GM/T 0091-2020 English PDF (GMT0091-2020)
GM/T 0091-2020: Password-based key derivation specification
GM/T 0091-2020
GM
CRYPTOGRAPHY INDUSTRY STANDARD
OF THE PEOPLE’S REPUBLIC OF CHINA
ICS 35.040
CCS L 80
Password-based key derivation specification
ISSUED ON: DECEMBER 28, 2020
IMPLEMENTED ON: JULY 01, 2021
Issued by: State Cryptography Administration
Table of Contents
Foreword
1 Scope
2 Normative references
3 Terms and definitions
4 Symbols and abbreviations
5 OID definition
6 Password-based key derivation function
7 Password-based key encryption scheme
7.1 Encryption operation
7.2 Decryption operation
8 Password-based message authentication code
8.1 MAC generation
8.2 MAC verification
Appendix A (Informative) Assistive technology
Appendix B (Normative) ASN.1 grammar
Appendix C (Normative) ASN.1 structure definition
References
Password-based key derivation specification
1 Scope
This document specifies password-based key derivation specifications,
including password-based key derivation function, password-based key
encryption scheme, password-based message authentication code.
This document applies to the migrated key which is protected by password
during certificate and key migration.
2 Normative references
The contents of the following documents constitute the indispensable clauses
of this document through normative references in the text. For dated references,
only the version corresponding to that date is applicable to this document; for
undated references, the latest version (including all amendments) is applicable
to this document.
GB/T 15852.2, Information technology - Security techniques - Message
Authentication Codes (MACs) - Part 2: Mechanisms using a dedicated hash-
function
GB/T 25069-2010, Information security technology glossary
GB/T 32905-2016, Information security techniques - SM3 cryptographic hash
algorithm
GB/T 32907-2016, Information security technology - SM4 block cipher
algorithm
GM/Z 4001, Cryptology terminology
3 Terms and definitions
Terms and definitions determined by GB/T 25069-2010, GM/Z 4001, and the
following ones are applicable to this document.
3.1 Algorithm identifier
A symbol that is used to uniquely identify a cryptographic algorithm.
3.2 Key derivation function
random bit string that is not less than 64 bits; the iteration count is not less than
1024 (see A.1 of Appendix A for details).
The password-based key derivation function is mainly used in 7 and 8. The
typical application of the key derivation function (KDF) generally includes the
following steps:
a) Select a salt S and an iteration count c (see A.1 for the selection principle);
b) Select the length of the derived key dkLen (number of bytes);
c) Use the password P, the salt S, the iteration count c, and the key length
dkLen for KDF, to generate a derived key;
d) Output the derived key.
By adjusting the salt S, any number of keys can be derived from a password;
see A.1.
The PBKDF which is specified in this document uses a pseudo random function
PRF (see A.2) to derive the key; the length of the derived key is not limited.
KDF (P, S, c, dkLen)
Option: PRF Pseudo random function (hLen represents the number of bytes that
are output by the pseudo random function)
Input: P Password, byte string
S Salt, byte string
c Iteration count, positive integer.
dkLen Length of the derived key (number of bytes), positive integer, the
maximum is (2^32 - 1) × hLen
Output: DK Derived key, a byte string whose length is dkLen
Steps:
a) If dkLen > (2^32 - 1) × hLen, output "the length of the derived key is too
long" and stop the program;
b) Divide the length of the derived key into blocks according to hLen bytes;
round down; let n be the number of blocks. Let r be the number of bytes
in the last block:
c) Substitute the password P, the salt S, the iteration count c, and the
sequence number of the block into the function F that is defined below, to
calculate each block of the derived key:
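The steps above, worked through in Python as an added example; this is not code from the standard. The preview omits the definition of F and the formulas for n and r, so the code assumes the PBKDF2 construction of RFC 8018 (ceiling block count, XOR of c chained PRF outputs), and HMAC-SHA-256 stands in for the PRF of A.2, which is not shown here. The names `kdf` and `prf_hmac_sha256` are hypothetical.

```python
import hashlib
import hmac
import struct

MIN_SALT_BYTES = 8     # page: salt is a random bit string of at least 64 bits
MIN_ITERATIONS = 1024  # page: iteration count of at least 1024


def prf_hmac_sha256(key: bytes, data: bytes) -> bytes:
    """Stand-in PRF (assumption, not the PRF of A.2): HMAC-SHA-256, hLen = 32."""
    return hmac.new(key, data, hashlib.sha256).digest()


def kdf(P: bytes, S: bytes, c: int, dkLen: int, prf=prf_hmac_sha256, hLen: int = 32) -> bytes:
    """Derive dkLen bytes from password P, salt S and iteration count c."""
    if len(S) < MIN_SALT_BYTES:
        raise ValueError("salt is shorter than 64 bits")
    if c < MIN_ITERATIONS:
        raise ValueError("iteration count is below 1024")
    if dkLen < 1:
        raise ValueError("dkLen must be a positive integer")
    # Step a): reject over-long requests before doing any work.
    if dkLen > (2**32 - 1) * hLen:
        raise ValueError("the length of the derived key is too long")
    # Step b): n blocks of hLen bytes, r bytes kept from the last block
    # (ceiling division, as in PBKDF2; assumption, formula not on the page).
    n = -(-dkLen // hLen)
    r = dkLen - (n - 1) * hLen
    # Step c): F(P, S, c, i) = U_1 xor ... xor U_c, with U_1 = PRF(P, S || INT(i))
    # and U_j = PRF(P, U_{j-1}); INT(i) is the 4-byte big-endian block index.
    blocks = []
    for i in range(1, n + 1):
        u = prf(P, S + struct.pack(">I", i))
        t = int.from_bytes(u, "big")
        for _ in range(c - 1):
            u = prf(P, u)
            t ^= int.from_bytes(u, "big")
        blocks.append(t.to_bytes(hLen, "big"))
    blocks[-1] = blocks[-1][:r]
    return b"".join(blocks)


if __name__ == "__main__":
    # Constructed sample inputs; a real salt comes from a CSPRNG such as os.urandom(8).
    dk = kdf(b"constructed password", bytes(range(8)), 1024, 48)
    print(dk.hex())
```

Passing a different `prf` and `hLen` swaps the pseudo random function without touching the block logic.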
e) In the basic encryption scheme, use the derived key DK to encrypt the
message M into ciphertext C; (according to the difference of the basic
encryption scheme, this step may involve the selection of parameters such
as the initial vector and the padding string)
f) Output the ciphertext C.
The salt S, the iteration count c, the key length dkLen, the key derivation
function KDF and the identifier of the basic encryption scheme can be
transmitted to the decryption party through an algorithm identification
(according to B.2 of Appendix B).
7.2 Decryption operation
The steps for decrypting ciphertext C into message M based on password P
are as follows:
a) Obtain the salt S in the operation;
b) Obtain the iteration count c in the key derivation function;
c) Obtain the number of bytes dkLen of the derived key in the basic
encryption scheme;
d) Substitute the password P, the salt S, and the iteration count c into the
selected key derivation function (see Chapter 6), to obtain a dkLen-byte-
long derived key DK:
e) In the basic encryption scheme, use the derived key DK to decrypt the
ciphertext C into the message M. If the decryption function outputs
"decryption error", output "decryption error" and terminate the program;
f) Output the decrypted message M.
8 Password-based message authentication code
8.1 MAC generation
The specific steps for generating the message authentication code T of the
message M based on the password P are as follows:
a) Select the key derivation function KDF and the basic message
authentication scheme (see A.4);
b) Select a salt S and an iteration count c (see A.1 for the selection principle);
Appendix A
(Informative)
Assistive technology
A.1 Salt and iteration count
A.1.1 Salt
Since the salt and the iteration count are the key technologies of this document,
this Appendix discusses them in depth.
In password-based cryptography, for a given password, the salt is often used
together with the password to generate a key set, from which one key is
selected at random according to the salt.
Use the following key derivation function to select a key from the key set:
Where DK is the derived key, P is the password, and S is the salt.
This will bring two benefits.
a) It is difficult for the attacker to calculate all possible keys based on the
password dictionary. For example, assume that the length of the salt is 64
bits; each password can then derive 2^64 keys. After a password-based
operation, even if the salt is known, the attacker can only search for the
password.
b) It is very unlikely that the same key is selected twice. If the length of
the salt is 64 bits, then according to the "birthday paradox" the probability
of a "collision" increases significantly only after 2^32 keys are selected.
Therefore, there is no need to worry that the same key is used repeatedly
in some encryption and message authentication applications.
For the password-based encryption scheme, when a password is used to derive
a key, the encryption party only needs to choose a very long, random salt to
meet the above two points. This also applies to message authentication.
However, it is difficult for the decryption party or the message verifier to
determine whether the salt which is provided by the other party is random. In
some cases, the application may use the salt that is copied fro...