研二
PKCS #5:基于口令的加密标准(Password-Based Cryptography Standard)
该标准描述了 PBE(password-based encryption,基于口令的加密)这一对称加密方法。事实上,PBE 并不是一种新的加密算法,而是对现有加密算法的一种应用:先由口令派生出密钥,再用该密钥以 DES、RC2、RC5 等算法在 CBC 模式下完成加密。
在 PKCS 系列中,PKCS #5 的主要应用之一应是 PKCS #12(个人信息交换语法)所描述文件格式中的最后一项,即 macData(其中包含 iteration 和 salt):由口令派生出密钥并计算 HMAC 值(MAC 值),用于对个人信息进行鉴别(完整性校验)。以下是 PKCS #5 中给出的 ASN.1 模块。
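-- PKCS #5 v2.0 ASN.1 Module
-- Revised March 25, 1999
-- This module has been checked for conformance with the
-- ASN.1 standard by the OSS ASN.1 Tools
--
-- Layout note: in ASN.1 a "--" comment runs to the end of the line (or to
-- the next "--"). The collapsed transcription of this module therefore
-- commented out every declaration that followed a section header
-- ("-- Basic object identifiersrsadsi OBJECT IDENTIFIER ..." hid rsadsi,
-- "-- PBKDF2PBKDF2Algorithms ..." hid PBKDF2Algorithms, and so on) and
-- closed the "Revised" comment early at "1999-- This module". The text
-- below restores one declaration per line so the module parses as written.

PKCS5v2-0 {iso(1) member-body(2) us(840) rsadsi(113549)
  pkcs(1) pkcs-5(5) modules(16) pkcs5v2-0(1)}

DEFINITIONS ::= BEGIN

-- Basic object identifiers

rsadsi OBJECT IDENTIFIER ::=
  {iso(1) member-body(2) us(840) 113549}
pkcs OBJECT IDENTIFIER ::= {rsadsi 1}
pkcs-5 OBJECT IDENTIFIER ::= {pkcs 5}

-- Basic types and classes

-- Parameterized AlgorithmIdentifier: the OID in 'algorithm' selects which
-- 'parameters' type (from the given information object set) is expected.
AlgorithmIdentifier { ALGORITHM-IDENTIFIER:InfoObjectSet } ::=
SEQUENCE {
  algorithm ALGORITHM-IDENTIFIER.&id({InfoObjectSet}),
  parameters ALGORITHM-IDENTIFIER.&Type({InfoObjectSet}
    {@algorithm}) OPTIONAL
}

ALGORITHM-IDENTIFIER ::= TYPE-IDENTIFIER

-- PBKDF2

PBKDF2Algorithms ALGORITHM-IDENTIFIER ::= {
  {PBKDF2-params IDENTIFIED BY id-PBKDF2},
  ...
}

id-PBKDF2 OBJECT IDENTIFIER ::= {pkcs-5 12}

algid-hmacWithSHA1 AlgorithmIdentifier {{PBKDF2-PRFs}} ::=
  {algorithm id-hmacWithSHA1, parameters NULL : NULL}

PBKDF2-params ::= SEQUENCE {
  salt CHOICE {
    specified OCTET STRING,
    otherSource AlgorithmIdentifier {{PBKDF2-SaltSources}}
  },
  -- (1..MAX) is only the syntactic lower bound. RFC 2898 recommends a
  -- minimum of 1000 iterations; a decoder should treat very small counts
  -- as a policy decision, not as something the schema rules out.
  iterationCount INTEGER (1..MAX),
  -- When absent, the derived-key length is taken from the scheme that
  -- consumes the key (PBES2 encryption scheme / PBMAC1 MAC scheme).
  keyLength INTEGER (1..MAX) OPTIONAL,
  -- DER omits a value equal to its DEFAULT on the wire; decoders must
  -- supply HMAC-SHA1 themselves when the field is missing.
  prf AlgorithmIdentifier {{PBKDF2-PRFs}} DEFAULT
    algid-hmacWithSHA1
}

PBKDF2-SaltSources ALGORITHM-IDENTIFIER ::= { ... }

PBKDF2-PRFs ALGORITHM-IDENTIFIER ::=
  { {NULL IDENTIFIED BY id-hmacWithSHA1}, ... }

-- PBES1
-- The PKCS #5 v1.5 schemes (MD2/MD5/SHA-1 digest with DES-CBC or RC2-CBC).
-- RFC 2898 keeps them for compatibility with existing applications and
-- recommends PBES2 for new ones.

PBES1Algorithms ALGORITHM-IDENTIFIER ::= {
  {PBEParameter IDENTIFIED BY pbeWithMD2AndDES-CBC} |
  {PBEParameter IDENTIFIED BY pbeWithMD2AndRC2-CBC} |
  {PBEParameter IDENTIFIED BY pbeWithMD5AndDES-CBC} |
  {PBEParameter IDENTIFIED BY pbeWithMD5AndRC2-CBC} |
  {PBEParameter IDENTIFIED BY pbeWithSHA1AndDES-CBC} |
  {PBEParameter IDENTIFIED BY pbeWithSHA1AndRC2-CBC},
  ...
}

pbeWithMD2AndDES-CBC OBJECT IDENTIFIER ::= {pkcs-5 1}
pbeWithMD2AndRC2-CBC OBJECT IDENTIFIER ::= {pkcs-5 4}
pbeWithMD5AndDES-CBC OBJECT IDENTIFIER ::= {pkcs-5 3}
pbeWithMD5AndRC2-CBC OBJECT IDENTIFIER ::= {pkcs-5 6}
pbeWithSHA1AndDES-CBC OBJECT IDENTIFIER ::= {pkcs-5 10}
pbeWithSHA1AndRC2-CBC OBJECT IDENTIFIER ::= {pkcs-5 11}

-- Unlike PBKDF2-params, the PBES1 salt is fixed at exactly 8 octets and
-- iterationCount carries no lower bound at all.
PBEParameter ::= SEQUENCE {
  salt OCTET STRING (SIZE(8)),
  iterationCount INTEGER
}

-- PBES2

PBES2Algorithms ALGORITHM-IDENTIFIER ::= {
  {PBES2-params IDENTIFIED BY id-PBES2},
  ...
}

id-PBES2 OBJECT IDENTIFIER ::= {pkcs-5 13}

PBES2-params ::= SEQUENCE {
  keyDerivationFunc AlgorithmIdentifier {{PBES2-KDFs}},
  encryptionScheme AlgorithmIdentifier {{PBES2-Encs}}
}

PBES2-KDFs ALGORITHM-IDENTIFIER ::=
  { {PBKDF2-params IDENTIFIED BY id-PBKDF2}, ... }

-- Open set: the schema names no encryption schemes here, so accepting a
-- given scheme OID (and validating its parameters) is entirely up to the
-- implementation; decoders should whitelist the schemes they support.
PBES2-Encs ALGORITHM-IDENTIFIER ::= { ... }

-- PBMAC1

PBMAC1Algorithms ALGORITHM-IDENTIFIER ::= {
  {PBMAC1-params IDENTIFIED BY id-PBMAC1},
  ...
}

id-PBMAC1 OBJECT IDENTIFIER ::= {pkcs-5 14}

PBMAC1-params ::= SEQUENCE {
  keyDerivationFunc AlgorithmIdentifier {{PBMAC1-KDFs}},
  messageAuthScheme AlgorithmIdentifier {{PBMAC1-MACs}}
}

PBMAC1-KDFs ALGORITHM-IDENTIFIER ::=
  { {PBKDF2-params IDENTIFIED BY id-PBKDF2}, ... }

-- Open set, as with PBES2-Encs: the accepted MAC schemes are an
-- implementation decision.
PBMAC1-MACs ALGORITHM-IDENTIFIER ::= { ... }

-- Supporting techniques

digestAlgorithm OBJECT IDENTIFIER ::= {rsadsi 2}
encryptionAlgorithm OBJECT IDENTIFIER ::= {rsadsi 3}

SupportingAlgorithms ALGORITHM-IDENTIFIER ::= {
  {NULL IDENTIFIED BY id-hmacWithSHA1} |
  {OCTET STRING (SIZE(8)) IDENTIFIED BY desCBC} |
  {OCTET STRING (SIZE(8)) IDENTIFIED BY des-EDE3-CBC} |
  {RC2-CBC-Parameter IDENTIFIED BY rc2CBC} |
  {RC5-CBC-Parameters IDENTIFIED BY rc5-CBC-PAD},
  ...
}

id-hmacWithSHA1 OBJECT IDENTIFIER ::= {digestAlgorithm 7}

desCBC OBJECT IDENTIFIER ::=
  {iso(1) identified-organization(3) oiw(14) secsig(3)
    algorithms(2) 7} -- from OIW

des-EDE3-CBC OBJECT IDENTIFIER ::= {encryptionAlgorithm 7}

rc2CBC OBJECT IDENTIFIER ::= {encryptionAlgorithm 2}

-- For desCBC / des-EDE3-CBC the parameter is the 8-octet IV itself; for
-- RC2 and RC5 the IV is wrapped in the SEQUENCEs below.
RC2-CBC-Parameter ::= SEQUENCE {
  rc2ParameterVersion INTEGER OPTIONAL,
  iv OCTET STRING (SIZE(8))
}

rc5-CBC-PAD OBJECT IDENTIFIER ::= {encryptionAlgorithm 9}

RC5-CBC-Parameters ::= SEQUENCE {
  version INTEGER {v1-0(16)} (v1-0),
  rounds INTEGER (8..127),
  blockSizeInBits INTEGER (64 | 128),
  -- OPTIONAL here, unlike the RC2 case; the schema does not say what an
  -- absent IV means, so that is left to the consuming specification.
  iv OCTET STRING OPTIONAL
}

END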