PKCS #5 v2.0: Password-Based Cryptography Standard

Slides:



Advertisements
Similar presentations
Chapter 3 Public Key Cryptography and Message authentication.
Advertisements

Lecture 5: Cryptographic Hashes
CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (3) Information Security.
ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.
Sri Lanka Institute of Information Technology
Digital Signatures and Hash Functions. Digital Signatures.
1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.
Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.
1 Chapter 5 Hashes and Message Digests Instructor: 孫宏民 Room: EECS 6402, Tel: , Fax :
CMSC 414 Computer (and Network) Security Lecture 5 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
Dr Alejandra Flores-Mosri Message Authentication Internet Management & Security 06 Learning outcomes At the end of this session, you should be able to:
Wireless Security In wireless networks. Security and Assurance - Goals Integrity Modified only in acceptable ways Modified only by authorized people Modified.
CMSC 414 Computer and Network Security Lecture 5 Jonathan Katz.
Henric Johnson1 Chapter3 Public-Key Cryptography and Message Authentication Henric Johnson Blekinge Institute of Technology, Sweden
CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz.
Fall 2010/Lecture 311 CS 426 (Fall 2010) Public Key Encryption and Digital Signatures.
Lecture 23 Symmetric Encryption
Cryptography1 CPSC 3730 Cryptography Chapter 11, 12 Message Authentication and Hash Functions.
Feb 19, 2002Mårten Trolin1 Previous lecture Practical things about the course. Example of cryptosystem — substitution cipher. Symmetric vs. asymmetric.
Foundations of Cryptography Lecture 8 Lecturer: Moni Naor.
Computer Science CSC 774Dr. Peng Ning1 CSC 774 Advanced Network Security Topic 2. Review of Cryptographic Techniques.
Encryption Schemes Second Pass Brice Toth 21 November 2001.
1 Message Authentication and Hash Functions Authentication Requirements Authentication Functions Message Authentication Codes Hash Functions Security of.
Lecture 2: Message Authentication Anish Arora CSE5473 Introduction to Network Security.
Dan Boneh Odds and ends Key Derivation Online Cryptography Course Dan Boneh.
Practical Techniques for Searches on Encrypted Data Yongdae Kim Written by Song, Wagner, Perrig.
1 Public-Key Cryptography and Message Authentication Ola Flygt Växjö University, Sweden
Digital Signatures Slides by Kent Seamons and Tim van der Horst Last Updated: Oct 7, 2013.
Acknowledgements: William Stallings.William Stallings All rights Reserved Session 4 Public Key Cryptography (Part 2) Network Security Essentials Application.
CMS Interoperability Matrix Jim Schaad Soaring Hawk Security.
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
Message Authentication  message authentication is concerned with: protecting the integrity of a message protecting the integrity of a message validating.
Information Security Principles Assistant Professor Dr. Sana’a Wafa Al-Sayegh 1 st Semester ITGD 2202 University of Palestine.
1 Chapter 11: Message Authentication and Hash Functions Fourth Edition by William Stallings Lecture slides by Lawrie Brown (modified by Prof. M. Singhal,
Hash Functions A hash function H accepts a variable-length block of data M as input and produces a fixed-size hash value h = H(M) Principal object is.
Key Management Workshop November 1-2, Cryptographic Algorithms, Keys, and other Keying Material  Approved cryptographic algorithms  Security.
CS526: Information Security Prof. Sam Wagstaff September 16, 2003 Cryptography Basics.
Lecture 4.1: Hash Functions, and Message Authentication Codes CS 436/636/736 Spring 2015 Nitesh Saxena.
Message Authentication and Hash Functions Chapter 11.
RSA Data Security, Inc. PKCS #1 : RSA Cryptography Standard Jessica Staddon RSA Laboratories PKCS Workshop October 7, 1998.
On OAEP, PSS, and S/MIME John Linn RSA Laboratories S/MIME WG, San Diego IETF, 13 December 2000.
XML Encryption, XML Signature, and Derived Keys: Suggestion For a Minor Addition Magnus Nyström RSA.
Feb 17, 2003Mårten Trolin1 Previous lecture Practical things about the course. Example of cryptosystem — substitution cipher. Symmetric vs. asymmetric.
11.1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 11 Message Integrity and Message Authentication.
Shambhu Upadhyaya Security – AES-CCMP Shambhu Upadhyaya Wireless Network Security CSE 566 (Lecture 13)
1 CIS 5371 Cryptography 4. Message Authentication Codes B ased on: Jonathan Katz and Yehuda Lindell Introduction to Modern Cryptography.
Cryptographic Hash Functions and Protocol Analysis
Lecture 2: Introduction to Cryptography
Chapter 11 Message Authentication and Hash Functions.
Lecture 23 Symmetric Encryption
Public Key Algorithms Lesson Introduction ●Modular arithmetic ●RSA ●Diffie-Hellman.
Cryptography and Network Security (CS435) Part Nine (Message Authentication)
By Sandeep Gadi 12/20/  Design choices for securing a system affect performance, scalability and usability. There is usually a tradeoff between.
PKCS #5: Password-Based Cryptography Standard
Hash Functions Ramki Thurimella. 2 What is a hash function? Also known as message digest or fingerprint Compression: A function that maps arbitrarily.
ANSI X9.44 and IETF TLS Russ Housley and Burt Kaliski RSA Laboratories November 2002.
IT 221: Introduction to Information Security Principles Lecture 5: Message Authentications, Hash Functions and Hash/Mac Algorithms For Educational Purposes.
TLS PRF Considered Harmful Issues with implementing Hardware Security Module Support for TLS.
 Encryption provides confidentiality  Information is unreadable to anyone without knowledge of the key  Hashing provides integrity  Verify the integrity.
Cryptography Hyunsung Kim, PhD University of Malawi, Chancellor College Kyungil University February, 2016.
RSA Laboratories’ PKCS Series - a Tutorial
RSA Laboratories’ PKCS Series - a Tutorial
Cryptography Lecture 12.
Cryptography Lecture 12.
Topic 13: Message Authentication Code
Cryptography Lecture 11.
Secret-Key Encryption
Presentation transcript:

PKCS #5 v2.0: Password-Based Cryptography Standard Burt Kaliski, RSA Laboratories PKCS Workshop, 29 September 1999

Outline Background PKCS #5 v1.5 PKCS #5 v2.0 Generating salt Possible future work

Background Cryptography with a password ... encryption message authentication identification, key establishment … has some peculiar problems: passwords are not conventional keys nor are they very “random”

key = PBKDF (password, salt, count) General Model Password-based key derivation: key = PBKDF (password, salt, count) salt prevents dictionary attack count complicates search key is applied to conventional cryptosystem

PKCS #5 v1.5 Password-Based Encryption Standard published November 1993 Two encryption schemes: MD2 with DES-CBC MD5 with DES-CBC

PKCS #5 v1.5 Encryption Scheme Encryption operation 1. Generate salt S 2. Hash with password to derive key, IV: K || IV = Hashcount (P || S) 3. Pad message and encrypt: EM = M || pad C = DES-CBC (K, IV, EM) S, count, C sent to recipient Decryption is similar

Limitations of v1.5 Scheme Algorithm restrictions: only two hash functions only one underlying encryption scheme includes padding, assumes CBC mode Theoretical deficiencies: no formal model or security proof for KDF construction has “entropy bottleneck” Fixed maximum length for keys

Enhancements Before v2.0 RSA Data Security extensions: SHA-1 hash function RC2-CBC encryption PKCS #12 password-based schemes

PKCS Workshops ’97, ’98 Discussion of PKCS #5 improvements, proposed draft Conclusions: 1. New key derivation function to be specified 2. Modular encryption, message authentication schemes parameters for underlying scheme (e.g., IV) managed separately

PKCS #5 v2.0 Password-Based Cryptography Standard Several techniques: published March 1999 Several techniques: extended v1.5 and new KDF extended v1.5 and new modular encryption schemes new modular message authentication scheme New schemes are recommended for new applications

New Key Derivation Function PBKDF2 (P, S, c, dkLen) 1. Compute blocks T1,…,Tl by iterated construction: U1 = G (P, S || Int (i)) , U2 = G (P, U1) , …, Uc = G (P, Uc-1) Ti = U1 \xor U2 \xor  \xor Uc 2. Output first dkLen octets of T1 ||  || Tl G is underlying pseudorandom function

Motivation for PBKDF2 “Belt-and-suspenders” approach: Ui values are computed recursively to remove a degree of parallelism different than PKCS ’98 proposal, which computed them independently as Uj = G (P, S || Int (i) || Int (j)) XOR reduces concerns about the recursion degenerating into a small set of values (Potentially) provably secure under reasonable assumptions on pseudorandom function G Variable length through varying i

New Encryption Scheme Encryption operation 1. Select salt S, iteration count c, key length dkLen 2. Apply KDF to derive key DK = KDF (P, S, c, dkLen) 3. Apply underlying encryption scheme C = EncDK (M) parameters such as IV selected as part of underlying scheme Decryption is similar

Message Authentication Scheme MAC generation operation 1. Select salt S, iteration count c, key length dkLen 2. Apply KDF to derive key DK = KDF (P, S, c, dkLen) 3. Apply underlying message authentication scheme T = MACDK (M) MAC verification is similar

Addressing the Limitations Algorithm restrictions: arbitrary (iterated) pseudorandom function arbitrary underlying encryption scheme Theoretical deficiencies: formal model / (potential) security proof for KDF construction still has “entropy bottleneck” but can support wider hash function not a practical problem for passwords Large maximum length for keys

Supporting Techniques Pseudorandom functions: HMAC-SHA-1 where message is index Encryption schemes: DES, DES-EDE3, RC2, RC5 all in CBC mode with PKCS #5 v1.5 padding DES-EDE2, DESX, RC4 could potentially be added Message authentication schemes: HMAC-SHA-1

ASN.1 Syntax Key derivation functions Encryption schemes only PBKDF2 Encryption schemes PBES1 and PBES2 Message authentication scheme (and pseudorandom function) PBMAC1

PBKDF2 Generic OID: Parameters: id-pbkdf2 ::= pkcs-5.12 PBKDF2-params ::= SEQUENCE { salt CHOICE { specified OCTET STRING, otherSource AlgID {{PBKDF2-SaltSources}} }, iterationCount INTEGER (1..MAX), keyLength INTEGER (1..MAX) OPTIONAL, prf AlgID {{PBKDF2-PRFs}} DEFAULT algid-hmacWithSHA1 }

PBES1 Specific OIDs as in v1.5: Parameters: pbeWithMD2AndDES-CBC ::= pkcs-5.1 pbeWithMD5AndDES-CBC ::= pkcs-5.3 … pbeWithSHA1AndRC2-CBC ::= pkcs-5.11 Parameters: PBEParameter ::= SEQUENCE { salt OCTET STRING SIZE (8), iterationCount INTEGER }

PBES2 Generic OID: Parameters: id-pbes2 ::= pkcs-5.13 PBES2-params ::= SEQUENCE { kdf AlgID {{PBES2-KDFs}}, enc AlgID {{PBES2-Encs}} }

PBMAC1 Generic OID: Parameters: id-pbmac1 ::= pkcs-5.14 PBMAC1-params ::= SEQUENCE { kdf AlgID {{PBMAC1-KDFs}}, mac AlgID {{PBMAC1-MACs}} }

Generating Salt Primary purpose of salt is to increase difficulty of precomputation attacks Secondary purpose is to separate keys generated at different times A random salt assures the one who generated it that these goals are achieved, but not necessarily the one who receives it i.e., the party decrypting a ciphertext or verifying a MAC is not assured that separate keys were employed

Exploiting Ambiguity Suppose a password is employed for two algorithms with different key lengths, and the salt does not distinguish between them Then for a given salt, the key for one algorithm will be a prefix of the key for the other Suppose also that an opponent can solve for the shorter key by a chosen ciphertext attack Then the opponent can also solve for the longer key by guessing the rest of it: “divide-and-conquer” Similar concerns for other kinds of interaction

Salt Recommendations If interactions are not a concern (e.g., password is always employed with the same algorithm), then a random salt is sufficient at least 64 bits recommended If they are, then the salt should also contain some structure, e.g., an algorithm identifier and/or a sequence number that can be checked by the party receiving the key

Possible Future Work Structure for salt value basically, key derivation parameters for KDF “Pepper” variants where part of salt is secret several references in literature Public-key password-based techniques password-based entity authentication and key establishment password-based private-key downloading