Cryptographic Token Interface Standard
PKCS#11
PKCS #12 password-based encryption/authentication mechanisms
Detailed Description
The mechanisms in this section are for generating keys and IVs for performing password-based encryption or authentication. The method used to generate keys and IVs is based on a method that was specified in the original draft of PKCS #12.
We specify here a general method for producing various types of pseudo-random bits from a password, $p$; a string of salt bits, $s$; and an iteration count, $c$. The "type" of pseudo-random bits to be produced is identified by an identification byte, $ID$, the meaning of which will be discussed later.
Let $H$ be a hash function built around a compression function $f: \mathbb{Z}_2^u \times \mathbb{Z}_2^v \to \mathbb{Z}_2^u$ (that is, $H$ has a chaining variable and output of length $u$ bits, and the message input to the compression function of $H$ is $v$ bits). For MD2 and MD5, $u = 128$ and $v = 512$; for SHA-1, $u = 160$ and $v = 512$.
We assume here that u and v are both multiples of 8, as are the lengths in bits of the password and salt strings and the number n of pseudo-random bits required. In addition, u and v are of course nonzero.
- Construct a string, $D$ (the "diversifier"), by concatenating $v/8$ copies of $ID$.
- Concatenate copies of the salt together to create a string $S$ of length $v \cdot \lceil s/v \rceil$ bits (the final copy of the salt may be truncated to create $S$). Note that if the salt is the empty string, then so is $S$.
- Concatenate copies of the password together to create a string $P$ of length $v \cdot \lceil p/v \rceil$ bits (the final copy of the password may be truncated to create $P$). Note that if the password is the empty string, then so is $P$.
- Set $I = S \| P$ to be the concatenation of $S$ and $P$.
- Set $j = \lceil n/u \rceil$.
- For $i = 1, 2, \ldots, j$, do the following:
  - Set $A_i = H^c(D \| I)$, the $c$th hash of $D \| I$. That is, compute the hash of $D \| I$; compute the hash of that hash; etc.; continue in this fashion until a total of $c$ hashes have been computed, each on the result of the previous hash.
  - Concatenate copies of $A_i$ to create a string $B$ of length $v$ bits (the final copy of $A_i$ may be truncated to create $B$).
  - Treating $I$ as a concatenation $I_0, I_1, \ldots, I_{k-1}$ of $v$-bit blocks, where $k = \lceil s/v \rceil + \lceil p/v \rceil$, modify $I$ by setting $I_j = (I_j + B + 1) \bmod 2^v$ for each $j$. To perform this addition, treat each $v$-bit block as a binary number represented most-significant bit first.
- Concatenate $A_1, A_2, \ldots, A_j$ together to form a pseudo-random bit string, $A$.
- Use the first $n$ bits of $A$ as the output of this entire process.
When the password-based encryption mechanisms presented in this section are used to generate a key and IV (if needed) from a password, salt, and an iteration count, the above algorithm is used. To generate a key, the identifier byte ID is set to the value 1; to generate an IV, the identifier byte ID is set to the value 2.
When the password-based authentication mechanism presented in this section is used to generate a key from a password, salt, and an iteration count, the above algorithm is used. The identifier byte ID is set to the value 3.
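The derivation above, written out in Python as an added example (not code from the PKCS #11 document or from RSA Security). It works in bytes rather than bits, takes u and v from hashlib, and uses the password bytes exactly as passed in; the names pkcs12_derive, _fill and demo and the sample inputs are constructed for illustration.

```python
import hashlib


def _fill(x: bytes, length: int) -> bytes:
    """Repeat x, truncating the final copy, to exactly `length` bytes."""
    return (x * (length // len(x) + 1))[:length] if x else b""


def pkcs12_derive(password: bytes, salt: bytes, count: int, id_byte: int,
                  n_bytes: int, hash_name: str = "sha1") -> bytes:
    """Derivation listed above; all lengths are in bytes, not bits.

    id_byte: 1 = encryption key, 2 = IV, 3 = authentication key.
    Assumption: `password` is used as given; encoding is left to the caller.
    """
    if id_byte not in (1, 2, 3) or count < 1 or n_bytes < 1:
        raise ValueError("id_byte must be 1..3; count and n_bytes positive")
    probe = hashlib.new(hash_name)
    u, v = probe.digest_size, probe.block_size
    D = bytes([id_byte]) * v                             # diversifier
    S = _fill(salt, v * -(-len(salt) // v))              # v * ceil(s/v)
    P = _fill(password, v * -(-len(password) // v))      # v * ceil(p/v)
    I = bytearray(S + P)
    out = b""
    for _block in range(-(-n_bytes // u)):               # j = ceil(n/u)
        A = D + bytes(I)
        for _ in range(count):                           # A_i = H^c(D || I)
            A = hashlib.new(hash_name, A).digest()
        out += A
        B1 = int.from_bytes(_fill(A, v), "big") + 1      # B + 1
        for k in range(0, len(I), v):                    # each v-byte block of I
            blk = (int.from_bytes(I[k:k + v], "big") + B1) % (1 << (8 * v))
            I[k:k + v] = blk.to_bytes(v, "big")
    return out[:n_bytes]


def demo() -> dict:
    # Constructed sample inputs, not test vectors from any standard.
    pw, salt, c = b"constructed-password", bytes(range(8)), 1000
    return {
        "key": pkcs12_derive(pw, salt, c, 1, 24),        # ID = 1
        "iv": pkcs12_derive(pw, salt, c, 2, 8),          # ID = 2
        "mac_key": pkcs12_derive(pw, salt, c, 3, 20),    # ID = 3
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value.hex())
```

Because D is built from the identifier byte, the key, IV and authentication key derived from one password, salt and iteration count are unrelated bit strings.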
RSA Security Inc. Public-Key Cryptography Standards -
PKCS#11 - v210