GM/T 0091-2020 English PDF (GMT0091-2020)
GM/T 0091-2020: Password-based key derivation specification
CRYPTOGRAPHY INDUSTRY STANDARD
OF THE PEOPLE'S REPUBLIC OF CHINA
CCS L 80
Password-based key derivation specification
ISSUED ON: DECEMBER 28, 2020
IMPLEMENTED ON: JULY 01, 2021
Issued by: State Cryptography Administration
Table of Contents
Foreword
1 Scope
2 Normative references
3 Terms and definitions
4 Symbols and abbreviations
5 OID definition
6 Password-based key derivation function
7 Password-based key encryption scheme
7.1 Encryption operation
7.2 Decryption operation
8 Password-based message authentication code
8.1 MAC generation
8.2 MAC verification
Appendix A (Informative) Assistive technology
Appendix B (Normative) ASN.1 grammar
Appendix C (Normative) ASN.1 structure definition
References
Password-based key derivation specification
1 Scope
This document specifies password-based key derivation, including the password-based key derivation function, the password-based key encryption scheme and the password-based message authentication code.
This document applies to keys that are protected by a password while being migrated during certificate and key migration.
2 Normative references
The contents of the following documents constitute the indispensable clauses of this document through normative references in the text. For dated references, only the version corresponding to that date is applicable to this document; for undated references, the latest version (including all amendments) is applicable to this document.
GB/T 15852.2, Information technology - Security techniques - Message Authentication Codes (MACs) - Part 2: Mechanisms using a dedicated hash-function
GB/T 25069-2010, Information security technology glossary
GB/T 32905-2016, Information security techniques - SM3 cryptographic hash algorithm
GB/T 32907-2016, Information security technology - SM4 block cipher
GM/Z 4001, Cryptology terminology
3 Terms and definitions
Terms and definitions determined by GB/T 25069-2010, GM/Z 4001, and the following ones are applicable to this document.
3.1 Algorithm identifier
A symbol that is used to uniquely identify a cryptographic algorithm.
3.2 Key derivation function
random bit string that is not less than 64 bits; the iteration count is not less than 1024 (see A.1 of Appendix A for details).
The password-based key derivation function is mainly used in Chapters 7 and 8. A typical application of the key derivation function (KDF) consists of the following steps:
a) Select a salt S and an iteration count c (see A.1 for the selection principles);
b) Select the length dkLen (in bytes) of the derived key;
c) Apply the KDF to the password P, the salt S, the iteration count c and the key length dkLen to generate a derived key;
d) Output the derived key.
By varying the salt S, any number of keys can be derived from one password; see A.1.
The PBKDF specified in this document uses a pseudo random function PRF (see A.2) to derive the key; the length of the derived key is not limited.

KDF (P, S, c, dkLen)
Option: PRF Pseudo random function (hLen denotes the number of bytes output by the pseudo random function)
Input: P Password, byte string
S Salt, byte string
c Iteration count, positive integer
dkLen Length of the derived key (number of bytes), positive integer, at most (2^32 - 1) × hLen
Output: DK Derived key, a byte string of dkLen bytes
a) If dkLen > (2^32 - 1) × hLen, output "the length of the derived key is too long" and stop;
b) Divide the derived key length dkLen into blocks of hLen bytes, rounding up (a partial final block still counts as a block); let n be the number of blocks and let r be the number of bytes in the last block:
c) Substitute the password P, the salt S, the iteration count c and the sequence number of the block into the function F defined below, to calculate each block of the derived key:
e) In the basic encryption scheme, use the derived key DK to encrypt the message M into the ciphertext C (depending on the basic encryption scheme, this step may involve selecting parameters such as the initialization vector and the padding string);
f) Output the ciphertext C.
The salt S, the iteration count c, the key length dkLen, the key derivation function KDF and the identifier of the basic encryption scheme can be transmitted to the decrypting party in an algorithm identifier (see B.2 of Appendix B).
7.2 Decryption operation
The steps for decrypting the ciphertext C into the message M based on the password P are as follows:
a) Obtain the salt S used in the operation;
b) Obtain the iteration count c of the key derivation function;
c) Obtain the number of bytes dkLen of the derived key in the basic
d) Substitute the password P, the salt S and the iteration count c into the selected key derivation function (see Chapter 6), to obtain a dkLen-byte-long derived key DK:
e) In the basic encryption scheme, use the derived key DK to decrypt the ciphertext C into the message M. If the decryption function outputs "decryption error", output "decryption error" and terminate;
f) Output the decrypted message M.
8 Password-based message authentication code
8.1 MAC generation
The steps for generating the message authentication code T of the message M based on the password P are as follows:
a) Select the key derivation function KDF and the basic message authentication scheme (see A.4);
b) Select a salt S and an iteration count c (see A.1 for the selection principles);
Appendix A (Informative) Assistive technology
A.1 Salt and iteration count
Since the salt and the iteration count are the key techniques of this document, this Appendix discusses them in depth.
In password-based cryptography, for a given password, the salt is used together with the password to generate a key set, from which one key is selected at random according to the salt.
Use the following key derivation function to select a key from the key set:
Where DK is the derived key, P is the password, and S is the salt.
This brings two benefits.
a) It is difficult for the attacker to precompute all possible keys from a password dictionary. For example, if the salt is 64 bits long, each password can derive 2^64 keys. After a password-based operation, even if the salt is known, the attacker can only search over the passwords, not over a table of precomputed keys.
b) The same key is practically never selected twice. If the salt is 64 bits long, then by the "birthday paradox" the probability of a "collision" only becomes significant after about 2^32 keys have been selected. Therefore there is no need to worry that the same key is used repeatedly in encryption and message authentication applications.
For the password-based encryption scheme, when a password is used to derive a key, the encrypting party only needs to choose a sufficiently long, random salt to obtain the above two benefits. The same applies to message authentication. However, it is difficult for the decrypting party or the message verifier to determine whether the salt provided by the other party is really random. In some cases an application may deliberately reuse a salt copied from another password-based operation in order to obtain the same key again. For example, suppose that two legitimate parties
exchange a message that is encrypted through an 80-bit key, where the key is

The iteration count is used to increase the computational cost of deriving a key from the password, and thus the cost of an attack. Computationally, an iteration count c adds log2(c) bits to the effective security strength of the password against trial-based attacks such as brute force or dictionary attacks.
A reasonable value for the iteration count depends on the environment and the application scenario. Within the range acceptable to users, the iteration count c should be as large as possible, so that deriving the key takes as long as possible.
The minimum iteration count recommended in this document is 1024. For deriving a single key the extra cost is negligible, but for an exhaustive attack on the password it is a serious burden. For particularly important keys, or where system performance as perceived by the user is not critical, an iteration count of 10000000 is recommended.
A.2 Pseudo random function
The PBKDF specified in this document uses a PRF to derive the key. The PRF generates a pseudo-random sequence. This Appendix introduces an example of a PRF, HMAC-SM3. The HMAC algorithm is implemented in accordance with GB/T 15852.2.
HMAC-SM3 is a function for calculating a message authentication code based on the SM3 cryptographic hash algorithm; it can be used as a PRF. As when calculating an HMAC, the first parameter of this PRF is used as the "key" of HMAC, the second parameter as the "text" of HMAC, and the output is the full-length hash value. In the PBKDF of this document the "key" is the password and the "text" is the salt. The key length of HMAC-SM3 is variable; the output length is 32 bytes (256 bits).
HMAC-SM3 places no restriction on the key length, but when the key is longer than the 64-byte block size of SM3, HMAC first hashes it to 256 bits. Therefore, even if a very long derived key is obtained from a key through multiple invocations of the pseudo random function, the effective search space of the derived key is at most 256 bits. The object identifier id-hmacWithSM3 identifies the pseudo random function HMAC-SM3:
The parameter field associated with this OID in an AlgorithmIdentifier shall have the type NULL. The object identifier is used in the object set PBKDF-PRFs.
A.3 Basic encryption scheme