RSA Laboratories’ PKCS Series - a Tutorial

1 RSA Laboratories’ PKCS Series - a Tutorial
Magnus Nyström, October, 1999

2 Password-Based Cryptography Standard
Recommendations for the implementation of password-based cryptography, covering:
- key establishment
- encryption schemes
- message-authentication schemes
- ASN.1 syntax identifying the techniques
Generally oriented towards protection of private keys
No guidelines for selection of passwords

3 Background
Cryptography with a password ...
- identification, key establishment
- encryption
- message authentication
… has some peculiar problems:
- passwords are not conventional keys
- nor are they very “random”

4 General Model
Password-based key derivation:
key = PBKDF(password, salt, iterations)
- A salt serves to produce many keys from a given password (thwarting dictionary attacks)
- But it does not protect against an attacker able to choose the salt
- Iterations increase the cost for an attacker having to try many passwords

5 Key Derivation Functions
PBKDF1 - Password-based key derivation function #1
- The “original” PBKDF
- Can’t generate keys longer than 20 bytes
- DK || IV = Hash^iterations(Password || Salt)
- Limitations:
  - only two hash functions
  - assumes cipher in CBC mode and 8-byte salt
  - no security proof
  - entropy bottleneck
  - fixed maximum length for keys

6 Key Derivation Functions, II
PBKDF2
- New in version 2.0 of PKCS #5
- “Belts-and-suspenders” approach (protect against both parallel attacks and the recursion present in PBKDF1)
- DK = T_1 || T_2 || … || T_n
- T_i = f(Password, Salt, Iterations, i)
- f(Password, Salt, Iterations, i) = U_1 XOR U_2 XOR … XOR U_iterations
- U_1 = PRF(Password, Salt || i)
- U_i = PRF(Password, U_(i-1))
- PRF is most likely HMAC
- Restricts search space for an unknown key to 160 bits, however

7 Motivations for PBKDF2
- Provably secure under reasonable assumptions on the pseudorandom function PRF
- Variable output length
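The PBKDF2 construction from slide 6, written out step by step as an added example (not part of the original presentation). It assumes the PRF is HMAC-SHA-1 and that the block index i is appended to the salt as a 4-byte big-endian integer, as PKCS #5 v2.0 specifies; the password, salt and iteration count in demo() are constructed sample values.

```python
import hashlib
import hmac
import struct

HLEN = 20  # output length of HMAC-SHA-1 in bytes (160 bits)

def prf(password: bytes, data: bytes) -> bytes:
    """PRF from the slide, instantiated as HMAC-SHA-1 keyed with the password."""
    return hmac.new(password, data, hashlib.sha1).digest()

def f(password: bytes, salt: bytes, iterations: int, i: int) -> bytes:
    """T_i = U_1 XOR U_2 XOR ... XOR U_iterations."""
    u = prf(password, salt + struct.pack(">I", i))  # U_1 = PRF(Password, Salt || i)
    t = int.from_bytes(u, "big")
    for _ in range(iterations - 1):
        u = prf(password, u)                        # U_j = PRF(Password, U_(j-1))
        t ^= int.from_bytes(u, "big")
    return t.to_bytes(HLEN, "big")

def pbkdf2(password: bytes, salt: bytes, iterations: int, dk_len: int) -> bytes:
    """DK = T_1 || T_2 || ... || T_n, truncated to dk_len bytes."""
    if iterations < 1 or dk_len < 1:
        raise ValueError("iterations and dk_len must be positive")
    n = -(-dk_len // HLEN)  # number of blocks needed: ceil(dk_len / HLEN)
    blocks = (f(password, salt, iterations, i) for i in range(1, n + 1))
    return b"".join(blocks)[:dk_len]

def demo() -> dict:
    """Derive a 48-byte key (beyond PBKDF1's 20-byte limit) from constructed inputs."""
    password = b"correct horse"       # constructed sample password
    salt_a = bytes(range(8))          # constructed sample salts
    salt_b = bytes(range(8, 16))
    dk_a = pbkdf2(password, salt_a, 1000, 48)
    dk_b = pbkdf2(password, salt_b, 1000, 48)
    reference = hashlib.pbkdf2_hmac("sha1", password, salt_a, 1000, 48)
    return {
        "length": len(dk_a),
        "matches_hashlib": hmac.compare_digest(dk_a, reference),
        "salt_changes_key": dk_a != dk_b,  # same password, different salt
    }

if __name__ == "__main__":
    print(demo())
```

In production code, call a vetted implementation such as hashlib.pbkdf2_hmac rather than a hand-written loop; the version above exists to make the T_i and U_j recursion visible.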

8 Encryption Schemes
PBES1
- Basically PBKDF1 in combination with DES or RC2-CBC
- New applications should favor PBES2
PBES2
- Combination of PBKDF2 with some underlying encryption scheme

9 Message Authentication Schemes
PBMAC1
- PBKDF2 together with some underlying MAC scheme

10 More information PKCS #5 v2.0 is available from

