1. Introduction

Password-based cryptography, covering the following areas:
- key derivation functions
- encryption schemes
- message authentication schemes
- ASN.1 syntax

2. Notation

C       ciphertext, an octet string
c       iteration count, a positive integer
DK      derived key, an octet string
dkLen   length in octets of derived key, a positive integer
KDF     key derivation function
PRF     pseudorandom function
PS      padding string, an octet string
M       message, an octet string
P       password, an octet string
S       salt, an octet string
T       message authentication code, an octet string

4. Salt and iteration count

4.1 Salt

The salt can be viewed as an index into a large set of keys derived from the password, and need not be kept secret. That is, the salt is an index that picks one key out of this large set:

   DK = KDF (P, S)

where DK is the derived key, P is the password and S is the salt.

When no random or pseudorandom generator is available, the salt can be computed with a key derivation function, S = KDF (P, M). (Not recommended, because only a small number of salt values are then available.)

4.2 Iteration count

An iteration count has traditionally served to increase the cost of producing keys from a password, thereby also increasing the difficulty of attack. A minimum of 1000 iterations is recommended.

5. Key derivation functions (KDF)

A key derivation function produces a derived key from a base key and other parameters. In a password-based key derivation function, the base key is a password and the other parameters are a salt value and an iteration count.

The primary application of the password-based key derivation functions defined here is in the encryption schemes in Section 6 and the message authentication scheme in Section 7.

Two functions are specified in this section: PBKDF1 and PBKDF2.

A typical application of the key derivation functions defined here might include the following steps:

1. Select a salt value and an iteration count c.
2. Select a length in octets for the derived key, dkLen.
3. Apply the key derivation function to the password, the salt, the iteration count and the key length to produce a derived key.
4. Output the derived key.

5.1 PBKDF1

PBKDF1 applies a hash function, MD2 [6], MD5 [19] or SHA-1 [18], to derive keys. The length of the derived key is bounded by the length of the hash function output, which is 16 octets for MD2 and MD5 and 20 octets for SHA-1.

PBKDF1 (P, S, c, dkLen)

Options:   Hash       underlying hash function

Input:     P          password, an octet string
           S          salt, an eight-octet string
           c          iteration count, a positive integer
           dkLen      intended length in octets of derived key, a positive integer, at most 16 for MD2 or MD5 and 20 for SHA-1

Output:    DK         derived key, a dkLen-octet string

Steps:

   1. If dkLen > 16 for MD2 and MD5, or dkLen > 20 for SHA-1, output "derived key too long" and stop.

   2. Apply the underlying hash function Hash for c iterations to the concatenation of the password P and the salt S, then extract the first dkLen octets to produce a derived key DK:

         T_1 = Hash (P || S) ,
         T_2 = Hash (T_1) ,
         ...
         T_c = Hash (T_{c-1}) ,
         DK = T_c<0..dkLen-1>

   3. Output the derived key DK.

5.2 PBKDF2

PBKDF2 applies a pseudorandom function (see Appendix B.1) to derive keys. The length of the derived key is essentially unbounded.

PBKDF2 (P, S, c, dkLen)

Options:   PRF        underlying pseudorandom function (hLen denotes the length in octets of the pseudorandom function output)

Input:     P          password, an octet string
           S          salt, an octet string
           c          iteration count, a positive integer
           dkLen      intended length in octets of the derived key, a positive integer, at most (2^32 - 1) * hLen

Output:    DK         derived key, a dkLen-octet string

Steps:

   1. If dkLen > (2^32 - 1) * hLen, output "derived key too long" and stop.

   2. Let l be the number of hLen-octet blocks in the derived key, rounding up, and let r be the number of octets in the last block:

         l = CEIL (dkLen / hLen) ,
         r = dkLen - (l - 1) * hLen .

      Here, CEIL (x) is the "ceiling" function, i.e. the smallest integer greater than, or equal to, x.

   3. For each block of the derived key apply the function F defined below to the password P, the salt S, the iteration count c, and the block index to compute the block:

         T_1 = F (P, S, c, 1) ,
         T_2 = F (P, S, c, 2) ,
         ...
         T_l = F (P, S, c, l) ,

      where the function F is defined as the exclusive-or sum of the first c iterates of the underlying pseudorandom function PRF applied to the password P and the concatenation of the salt S and the block index i:

         F (P, S, c, i) = U_1 \xor U_2 \xor ... \xor U_c

      where

         U_1 = PRF (P, S || INT (i)) ,
         U_2 = PRF (P, U_1) ,
         ...
         U_c = PRF (P, U_{c-1}) .

      Here, INT (i) is a four-octet encoding of the integer i, most significant octet first.

   4. Concatenate the blocks and extract the first dkLen octets to produce a derived key DK:

         DK = T_1 || T_2 || ... || T_l<0..r-1>

   5. Output the derived key DK.
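
Added example (not part of the original page): a direct Python transcription of the PBKDF2 steps in 5.2, checked against hashlib.pbkdf2_hmac from the standard library. Using HMAC as the PRF is an assumption, since the page only points to Appendix B.1, and the password, salt and parameters in check() are constructed sample values.

```python
import hashlib
import hmac
import struct


def pbkdf2(prf_hash: str, P: bytes, S: bytes, c: int, dkLen: int) -> bytes:
    """PBKDF2 following the steps of section 5.2, with PRF = HMAC-<prf_hash>."""
    hLen = hashlib.new(prf_hash).digest_size
    if c < 1 or dkLen < 1:
        raise ValueError("c and dkLen must be positive integers")
    # Step 1: length check.
    if dkLen > (2**32 - 1) * hLen:
        raise ValueError("derived key too long")
    # Step 2: l blocks, the last of which contributes r octets.
    l = -(-dkLen // hLen)          # CEIL (dkLen / hLen)
    r = dkLen - (l - 1) * hLen

    def PRF(key: bytes, data: bytes) -> bytes:
        # Assumption: HMAC keyed with the password P.
        return hmac.new(key, data, prf_hash).digest()

    def F(i: int) -> bytes:
        # U_1 = PRF (P, S || INT (i)); INT (i) is four octets, big-endian.
        U = PRF(P, S + struct.pack(">I", i))
        acc = int.from_bytes(U, "big")
        for _ in range(c - 1):
            U = PRF(P, U)                      # U_j = PRF (P, U_{j-1})
            acc ^= int.from_bytes(U, "big")    # running exclusive-or sum
        return acc.to_bytes(hLen, "big")

    # Steps 3-4: DK = T_1 || T_2 || ... || T_l<0..r-1>
    blocks = [F(i) for i in range(1, l + 1)]
    blocks[-1] = blocks[-1][:r]
    return b"".join(blocks)


def check(P=b"correct horse", S=b"\x01" * 16, c=1000, dkLen=50):
    """Compare with hashlib.pbkdf2_hmac on constructed inputs (SHA-1, hLen = 20)."""
    mine = pbkdf2("sha1", P, S, c, dkLen)
    ref = hashlib.pbkdf2_hmac("sha1", P, S, c, dkLen)
    return hmac.compare_digest(mine, ref), len(mine)


if __name__ == "__main__":
    print(check())
```

With dkLen = 50 and hLen = 20 the run exercises l = 3 blocks and a truncated last block of r = 10 octets.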