.Module 4-Clamping of jigs and fixtures for manufacturing.pptx
bycondieki
 
PDF
Industrial Tools Manufacturers In India : Torso Tools
bytorsotools8
 
PPTX
GET 211- Computing and Software Engineering (1).pptx
byfestusdaniel142
 
PPTX
Value engineering and cost analysis with case study
byhp9879098082
 
PDF
Soil Compressibility (Elastic Settlement).pdf
byMahmoodKhalid11
 
PPTX
Why TPM Succeeds in Some Plants and Struggles in Others | MaintWiz
byMaintWiz Technologies Private Limited
 
PPT
Cloud computing-1.ppt presentation preview
byMohanaPriya780617
 
PPT
Integer , Goal and Non linear Programming Model
byOcheriCyril2
 
PDF
PROBLEM SLOVING AND PYTHON PROGRAMMING UNIT 3.pdf
byA R SIVANESH M.E., QIP-PG (Cyber Security)., (Ph.D)
 
PDF
Basics of Electronics Task by Vivaan Jo Varghese.pdf
byVivaan Jo Varghese
 
PPTX
Presentation-WPS Office.pptx afgouvhyhgfccf
byEndaleTimerga
 
PDF
Rajesh Prasad- Brief Profile with educational, professional highlights
byRajesh Prasad
 
PDF
Plasticity and Structure of Soil/Atterberg Limits.pdf
byMahmoodKhalid11
 
PPTX
Designing Work for Humans, Not Machines: Human-Centered Maintenance Excellence
byMaintWiz Technologies Private Limited
 
Ceramic Matrix Composites Slide from Composite Materials
byUsman635773
 
How Does LNG Regasification Work | INOXCVA
byINOXCVA
 
Theory to Practice of Unsaturated Soil Mechanics-1.pptx
byMahmoodKhalid11
 
Momentum and collisions in physics or engineering
byazizrahmanhakimi
 
Oracle Advanced subquery and types of subquery
bytejaswinikulkarni549
 
AWS Re:Invent 2025 Recap by FivexL - Guilherme, Vladimir, Andrey
byAndrey Devyatkin
 
1.Module 4-Clamping of jigs and fixtures for manufacturing.pptx
bycondieki
 
Industrial Tools Manufacturers In India : Torso Tools
bytorsotools8
 
GET 211- Computing and Software Engineering (1).pptx
byfestusdaniel142
 
Value engineering and cost analysis with case study
byhp9879098082
 
Soil Compressibility (Elastic Settlement).pdf
byMahmoodKhalid11
 
Why TPM Succeeds in Some Plants and Struggles in Others | MaintWiz
byMaintWiz Technologies Private Limited
 
Cloud computing-1.ppt presentation preview
byMohanaPriya780617
 
Integer , Goal and Non linear Programming Model
byOcheriCyril2
 
PROBLEM SLOVING AND PYTHON PROGRAMMING UNIT 3.pdf
byA R SIVANESH M.E., QIP-PG (Cyber Security)., (Ph.D)
 
Basics of Electronics Task by Vivaan Jo Varghese.pdf
byVivaan Jo Varghese
 
Presentation-WPS Office.pptx afgouvhyhgfccf
byEndaleTimerga
 
Rajesh Prasad- Brief Profile with educational, professional highlights
byRajesh Prasad
 
Plasticity and Structure of Soil/Atterberg Limits.pdf
byMahmoodKhalid11
 
Designing Work for Humans, Not Machines: Human-Centered Maintenance Excellence
byMaintWiz Technologies Private Limited
 

Pkcs 5

  • 1.
    Copyright © 1991–1993RSA Laboratories, a division of RSA Data Security, Inc. License to copy this document is granted provided that it is identified as "RSA Data Security, Inc. Public-Key Cryptography Standards (PKCS)" in all material mentioning or referencing this document. 003-903020-150-000-000 PKCS #5: Password-Based Encryption Standard An RSA Laboratories Technical Note Version 1.5 Revised November 1, 1993* 1. Scope This standard describes a method for encrypting an octet string with a secret key derived from a password. The result of the method is an octet string. Although the standard can be used to encrypt arbitrary octet strings, its intended primary application to public-key cryptography is for encrypting private keys when transferring them from one computer system to another, as described in PKCS #8. The standard defines two key-encryption algorithms: "MD2 with DES-CBC" and "MD5 with DES-CBC." The algorithms employ DES secret-key encryption in cipher-block chaining mode, where the secret key is derived from a password with the MD2 message- digest algorithm, or MD5 message-digest algorithm. 2. References FIPS PUB 46–1 National Bureau of Standards. FIPS PUB 46–1: Data Encryption Standard. January 1988. FIPS PUB 81 National Bureau of Standards. FIPS PUB 81: DES Modes of Operation. December 1980. PKCS #8 RSA Laboratories. PKCS #8: Private-Key Information Syntax Standard. Version 1.2, November 1993. RFC 1319 B. Kaliski. RFC 1319: The MD2 Message-Digest Algorithm. April 1992. *Supersedes June 3, 1991 version, which was also published as NIST/OSI Implementors' Workshop document SEC- SIG-91-20. PKCS documents are available by electronic mail to <pkcs@rsa.com>. Copyright © 1991–1993 RSA Laboratories, a division of RSA Data Security, Inc. License to copy this document is granted provided that it is identified as "RSA Data Security, Inc. Public-Key Cryptography Standards (PKCS)" in all material mentioning or referencing this document. 003-903020-150-000-000
  • 2.
    Page 2 PKCS#5: Password-Based Encryption Standard§ RFC 1321 R. Rivest. RFC 1321: The MD5 Message-Digest Algorithm. April 1992. X.208 CCITT. Recommendation X.208: Specification of Abstract Syntax Notation One (ASN.1). 1988. X.509 CCITT. Recommendation X.509: The Directory—Authentication Framework. 1988. [MT79] Robert Morris and Ken Thompson. Password security: A case history. Communications of the ACM, 22(11):594–597, November 1979. 3. Definitions For the purposes of this standard, the following definitions apply. AlgorithmIdentifier: A type that identifies an algorithm (by object identifier) and any associated parameters. This type is defined in X.509. ASN.1: Abstract Syntax Notation One, as defined in X.208. CBC mode: The cipher-block chaining mode of DES, as defined in FIPS PUB 81. DES: Data Encryption Standard, as defined in FIPS PUB 46-1. MD2: RSA Data Security, Inc.'s MD2 message-digest algorithm, as defined in RFC 1319. MD5: RSA Data Security, Inc.'s MD5 message-digest algorithm, as defined in RFC 1321. 4. Symbols and abbreviations Upper-case italic symbols (e.g., C) denote octet strings; lower-case italic symbols (e.g., c) denote integers. ab hexadecimal octet value P password C ciphertext PS padding string EB encryption block S salt value IV initializing vector c iteration count
  • 3.
    5. General overview§Page 3 K DES key mod n modulo n M message X || Y concatenation of X, Y ||X|| length in octets of X 5. General overview The next three sections specify the encryption process, the decryption process, and object identifiers. Each entity shall privately select an octet string P as its "password." The password is an arbitrary octet string, and it need not be a printable "word" in the usual sense. The octet string may contain zero or more octets. Each entity shall also select an eight-octet string S as its salt value and a positive integer c as its iteration count. The salt value S and the iteration count c are parameters of the algorithm identifier for the password-based encryption algorithm. An entity's password, salt value, and iteration count may be different for each message the entity encrypts. Two password-based encryption algorithms are defined here. The first algorithm (informally, "MD2 with DES-CBC") combines the MD2 message-digest algorithm with DES in cipher-block chaining mode, and the second (informally, "MD5 with DES-CBC") combines the MD5 message-digest algorithm with DES in cipher-block chaining mode. The "selected" message-digest algorithm shall either be MD2 or MD5, depending on the password-based encryption algorithm. The encryption and decryption processes shall both be performed with the password, salt value, and iteration count as a key for the password-based encryption algorithm. Both processes transform an octet string to another octet string. The processes are inverses of one another if they use the same key. Notes. 1. Some security conditions on the choice of password may well be taken into account in order to deter standard attacks such as dictionary attacks. These security conditions fall outside the scope of this standard. 2. How passwords are entered by an entity (a user) is outside the scope of
  • 4.
    Page 4 PKCS#5: Password-Based Encryption Standard§ this standard. However, it is recommended in the interest of interoperability that when messages encrypted according to this standard are to be transferred from one computer system to another, the password should consist of printable ASCII characters (values 32 to 126 decimal inclusive). This recommendation may require that password-entry software support optional conversion from a local character set to ASCII. 3. The iteration count provides a method of varying the time to derive a DES key from the password, thereby making dictionary attacks more expensive. 4. The selection of a salt value independent from the password limits the efficiency of dictionary attacks directed collectively against many messages encrypted according to this standard, e.g., against a database of encrypted private keys. This concept is explained in Morris and Thompson's paper on passwords [MT79]. 5. A convenient way to select the salt value S is to set it to the first eight octets of the message digest of the octet string P || M. This method works best when the message M is somewhat random (e.g., a private key), for then the salt value S reveals no significant information about M or P. This method is not recommended, however, if the message M is known to belong to a small message space (e.g., "Yes" or "No"). 6. The iteration count and the method of selecting a salt value may be standardized in particular applications. 6. Encryption process This section describes the password-based encryption process. The encryption process consists of three steps: DES key generation, encryption-block formatting, and DES encryption. The input to the encryption process shall be an octet string M, the message; an octet string P, the password; an octet string S, the salt value; and an integer c, the iteration count. The output from the encryption process shall be an octet string C, the ciphertext. Note. The encryption process does not provide an explicit integrity check to facilitate error detection should the encrypted data be corrupted in transmission. However, the structure of the encryption block guarantees that the probability that corruption is undetected is less than 2-8. 6.1 DES key generation A DES key K and an initializing vector IV shall be generated from the password P, the salt value S, and the iteration count c. The key generation process shall involve the following steps: 1. The octet string P || S shall be digested with c iterations of the selected message-digest algorithm. "One iteration" of the message-digest algorithm is just the ordinary message digest; "two iterations" is the message digest
  • 5.
    5. General overview§Page 5 of the message digest; and so on. 2. The least significant bit of each of the first eight octets of the result of step 1 shall be changed if necessary to give the octet odd parity, as required by DES. The resulting eight octets shall become the DES key K. 3. The last eight octets of the result of step 1 shall become the initializing vector IV. 6.2 Encryption-block formatting The message M and a padding string PS shall be formatted into an octet string EB, the encryption block. EB = M || PS . (1) The padding string PS shall consist of 8 - (||M|| mod 8) octets all having value 8 - (||M|| mod 8). (This makes the length of the encryption block EB a multiple of eight octets.) In other words, the encryption block EB satisfies one of the following statements: EB = M || 01 — if ||M|| mod 8 = 7 ; EB = M || 02 02 — if ||M|| mod 8 = 6 ; × × × EB = M || 08 08 08 08 08 08 08 08 — if ||M|| mod 8 = 0 . Note. The encryption block can be parsed unambiguously since every encryption block ends with a padding string and no padding string is a suffix of another. 6.3 DES encryption The encryption block EB shall be encrypted under DES in cipher-block chaining mode with key K and initializing vector IV. The result of encryption shall be an octet string C, the ciphertext. Note. The length of the ciphertext C is a multiple of eight octets. 7. Decryption process This section describes the password-based decryption process. The decryption process consists of three steps: DES key generation, DES decryption, and encryption-block parsing. The input to the decryption process shall be an octet string C, the ciphertext; an octet string P, the password; an octet string S, the salt value; and an integer c, the iteration count. The output from the decryption process shall an octet string M, the message. For brevity, the decryption process is described in terms of the encryption process.
  • 6.
    Page 6 PKCS#5: Password-Based Encryption Standard§ 7.1 DES key generation A DES key K and an initializing vector IV shall be generated from the password P, the salt value S, and the iteration count c as described for the encryption process. 7.2 DES decryption The ciphertext C shall be decrypted under DES in cipher-block chaining mode with key K and initializing vector IV. The result of decryption shall be an octet string EB, the encryption block. It is an error if the length of the ciphertext C is not a multiple of eight octets. 7.3 Encryption-block parsing The encryption block EB shall be parsed into an octet string M, the message, and an octet string PS, the padding string, according to Equation (1). It is an error if the encryption block cannot be parsed according to Equation (1), i.e., if the encryption block does not end with k octets all having value k for some k between 1 and 8. 8. Object identifiers This standard defines three object identifiers: pkcs-5, pbeWithMD2AndDES-CBC, and pbeWithMD5AndDES-CBC. The object identifier pkcs-5 identifies this standard. pkcs-5 OBJECT IDENTIFIER ::= { iso(1) member-body(2) US(840) rsadsi(113549) pkcs(1) 5 } The object identifiers pbeWithMD2AndDES-CBC and pbeWithMD5AndDES-CBC identify, respectively, the "MD2 with DES-CBC" and "MD5 with DES-CBC" password- based encryption and decryption processes defined in Sections 6 and 7. pbeWithMD2AndDES-CBC OBJECT IDENTIFIER ::= { pkcs-5 1 } pbeWithMD5AndDES-CBC OBJECT IDENTIFIER ::= { pkcs-5 3 } These object identifiers are intended to be used in the algorithm field of a value of type AlgorithmIdentifier. The parameters field of that type, which has the algorithm-specific syntax ANY DEFINED BY algorithm, would have ASN.1 type PBEParameter for these algorithms. PBEParameter ::= SEQUENCE { salt OCTET STRING SIZE(8), iterationCount INTEGER }
  • 7.
    5. General overview§Page 7 The fields of type PBEParameter have the following meanings: • salt is the salt value S. • iterationCount is the iteration count c.
  • 8.
    Revision history§ Page8 Revision history Versions 1.0–1.3 Versions 1.0–1.3 were distributed to participants in RSA Data Security, Inc.'s Public-Key Cryptography Standards meetings in February and March 1991. Version 1.4 Version 1.4 is part of the June 3, 1991 initial public release of PKCS. Version 1.4 was published as NIST/OSI Implementors' Workshop document SEC-SIG-91-20. Version 1.5 Version 1.5 incorporates several editorial changes, including updates to the references and the addition of a revision history. Author's address RSA Laboratories (415) 595-7703 100 Marine Parkway (415) 595-4126 (fax) Redwood City, CA 94065 USA pkcs-editor@rsa.com