rfc9337.original.xml   rfc9337.xml 
<?xml version='1.0' encoding='utf-8'?> <?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE rfc [ <!DOCTYPE rfc [
<!ENTITY nbsp "&#160;"> <!ENTITY nbsp "&#160;">
<!ENTITY zwsp "&#8203;"> <!ENTITY zwsp "&#8203;">
<!ENTITY nbhy "&#8209;"> <!ENTITY nbhy "&#8209;">
<!ENTITY wj "&#8288;"> <!ENTITY wj "&#8288;">
]> ]>
<?xml-stylesheet type='text/xsl' href='rfc2629.xslt' ?>
<?rfc toc="yes"?> <rfc xmlns:xi="http://www.w3.org/2001/XInclude" submissionType="independent" cat
<!-- generate a table of contents --> egory="info" docName="draft-pkcs5-gost-09" number="9337" ipr="trust200902" tocIn
<?rfc tocdepth="4"?> clude="true" tocDepth="4" symRefs="true" sortRefs="true" updates="" obsoletes=""
<!-- the number of levels of subsections in ToC. default: 3 --> xml:lang="en" version="3">
<?rfc symrefs="yes"?>
<!-- use symbolic references tags, i.e, [RFC2119] instead of [1] -->
<?rfc sortrefs="yes" ?>
<!-- sort the reference entries alphabetically -->
<?rfc compact="no" ?>
<!-- do start each main section on a new page -->
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" category="info" docName="draft-p
kcs5-gost-09" ipr="trust200902" tocInclude="true" tocDepth="4" symRefs="true" so
rtRefs="true" version="3">
<!-- xml2rfc v2v3 conversion 3.12.10 --> <!-- xml2rfc v2v3 conversion 3.12.10 -->
<front> <front>
<title abbrev="GOST Password-based Keys"> <title abbrev="GOST Password-Based Keys">
Generating Password-based Keys Using the GOST Algorithms Generating Password-Based Keys Using the GOST Algorithms
</title> </title>
<seriesInfo name="Internet-Draft" value="draft-pkcs5-gost-09"/> <seriesInfo name="RFC" value="9337"/>
<author fullname="Karelina Ekaterina" initials="E.K." role="editor" surname=
"Karelina"> <author fullname="Ekaterina Karelina" initials="E." role="editor" surname="K
arelina">
<organization>InfoTeCS</organization> <organization>InfoTeCS</organization>
<address> <address>
<postal> <postal>
<street>2B stroenie 1, ul. Otradnaya </street> <street>2B stroenie 1, ul. Otradnaya</street>
<city>Moscow</city> <city>Moscow</city>
<code>127273</code> <code>127273</code>
<country>Russian Federation</country> <country>Russian Federation</country>
</postal> </postal>
<phone>+7 (495) 737-61-92</phone>
<email>Ekaterina.Karelina@infotecs.ru</email> <email>Ekaterina.Karelina@infotecs.ru</email>
</address> </address>
</author> </author>
<date year="2022"/> <date year="2022" month="December"/>
<!--&#1077;&#1089;&#1083;&#1080; &#1085;&#1077; &#1091;&#1082;&#1072;&#1079; <keyword>password-based cryptography, derived key, GOST algorithms, pkcs5, gost<
&#1099;&#1074;&#1072;&#1077;&#1084; &#1095;&#1080;&#1089;&#1083;&#1086; &#1080; /keyword>
&#1084;&#1077;&#1089;&#1103;&#1094;, &#1086;&#1085;&#1080; &#1087;&#1086;&#1076;
&#1089;&#1090;&#1072;&#1074;&#1083;&#1103;&#1102;&#1090;&#1089;&#1103; &#1072;&# <abstract>
1074;&#1090;&#1086;&#1084;&#1072;&#1090;&#1080;&#1095;&#1077;&#1089;&#1082;&#108 <t> This document specifies how to use "PKCS #5: Password-Based Cryptography S
0;--> pecification Version 2.1" (RFC 8018) to generate a symmetric key from a password
<area>General</area> in conjunction with the
<!--&#1082;&#1072;&#1082; &#1074; rfc7748--> Russian national standard GOST algorithms.
<workgroup>Network Working Group</workgroup>
<keyword/>
<abstract>
<t>
This document specifies how to use the Password-Based Cryptography
Specification version 2.1 (PKCS #5) defined in RFC8018 to generate a
symmetric key from a
password in conjunction with the Russian national standard GOST algo
rithms.
</t> </t>
<t> <t>
PKCS #5 applies a pseudorandom function (a cryptographic hash, ciphe PKCS #5 applies a Pseudorandom Function (PRF) -- a cryptographic has
r, or HMAC) h,
to the input password along with a salt value and repeats the proces cipher, or Hash-Based Message Authentication Code (HMAC) -- to the
s many times input password along with a salt value and repeats the process
to produce a derived key. many times to produce a derived key.
</t> </t>
<t> <t>
This specification is developed outside the IETF and is published to This specification has been developed outside the IETF. The purpose of publication being to
facilitate interoperable implementations that wish to support the facilitate interoperable implementations that wish to support the
GOST algorithms. This document does not imply IETF endorsement of GOST algorithms. This document does not imply IETF endorsement of t
the cryptographic algorithms used in this document. he cryptographic algorithms
used here.
</t> </t>
</abstract> </abstract>
</front> </front>
<middle> <middle>
<section anchor="Introduction"> <section anchor="Introduction">
<name>Introduction</name> <name>Introduction</name>
<t> <t>
This document provides a specification of usage of GOST R 34.12-2015 This document provides a specification of usage of GOST R
encryption algorithms and the GOST 34.12-2015 encryption algorithms and the GOST R 34.11-2012 hashing
R 34.11-2012 hashing functions with PKCS #5. functions with PKCS #5. The methods described in this document are d
esigned to generate
The methods described in this document are designed to generate key key information using the user's password and to protect
information using the user's password and to protect information using the gener information using the generated keys.
ated keys.
</t> </t>
</section> </section>
<section> <section>
<name>Conventions Used in This Document</name> <name>Conventions Used in This Document</name>
<t> <t>
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NO The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQU
T", "SHOULD", "SHOULD NOT", IRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL
"RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>
document are to be interpreted RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>",
as described in BCP 14 <xref target="RFC2119"/> <xref target="RF "<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to
C8174"/> when, and only when, be interpreted as
they appear in all capitals, as shown here. described in BCP&nbsp;14 <xref target="RFC2119"/> <xref target="RFC8174"/>
</t> when, and only when, they appear in all capitals, as shown here.
</t>
</section> </section>
<section anchor="Definition"> <section anchor="Definition">
<name>Basic Terms and Definitions</name> <name>Basic Terms and Definitions</name>
<t> <t>
Throughout this document, the following notation is used: Throughout this document, the following notation is used:
</t> </t>
<table align="center"> <table align="center">
<name>Terms and Definitions</name>
<thead> <thead>
<tr> <tr>
<th>Notation</th> <th>Notation</th>
<th>Definition</th> <th>Definition</th>
</tr> </tr>
</thead> </thead>
<tbody> <tbody>
<tr> <tr>
<td align="left">P</td> <td align="left">P</td>
<td align="left">a password encoded as a Unicode UTF-8 string</td> <td align="left">a password encoded as a Unicode UTF-8 string</td>
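Review bot: In the abstract's third paragraph, the new right-hand text "The purpose of publication being to facilitate interoperable implementations that wish to support the GOST algorithms." is a sentence fragment with no finite verb. Suggest "It is published to facilitate interoperable implementations ...", which keeps the meaning of the left-hand wording. The new rfc element also carries empty updates="" and obsoletes="" attributes; drop them unless the toolchain requires them.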
skipping to change at line 117 skipping to change at line 109
</tr> </tr>
<tr> <tr>
<td align="left">dkLen</td> <td align="left">dkLen</td>
<td align="left">a length in octets of derived key, a positive integ er</td> <td align="left">a length in octets of derived key, a positive integ er</td>
</tr> </tr>
<tr> <tr>
<td align="left">DK</td> <td align="left">DK</td>
<td align="left">a derived key of length dkLen</td> <td align="left">a derived key of length dkLen</td>
</tr> </tr>
<tr> <tr>
<td align="left">B_n</td> <td align="left">B<sub>n</sub></td>
<td align="left"> <td align="left">
a set of all octet strings of length n, n &gt;= 0; a set of all octet strings of length n, n &gt;= 0;
if n = 0, then the set B_n consists of an empty string of length 0</ td> if n = 0, then the set B<sub>n</sub> consists of an empty string of length 0</td>
</tr> </tr>
<tr> <tr>
<td align="left">A||C</td> <td align="left">A||C</td>
<td align="left">a concatenation of two octet strings A, C, i.e., a <td align="left">a concatenation of two octet strings A, C, i.e.,
vector from B_(|A|+|C|), where the left subvector from B_(|A|) a vector from B<sub>|A|+|C|</sub>, where the left subvector from B<s
is equal to the vector A and the right subvector from B_(|C|) is equ ub>|A|</sub>
al to the vector C: is equal to the vector A and the right subvector from B<sub>|C|</sub
A = (a_(n_1),...,a_1) in B_(n_1) and > is
C = (c_(n_2),..., c_1) in B_(n_2), equal to the vector C: A = (a<sub>n<sub>1</sub></sub>,...,a<sub>1</s
res = (a_(n_1),...,a_1,c_(n_2),..., c_1) in B_(n_1 + n_2);</td> ub>) in B<sub>n<sub>1</sub></sub> and C =
(c<sub>n<sub>2</sub></sub>,..., c<sub>1</sub>) in B<sub>n<sub>2</sub
></sub>, res = (a<sub>n<sub>1</sub></sub>,...,a<sub>1</sub>,c<sub>n<sub>2</sub><
/sub>,...,
c<sub>1</sub>) in B<sub>n<sub>1</sub>+n<sub>2</sub></sub>)</td>
</tr> </tr>
<tr> <tr>
<td align="left">\xor</td> <td align="left">\xor</td>
<td align="left">a bit-wise exclusive-or of two octet strings of the same length</td> <td align="left">a bit-wise exclusive-or of two octet strings of the same length</td>
</tr> </tr>
<tr> <tr>
<td align="left">MSB^n_r: B_n -&gt; B_r</td> <td align="left">MSB<sup>n</sup><sub>r</sub>: B<sub>n</sub> -&gt; B<
<td align="left">a truncating of an octet string to size r by removi sub>r</sub></td>
ng the least significant n-r octets: <td align="left">a truncating of an octet string to size r by
MSB^n_r(a_n,...,a_(n-r+1),a_(n-r),...,a_1) removing the least significant n-r octets:
=(a_n,...,a_(n-r+1)); MSB<sup>n</sup><sub>r</sub>(a<sub>n</sub>,...,a<sub>n-r+1</sub>,a<su
b>n-r</sub>,...,a<sub>1</sub>) =(a<sub>n</sub>,...,a<sub>n-r+1</sub>)
</td> </td>
</tr> </tr>
<tr> <tr>
<td align="left">LSB^n_r: B_n -&gt; B_r</td> <td align="left">LSB<sup>n</sup><sub>r</sub>: B<sub>n</sub> -&gt; B<
<td align="left">a truncating of a octet string to size r by removin sub>r</sub></td>
g the most significant n-r octets: <td align="left">a truncating of an octet string to size r by
LSB^n_r(a_n,...,a_(n-r+1),a_(n-r),...,a_1) removing the most significant n-r octets:
=(a_r,...,a_1) LSB<sup>n</sup><sub>r</sub>(a<sub>n</sub>,...,a<sub>n-r+1</sub>,a<su
b>n-r</sub>,...,a<sub>1</sub>) =(a<sub>r</sub>,...,a<sub>1</sub>)
</td> </td>
</tr> </tr>
<tr> <tr>
<td align="left">Int(i)</td> <td align="left">Int(i)</td>
<td align="left">a four-octet encoding of the integer i =&lt; 2^32: <td align="left">a four-octet encoding of the integer i =&lt; 2<sup>
(i_1, i_2, i_3, i_4) in B_4, i = i_1 + 2^8 * i_2 + 2^16 * i_3 + 2^24 * i_4</td> 32</sup>: (i<sub>1</sub>, i<sub>2</sub>, i<sub>3</sub>, i<sub>4</sub>) in B<sub>
4</sub>, i = i<sub>1</sub> + 2<sup>8</sup> * i<sub>2</sub> +
2<sup>16</sup> * i<sub>3</sub> + 2<sup>24</sup> * i<sub>4</sub></td>
</tr> </tr>
<tr> <tr>
<td align="left">b[i, j]</td> <td align="left">b[i, j]</td>
<td align="left">a substring extraction operator: extracts octets i through j, 0 =&lt; i =&lt; j.</td> <td align="left">a substring extraction operator, extracts octets i through j, 0 =&lt; i =&lt; j</td>
</tr> </tr>
<tr> <tr>
<td align="left">CEIL(x)</td> <td align="left">CEIL(x)</td>
<td align="left">the smallest integer greater than, or equal to, x</ td> <td align="left">the smallest integer greater than or equal to x</td >
</tr> </tr>
</tbody> </tbody>
</table> </table>
<t> <t>
This document uses the following abbreviations and symbols:</t> This document uses the following abbreviations and symbols:</t>
<table align="center"> <table align="center">
<name>Abbreviations and Symbols</name>
<thead> <thead>
<tr> <tr>
<th align="left"/> <th>Abbreviations and Symbols</th>
<th align="left"/> <th>Definition</th>
</tr> </tr>
</thead> </thead>
<tbody> <tbody>
<tr> <tr>
<td align="left">HMAC_GOSTR3411</td> <td align="left">HMAC_GOSTR3411</td>
<td align="left">Hashed-based Message Authentication Code. A functio <td align="left">Hashed-Based Message Authentication Code. A
n for calculating a message authentication code, function for calculating a Message Authentication Code (MAC) based
based on the GOST R 34.11-2012 hash function (<xref target="RFC6986" on the GOST R 34.11-2012 hash function (see <xref
/>) with 512-bit output in accordance with <xref target="RFC2104"/>.</td> target="RFC6986"/>) with 512-bit output in accordance with <xref
target="RFC2104"/>.</td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</section> </section>
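Review bot: The HMAC_GOSTR3411 row on the right expands the abbreviation as "Hashed-Based Message Authentication Code", while the revised abstract spells it "Hash-Based Message Authentication Code (HMAC)". Use one form in both places.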
<section anchor="Algorithm"> <section anchor="Algorithm">
<name>Algorithm For Generating a Key From a Password</name> <name>Algorithm for Generating a Key from a Password</name>
<t> <t>
The DK key is calculated by means of a key derivation function PBKDF The DK is calculated by means of a key derivation function
2(P, S, c, dkLen) <xref target="RFC8018"/>, section 5.2 using the PBKDF2 (P, S, c, dkLen) (see <xref target="RFC8018"
HMAC_GOSTR3411 function as the PRF pseudo-random function: sectionFormat="comma" section="5.2"/>) using the HMAC_GOSTR3411
function as the PRF:
</t>
<t indent="6">
DK = PBKDF2 (P, S, c, dkLen).
</t> </t>
<ul empty="true" spacing="normal">
<li>DK = PBKDF2(P,S,c,dkLen).</li>
</ul>
<t> <t>
The PBKDF2 function is defined as the following algorithm: The PBKDF2 function is defined as the following algorithm:
</t> </t>
<ol spacing="normal" type="1"><li> <ol spacing="normal" type="1"><li>
If dkLen &gt; (2^32 - 1) * 64, output "derived key too long" and sto p. If dkLen &gt; (2<sup>32</sup> - 1) * 64, output "derived key too lon g" and stop.
</li> </li>
<li> <li>
Calculate n = CEIL(dkLen / 64). Calculate n = CEIL (dkLen / 64).
</li> </li>
<li> <li>
<t> <t>
Calculate a set of values for each i from 1 to n: Calculate a set of values for each i from 1 to n:
</t> </t>
<ul empty="true" spacing="normal"> <ul empty="true" spacing="normal">
<li>U_1(i) = HMAC_GOSTR3411 (P, S || INT (i))</li> <li>U<sub>1</sub>(i) = HMAC_GOSTR3411 (P, S || INT (i)),</li>
<li>U_2(i) = HMAC_GOSTR3411 (P, U_1(i))</li> <li>U<sub>2</sub>(i) = HMAC_GOSTR3411 (P, U<sub>1</sub>(i)),</li>
<li>...</li> <li>...</li>
<li>U_c(i) = HMAC_GOSTR3411 (P, U_{c-1}(i))</li> <li>U<sub>c</sub>(i) = HMAC_GOSTR3411 (P, U<sub>c-1</sub>(i)),</li>
<li>T(i) = U_1(i) \xor U_2(i) \xor ... \xor U_c(i)</li> <li>T(i) = U<sub>1</sub>(i) \xor U<sub>2</sub>(i) \xor ... \xor U<su
b>c</sub>(i).</li>
</ul> </ul>
</li> </li>
<li> <li>
<t> <t>
Concatenate the octet strings T(i) and extract the first dkLen octet s to Concatenate the octet strings T(i) and extract the first dkLen octet s to
produce a derived key DK: produce a derived key DK:
</t> </t>
<ul empty="true" spacing="normal"> <ul spacing="normal">
<li>DK = MSB^{n * 64}_dkLen(T(1)||T(2)||...||T(n))</li> <li>DK = MSB<sup>n * 64</sup><sub>dkLen</sub>(T(1)||T(2)||...||T(n))
</li>
</ul> </ul>
</li> </li>
</ol> </ol>
</section> </section>
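Review bot: Step 3 writes the block index encoding as INT (i), but the notation table defines it as Int(i); pick one spelling so readers do not look for a second function. The table's bound i =< 2^32 is also one too large: step 1 limits n to 2^32 - 1, which is the most a four-octet encoding can hold, so the table row should read i < 2^32.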
<section anchor="Encryption"> <section anchor="Encryption">
<name>Data Encryption</name> <name>Data Encryption</name>
<section anchor="GOST-34.12-2015"> <section anchor="GOST-34.12-2015">
<name>GOST R 34.12-2015 Data Encryption</name> <name>GOST R 34.12-2015 Data Encryption</name>
<t>Data encryption using the DK key is carried out in accordance with th <t>Data encryption using the DK is carried out in accordance with the PB
e PBES2 scheme (see <xref target="RFC8018"/>, ES2 scheme (see <xref target="RFC8018" sectionFormat="comma" section="6.2"/>) us
section 6.2) using GOST R 34.12-2015 in CTR_ACPKM mode (see <xref ta ing GOST R 34.12-2015 in CTR_ACPKM mode (see <xref target="RFC8645"/>).</t>
rget="RFC8645"/>).</t>
<section anchor="Enc_GOST-34.12-2015"> <section anchor="Enc_GOST-34.12-2015">
<name>Encryption</name> <name>Encryption</name>
<t> <t>
The encryption process for PBES2 consists of the following steps The encryption process for PBES2 consists of the following
: steps:
</t> </t>
<ol spacing="normal" type="1"><li>Select the random value S of length from 8 to 32 octets.</li> <ol spacing="normal" type="1"><li>Select the random value S of a lengt h from 8 to 32 octets.</li>
<li>Select the iteration count c depending on the conditions of use (see <xref target="GostPkcs5"/>). <li>Select the iteration count c depending on the conditions of use (see <xref target="GostPkcs5"/>).
The minimum allowable value for the parameter is 1000.</li> The minimum allowable value for the parameter is 1000.</li>
<li>Set the value dkLen = 32.</li> <li>Set the value dkLen = 32.</li>
<li>
<t>Apply the key derivation function to the password P, the random <li>
value S and the iteration count c <t>Apply the key derivation function to the password P, the
to produce a derived key DK of length dkLen octets in accordance random value S, and the iteration count c to produce a derived
with the algorithm from <xref target="Algorithm"/>. key DK of length dkLen octets in accordance with the algorithm
Generate the sequence T(1) and truncate it to 32 octets, i.e., from <xref target="Algorithm"/>.
</t> Generate the sequence T(1) and
<ul empty="true" spacing="normal"> truncate it to 32 octets, i.e.,</t>
<li>DK = PBKDF2(P,S,c,32) = MSB^64_32(T(1)).</li> <ul empty="true">
</ul> <li>DK = PBKDF2 (P, S, c, 32) =
</li> MSB<sup>64</sup><sub>32</sub>(T(1)).</li></ul></li>
<li> <li>
<t>Generate the random value ukm of size n, where n takes a value <t>Generate the random value ukm of size n, where n takes a
of 12 or 16 octets, depending on the selected encryption algorithm: value of 12 or 16 octets depending on the selected encryption
algorithm:
</t> </t>
<ul empty="true" spacing="normal"> <ul spacing="normal">
<li>GOST R 34.12-2015 "Kuznyechik" n = 16 (see <xref target="R FC7801"/>)</li> <li>GOST R 34.12-2015 "Kuznyechik" n = 16 (see <xref target="R FC7801"/>)</li>
<li>GOST R 34.12-2015 "Magma" n = 12 (see <xref target="RFC8891" />)</li> <li>GOST R 34.12-2015 "Magma" n = 12 (see <xref target="RFC8891" />)</li>
</ul> </ul>
</li> </li>
<li>Set the value S' = ukm[1..n-8]</li> <li>Set the value S' = ukm[1..n-8].</li> <li>For the
<li>For id-gostr3412-2015-magma-ctracpkm and id-gostr3412-2015-kuzny id-gostr3412-2015-magma-ctracpkm and
echik-ctracpkm algorithms (see <xref target="ParamGost3412-2015"/>) id-gostr3412-2015-kuznyechik-ctracpkm algorithms (see <xref
encrypt the message M with GOST R 34.12-2015 algorithm with the target="ParamGost3412-2015"/>), encrypt the message M with the GOST
derived key DK and the random value S' to produce a ciphertext C.</li> R
34.12-2015 algorithm with the derived key DK and the random value
S' to produce a ciphertext C.</li>
<li> <li>
<t>For id-gostr3412-2015-magma-ctracpkm-omac and id-gostr3412-2015 <t>For the id-gostr3412-2015-magma-ctracpkm-omac and
-kuznyechik-ctracpkm-omac algorithms (see <xref target="ParamGost3412-2015"/>) id-gostr3412-2015-kuznyechik-ctracpkm-omac algorithms (see <xref
encrypt the message M with GOST R 34.12-2015 algorithm with the target="ParamGost3412-2015"/>), encrypt the message M with the GOS
derived key DK and the ukm in accordance with the following steps: T R
34.12-2015 algorithm with the derived key DK and the ukm in
accordance with the following steps:
</t> </t>
<ul empty="true" spacing="normal"> <ul spacing="normal">
<li> <li>
<t>- Generate two keys from the derived key DK using the KDF_T <t>Generate two keys from the derived key DK using the
REE_GOSTR3411_2012_256 algorithm (see <xref target="RFC7836"/>): KDF_TREE_GOSTR3411_2012_256 algorithm (see <xref
target="RFC7836"/>):
</t> </t>
<ul empty="true" spacing="normal"> <t indent="3">encryption key K(1)</t>
<li>encryption key K(1)</li> <t indent="3">MAC key K(2)</t>
<li>MAC key K(2).</li>
</ul> <t>
<t> Input parameters for the KDF_TREE_GOSTR3411_2012_256
Input parameters for the KDF_TREE_GOSTR3411_2012_256 algorit algorithm take the following values:
hm take the folowing values:
</t> </t>
<ul empty="true" spacing="normal"> <t indent="3">K<sub>in</sub> = DK</t>
<li>K_in = DK</li> <t indent="3">label = "kdf tree" (8 octets)</t>
<li>label = "kdf tree" (8 octets)</li> <t indent="3">seed = ukm[n-7..n]</t>
<li>seed = ukm[n-7..n]</li> <t indent="3">R = 1</t>
<li>R = 1</li> <t>
</ul> The input string label above is encoded using ASCII (see <xr
<t> ef target="RFC0020"/>).
The input string label above is encoded using ASCII ( <xref
target="RFC0020"/> ).
</t> </t>
</li> </li>
<li> - Compute MAC for the message M using the K(2) key in accor <li>Compute the MAC for the message M using the K(2) key in acco
dance with GOST R 34.12-2015 algorithm. Append the computed MAC value to the mes rdance with the GOST R 34.12-2015 algorithm.
sage M: M||MAC.</li> Append the computed MAC value to the message M: M||MAC.</li>
<li> - Encrypt the resulting octet string with MAC with GOST R 3 <li>Encrypt the resulting octet string with MAC with the GOST R
4.12-2015 algorithm with the derived key K(1) and the random value S' to produce 34.12-2015 algorithm with the derived key
a ciphertext C.</li> K(1) and the random value S' to produce a ciphertext C.</li>
</ul> </ul>
</li> </li>
<li>Serialize the parameters S, c, ukm as algorithm parameters in ac <li>Serialize the parameters S, c, and ukm as algorithm parameters in accordance
cordance with <xref target="PBES2"/>.</li> with <xref
target="PBES2"/>.</li>
</ol> </ol>
</section> </section>
<section anchor="Dec_GOST-34.12-2015"> <section anchor="Dec_GOST-34.12-2015">
<name>Decryption</name> <name>Decryption</name>
<t> <t>
The decryption process for PBES2 consists of the following steps The decryption process for PBES2 consists of the following
: steps:
</t> </t>
<ol spacing="normal" type="1"><li>Set the value dkLen = 32.</li> <ol spacing="normal" type="1"><li>Set the value dkLen = 32.</li>
<li>Apply the key derivation function PBKDF2 to the password P, the <li>Apply the key derivation function PBKDF2 to the password P,
random value S and the iteration count c the random value S, and the iteration count c to produce a derived
to produce a derived key DK of length dkLen octets in accordance key DK of length dkLen octets in accordance with the algorithm
with the algorithm from <xref target="Algorithm"/>. from <xref target="Algorithm"/>. Generate the sequence T(1) and
Generate the sequence T(1) and truncate it to 32 octets, i.e., D truncate it to 32 octets, i.e., DK = PBKFD2 (P, S, c, 32) =
K = PBKFD2(P,S,c,32) = MSB^64_32(T(1)).</li> MSB<sup>64</sup><sub>32</sub>(T(1)).</li>
<li>Set the value S' = ukm[1..n-8], where n is the size of ukm in oc <li>Set the value S' = ukm[1..n-8], where n is the size of ukm in
tets.</li> octets.</li>
<li>For id-gostr3412-2015-magma-ctracpkm and id-gostr3412-2015-kuzny <li>For the id-gostr3412-2015-magma-ctracpkm and
echik-ctracpkm algorithms (see <xref target="ParamGost3412-2015"/>) id-gostr3412-2015-kuznyechik-ctracpkm algorithms (see <xref
decrypt the ciphertext C with GOST R 34.12-2015 algorithm with t target="ParamGost3412-2015"/>), decrypt the ciphertext C with the GO
he derived key DK and the random value S' to produce the message M.</li> ST
R 34.12-2015 algorithm with the derived key DK and the random
value S' to produce the message M.</li>
<li> <li>
<t>For id-gostr3412-2015-magma-ctracpkm-omac and id-gostr3412-2015 <t>For id-gostr3412-2015-magma-ctracpkm-omac and
-kuznyechik-ctracpkm-omac algorithms (see <xref target="ParamGost3412-2015"/>) id-gostr3412-2015-kuznyechik-ctracpkm-omac algorithms (see <xref
decrypt the ciphertext C with GOST R 34.12-2015 algorithm with t target="ParamGost3412-2015"/>), decrypt the ciphertext C with the
he derived key DK and the ukm in accordance with the following steps: GOST R 34.12-2015 algorithm with the derived key DK and the ukm
in accordance with the following steps:
</t> </t>
<ul empty="true" spacing="normal"> <ul spacing="normal">
<li> <li>
<t>- Generate two keys from the derived key DK using the KDF_T <t>Generate two keys from the derived key DK using the
REE_GOSTR3411_2012_256 algorithm: KDF_TREE_GOSTR3411_2012_256 algorithm:
</t> </t>
<ul empty="true" spacing="normal"> <t indent="3">encryption key K(1)</t>
<li>encryption key K(1)</li> <t indent="3">MAC key K(2)</t>
<li>MAC key K(2).</li>
</ul>
<t> <t>
Input parameters for the KDF_TREE_GOSTR3411_2012_256 algorit Input parameters for the KDF_TREE_GOSTR3411_2012_256
hm take the folowing values: algorithm take the following values:
</t> </t>
<ul empty="true" spacing="normal">
<li>K_in = DK</li> <t indent="3">K<sub>in</sub> = DK</t>
<li>label = "kdf tree" (8 octets)</li> <t indent="3">label = "kdf tree" (8 octets)</t>
<li>seed = ukm[n-7..n]</li> <t indent="3">seed = ukm[n-7..n]</t>
<li>R = 1</li> <t indent="3">R = 1</t>
</ul> <t>
<t> The input string label above is encoded using ASCII (see <xr
The input string label above is encoded using ASCII ( <xref ef target="RFC0020"/>).
target="RFC0020"/> ).
</t> </t>
</li> </li>
<li> - Decrypt the ciphertext C with GOST R 34.12-2015 algorithm <li>Decrypt the ciphertext C with the GOST R 34.12-2015
with the derived key K(1) and the random value S' to produce the plaintext. algorithm with the derived key K(1) and the random value S' to
The last k octets of the text are the message authentication produce the plaintext. The last k octets of the text are the MA
code MAC', where k depends on the selected encryption algorithm.</li> C, where k depends on the
<li> - Compute MAC for the text[1..m - k] using the K(2) key in selected encryption algorithm.</li>
accordance with GOST R 34.12-2015 algorithm, where m is the size of text.</li> <li>Compute the MAC for the text[1..m - k] using the K(2) key
<li> - Compare the original message authentication code MAC and in accordance with GOST R 34.12-2015 algorithm, where m is the
the receiving message authentication code MAC'. size of text.</li>
If the sizes or values do not match, the message is distorte <li>Compare the computing MAC
d.</li> and the receiving MAC. If the
</ul> sizes or values do not match, the message is distorted.</li>
</li> </ul>
</li>
</ol> </ol>
</section> </section>
</section> </section>
</section> </section>
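Review bot: In the decryption steps for the -omac algorithms, the right-hand text drops the MAC' symbol and now says "Compare the computing MAC and the receiving MAC", which no longer tells the reader which value was recomputed over text[1..m - k] and which was taken from the last k octets of the decrypted text. Suggest "Compare the computed MAC with the received MAC", keeping two distinct names for the two values, and stating that M is not returned when the comparison fails. Decryption step 2 also still reads "DK = PBKFD2 (P, S, c, 32)" on both sides; it should be PBKDF2.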
<section anchor="Integrity"> <section anchor="Integrity">
<name>Message Authentication</name> <name>Message Authentication</name>
<t>PBMAC1 scheme is used for message authentication (see <xref target="RFC <t>The PBMAC1 scheme is used for message authentication (see <xref target=
8018"/>, section 7.1). "RFC8018" sectionFormat="comma" section="7.1"/>).
This scheme bases on the HMAC_GOSTR3411 function.</t> This scheme is based on the HMAC_GOSTR3411 function.</t>
<section anchor="MAC_generation"> <section anchor="MAC_generation">
<name>MAC Generation</name> <name>MAC Generation</name>
<t>The MAC generation operation for PBMAC1 consists of the following ste ps: <t>The MAC generation operation for PBMAC1 consists of the following ste ps:
</t> </t>
<ol spacing="normal" type="1"><li>Select the random value S of length fr om 8 to 32 octets.</li> <ol spacing="normal" type="1"><li>Select the random value S of a length from 8 to 32 octets.</li>
<li>Select the iteration count c depending on the conditions of use (s ee <xref target="GostPkcs5"/>). <li>Select the iteration count c depending on the conditions of use (s ee <xref target="GostPkcs5"/>).
The minimum allowable value for the parameter is 1000.</li> The minimum allowable value for the parameter is 1000.</li>
<li>Set the dkLen to at least 32 octets. It depends on previous parame <li>Set the dkLen to at least 32 octets. The number of octets depends
ter values.</li> on previous parameter values.</li>
<li>Apply the key derivation function to the password P, the random va <li>Apply the key derivation function to the password P, the random
lue S and the iteration count c value S, and the iteration count c to generate a sequence K of
to generate a sequence K of length dkLen octets in accordance with t length dkLen octets in accordance with the algorithm from <xref
he algorithm from <xref target="Algorithm"/>. </li> target="Algorithm"/>. </li>
<li>Truncate the sequence K to 32 octets to get the derived key DK, i. <li>Truncate the sequence K to 32 octets to get the derived key DK, i.
e., DK = LSB^dkLen_32(K).</li> e., DK = LSB<sup>dkLen</sup><sub>32</sub>(K).</li>
<li>Process the message M with the underlying message authentication s cheme with the derived key DK to generate a message authentication code T.</li> <li>Process the message M with the underlying message authentication s cheme with the derived key DK to generate a message authentication code T.</li>
<li>Save the parameters S, c as algorithm parameters in accordance wit h <xref target="PBMAC1"/>.</li> <li>Save the parameters S and c as algorithm parameters in accordance with <xref target="PBMAC1"/>.</li>
</ol> </ol>
</section> </section>
<section anchor="MAC_verification"> <section anchor="MAC_verification">
<name>MAC Verification</name> <name>MAC Verification</name>
<t>The MAC verification operation for PBMAC1 consists of the following s teps: <t>The MAC verification operation for PBMAC1 consists of the following s teps:
</t> </t>
<ol spacing="normal" type="1"><li>Set the dkLen to at least 32 octets. I <ol spacing="normal" type="1"><li>Set the dkLen to at least 32 octets. T
t depends on previous parameter values.</li> he number of octets depends on previous parameter values.</li>
<li>Apply the key derivation function to the password P, the random va <li>Apply the key derivation function to the password P, the random va
lue S and the iteration count c lue S, and the iteration count c
to generate a sequence K of length dkLen octets in accordance with t he algorithm from <xref target="Algorithm"/>. </li> to generate a sequence K of length dkLen octets in accordance with t he algorithm from <xref target="Algorithm"/>. </li>
<li>Truncate the sequence K to 32 octets to get the derived key DK, i. <li>Truncate the sequence K to 32 octets to get the derived key DK, i.
e., DK = LSB^dkLen_32(K).</li> e., DK = LSB<sup>dkLen</sup><sub>32</sub>(K).</li>
<li>Process the message M with the underlying message authentication s <li>Process the message M with the underlying message authentication s
cheme with the derived key DK to generate a message authentication code MAC'.</l cheme with the derived key DK to generate a MAC.</li>
i> <li>Compare the computing MAC and the receiving MAC. If the sizes or v
<li>Compare the original message authentication code MAC and the recei alues do not match, the message is distorted. </li>
ving message authentication code MAC'. If the sizes or values do not match, the
message is distorted. </li>
</ol> </ol>
</section> </section>
</section> </section>
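Review bot: Step 1 of MAC verification says dkLen is "at least 32 octets" and "depends on previous parameter values", but a verifier has to use exactly the dkLen the generator used, because DK = LSB^dkLen_32(K) takes the last 32 octets of K and therefore changes with dkLen. Suggest saying that dkLen is read from the keyLength field, which the PBKDF2-params text requires to be present for PBMAC1. It is also worth one sentence noting that PBMAC1 keeps the least significant octets of K while PBES2 keeps the most significant ones (MSB^64_32), since the two truncations are easy to confuse.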
<section anchor="Ident_Params"> <section anchor="Ident_Params">
<name>Identifiers and Parameters</name> <name>Identifiers and Parameters</name>
<t>This section defines ASN.1 syntax for the key derivation functions, the <t>This section defines the ASN.1 syntax for the key derivation functions,
encryption schemes, the message authentication scheme, and the encryption schemes, the message authentication scheme, and
supporting techniques (<xref target="RFC8018"/>).</t> supporting techniques (see <xref target="RFC8018"/>).</t>
<artwork><![CDATA[ <sourcecode type="asn.1"><![CDATA[
rsadsi OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) 113549 } rsadsi OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) 113549 }
pkcs OBJECT IDENTIFIER ::= { rsadsi 1 } pkcs OBJECT IDENTIFIER ::= { rsadsi 1 }
pkcs-5 OBJECT IDENTIFIER ::= { pkcs 5 } pkcs-5 OBJECT IDENTIFIER ::= { pkcs 5 }]]></sourcecode>
]]></artwork>
<section anchor="PBKDF2"> <section anchor="PBKDF2">
<name>PBKDF2</name> <name>PBKDF2</name>
<t>The object identifier id-PBKDF2 identifies the PBKDF2 key derivation <t>The Object Identifier (OID) id-PBKDF2 identifies the PBKDF2 key deriv
function:</t> ation function:</t>
<artwork><![CDATA[ <sourcecode type="asn.1"><![CDATA[
id-PBKDF2 OBJECT IDENTIFIER ::= { pkcs-5 12 } id-PBKDF2 OBJECT IDENTIFIER ::= { pkcs-5 12 }]]></sourcecode>
]]></artwork> <t>The parameters field associated with this OID in an AlgorithmIdentifi
<t>The parameters field associated with this OID in an AlgorithmIdentifi er <bcp14>SHALL</bcp14> have type PBKDF2-params:</t>
er SHALL have type PBKDF2-params:</t> <sourcecode type="asn.1"><![CDATA[
<artwork><![CDATA[
PBKDF2-params ::= SEQUENCE PBKDF2-params ::= SEQUENCE
{ {
salt CHOICE salt CHOICE
{ {
specified OCTET STRING, specified OCTET STRING,
otherSource AlgorithmIdentifier {{PBKDF2-SaltSources}} otherSource AlgorithmIdentifier {{PBKDF2-SaltSources}}
}, },
iterationCount INTEGER (1000..MAX), iterationCount INTEGER (1000..MAX),
keyLength INTEGER (32..MAX) OPTIONAL, keyLength INTEGER (32..MAX) OPTIONAL,
prf AlgorithmIdentifier {{PBKDF2-PRFs}} prf AlgorithmIdentifier {{PBKDF2-PRFs}}
} }]]></sourcecode>
]]></artwork>
<t>The fields of type PBKDF2-params have the following meanings: <t>The fields of type PBKDF2-params have the following meanings:
</t> </t>
<ul empty="true" spacing="normal"> <ul spacing="normal">
<li>- salt contains the random value S in OCTET STRING.</li> <li>salt contains the random value S in OCTET STRING.</li>
<li>- iterationCount specifies the iteration count c.</li> <li>iterationCount specifies the iteration count c.</li>
<li>- keyLength is the length of the derived key in octets. It is opti <li>keyLength is the length of the derived key in octets. It is an opt
onal field for PBES2 sheme since it is always 32 octets. ional field for the PBES2 scheme since it is always 32 octets.
It MUST be present for PBMAC1 sheme and MUST be at least 32 octets s It <bcp14>MUST</bcp14> be present for the PBMAC1 scheme and <bcp14>M
ince the HMAC_GOSTR3411 function has a variable key size.</li> UST</bcp14> be at least 32 octets since the HMAC_GOSTR3411 function has a variab
<li>- prf identifies the pseudorandom function. The identifier value M le key size.</li>
UST be id-tc26-hmac-gost-3411-12-512, the parameters value must be NULL:</li> <li>prf identifies the pseudorandom function. The identifier value <bc
p14>MUST</bcp14> be id-tc26-hmac-gost-3411-12-512 and the parameters value must
be NULL:</li>
</ul> </ul>
<artwork><![CDATA[ <sourcecode type="asn.1"><![CDATA[
id-tc26-hmac-gost-3411-12-512 OBJECT IDENTIFIER ::= id-tc26-hmac-gost-3411-12-512 OBJECT IDENTIFIER ::=
{ {
iso(1) member-body(2) ru(643) reg7(7) iso(1) member-body(2) ru(643) reg7(7)
tk26(1) algorithms(1) hmac(4) 512(2) tk26(1) algorithms(1) hmac(4) 512(2)
} }]]></sourcecode>
]]></artwork>
</section> </section>
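Review bot: In the prf list item of the new text, the first requirement is tagged as <bcp14>MUST</bcp14> but the second half of the same sentence still reads "the parameters value must be NULL" in lowercase and without markup. If the NULL requirement is normative, tag it the same way; if it is not, reword it so that it does not read as a weaker requirement sitting next to a tagged one. A decoder author will want to know whether non-NULL prf parameters have to be rejected.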
<section anchor="PBES2"> <section anchor="PBES2">
<name>PBES2</name> <name>PBES2</name>
<t>The object identifier id-PBES2 identifies the PBES2 encryption scheme <t>The OID id-PBES2 identifies the PBES2 encryption scheme:</t>
:</t> <sourcecode type="asn.1"><![CDATA[
<artwork><![CDATA[ id-PBES2 OBJECT IDENTIFIER ::= { pkcs-5 13 }]]></sourcecode>
id-PBES2 OBJECT IDENTIFIER ::= { pkcs-5 13 } <t>The parameters field associated with this OID in an AlgorithmIdentifi
]]></artwork> er <bcp14>SHALL</bcp14> have type PBES2-params:</t>
<t>The parameters field associated with this OID in an AlgorithmIdentifi <sourcecode type="asn.1"><![CDATA[
er SHALL have type PBES2-params:</t>
<artwork><![CDATA[
PBES2-params ::= SEQUENCE PBES2-params ::= SEQUENCE
{ {
keyDerivationFunc AlgorithmIdentifier { { PBES2-KDFs } }, keyDerivationFunc AlgorithmIdentifier { { PBES2-KDFs } },
encryptionScheme AlgorithmIdentifier { { PBES2-Encs } } encryptionScheme AlgorithmIdentifier { { PBES2-Encs } }
} }]]></sourcecode>
]]></artwork>
<t>The fields of type PBES2-params have the following meanings: <t>The fields of type PBES2-params have the following meanings:
</t> </t>
<ul empty="true" spacing="normal"> <ul spacing="normal">
<li>- keyDerivationFunc identifies the key derivation function in acco <li>keyDerivationFunc identifies the key derivation function in accord
rdance with <xref target="PBKDF2"/>.</li> ance with <xref target="PBKDF2"/>.</li>
<li>- encryptionScheme identifies the encryption scheme in with <xref <li>encryptionScheme identifies the encryption scheme in accordance wi
target="ParamGost3412-2015"/>.</li> th <xref target="ParamGost3412-2015"/>.</li>
</ul> </ul>
</section> </section>
<section anchor="ParamGost3412-2015"> <section anchor="ParamGost3412-2015">
<name>Identifier and Parameters of Gost34.12-2015 Encryption Scheme</nam <name>Identifier and Parameters of Gost34.12-2015 Encryption Scheme</name>
e> <t>The Gost34.12-2015 encryption algorithm identifier <bcp14>SHALL</bcp1
<t>The Gost34.12-2015 encryption algorithm identifier SHALL take one of 4> take one of the following values:</t>
the following values:</t> <sourcecode type="asn.1"><![CDATA[
<artwork><![CDATA[
id-gostr3412-2015-magma-ctracpkm OBJECT IDENTIFIER ::= id-gostr3412-2015-magma-ctracpkm OBJECT IDENTIFIER ::=
{ {
iso(1) member-body(2) ru(643) rosstandart(7) iso(1) member-body(2) ru(643) rosstandart(7)
tc26(1) algorithms(1) cipher(5) tc26(1) algorithms(1) cipher(5)
gostr3412-2015-magma(1) mode-ctracpkm(1) gostr3412-2015-magma(1) mode-ctracpkm(1)
} }]]></sourcecode>
]]></artwork> <t>When the id-gostr3412-2015-magma-ctracpkm identifier is used, the data is enc
<t>In case of use id-gostr3412-2015-magma-ctracpkm identifier the data i rypted by the GOST R 34.12-2015 Magma cipher in CTR_ACPKM mode in accordance wit
s encrypted by the GOST R 34.12-2015 Magma cipher in CTR_ACPKM mode in accordanc h <xref target="RFC8645"/>.
e with <xref target="RFC8645"/>. The block size is 64 bits and the section size is fixed within a
The block size is 64 bits, the section size is fixed within a sp specific protocol based on the requirements of the system capacity and the key
ecific protocol based on the requirements of the system capacity and the key lif lifetime.</t>
etime.</t> <sourcecode type="asn.1"><![CDATA[
<artwork><![CDATA[
id-gostr3412-2015-magma-ctracpkm-omac OBJECT IDENTIFIER ::= id-gostr3412-2015-magma-ctracpkm-omac OBJECT IDENTIFIER ::=
{ {
iso(1) member-body(2) ru(643) rosstandart(7) iso(1) member-body(2) ru(643) rosstandart(7)
tc26(1) algorithms(1) cipher(5) tc26(1) algorithms(1) cipher(5)
gostr3412-2015-magma(1) mode-ctracpkm-omac(2) gostr3412-2015-magma(1) mode-ctracpkm-omac(2)
} }]]></sourcecode>
]]></artwork> <t>When the id-gostr3412-2015-magma-ctracpkm-omac identifier is used, th
<t>In case of use id-gostr3412-2015-magma-ctracpkm-omac identifier the e
data is encrypted by the GOST R 34.12-2015 Magma cipher in CTR_ACPKM mode in acc data is encrypted by the GOST R 34.12-2015 Magma cipher in CTR_ACPKM
ordance with <xref target="RFC8645"/>, mode in accordance with <xref target="RFC8645"/> and the MAC is computed
and MAC is computed by the GOST R 34.12-2015 Magma cipher in MAC by the GOST R 34.12-2015 Magma cipher in MAC mode (MAC size is 64
mode (MAC size is 64 bits). bits). The block size is 64 bits and the section size is fixed within a
The block size is 64 bits, the section size is fixed within a sp specific protocol based on the requirements of the system capacity and
ecific protocol based on the requirements of the system capacity and the key lif the key lifetime.</t>
etime.</t> <sourcecode type="asm.1"><![CDATA[
<artwork><![CDATA[
id-gostr3412-2015-kuznyechik-ctracpkm OBJECT IDENTIFIER ::= id-gostr3412-2015-kuznyechik-ctracpkm OBJECT IDENTIFIER ::=
{ {
iso(1) member-body(2) ru(643) rosstandart(7) iso(1) member-body(2) ru(643) rosstandart(7)
tc26(1) algorithms(1) cipher(5) tc26(1) algorithms(1) cipher(5)
gostr3412-2015-kuznyechik(2) mode-ctracpkm(1) gostr3412-2015-kuznyechik(2) mode-ctracpkm(1)
} }]]></sourcecode>
]]></artwork> <t>When the id-gostr3412-2015-kuznyechik-ctracpkm identifier is used, th
<t>In case of use id-gostr3412-2015-kuznyechik-ctracpkm identifier the d e data is encrypted by the GOST R 34.12-2015 Kuznyechik cipher in CTR_ACPKM mode
ata is encrypted by the GOST R 34.12-2015 Kuznyechik cipher in CTR_ACPKM mode in in accordance with <xref target="RFC8645"/>.
accordance with <xref target="RFC8645"/>. The block size is 128 bits and the section size is fixed within
The block size is 128 bits, the section size is fixed within a s a specific protocol based on the requirements of the system capacity and the key
pecific protocol based on the requirements of the system capacity and the key li lifetime.</t>
fetime.</t> <sourcecode type="asm.1"><![CDATA[
<artwork><![CDATA[
id-gostr3412-2015-kuznyechik-ctracpkm-omac OBJECT IDENTIFIER ::= id-gostr3412-2015-kuznyechik-ctracpkm-omac OBJECT IDENTIFIER ::=
{ {
iso(1) member-body(2) ru(643) rosstandart(7) iso(1) member-body(2) ru(643) rosstandart(7)
tc26(1) algorithms(1) cipher(5) tc26(1) algorithms(1) cipher(5)
gostr3412-2015-kuznyechik(2) mode-ctracpkm-omac(2) gostr3412-2015-kuznyechik(2) mode-ctracpkm-omac(2)
} }]]></sourcecode>
]]></artwork> <t>When the id-gostr3412-2015-kuznyechik-ctracpkm-omac identifier is use
<t>In case of use id-gostr3412-2015-kuznyechik-ctracpkm-omac identifier d, the data is encrypted by the GOST R 34.12-2015 Kuznyechik cipher in CTR_ACPKM
the data is encrypted by the GOST R 34.12-2015 Kuznyechik cipher in CTR_ACPKM m mode in accordance with <xref target="RFC8645"/>
ode in accordance with <xref target="RFC8645"/>,
and MAC is computed by the GOST R 34.12-2015 Kuznyechik cipher i n MAC mode (MAC size is 128 bits). and MAC is computed by the GOST R 34.12-2015 Kuznyechik cipher i n MAC mode (MAC size is 128 bits).
The block size is 128 bits, the section size is fixed within a s The block size is 128 bits and the section size is fixed within
pecific protocol based on the requirements of the system capacity and the key li a specific protocol based on the requirements of the system capacity and the key
fetime.</t> lifetime.</t>
<t>The parameters field in an AlgorithmIdentifier SHALL have type Gost34 <t>The parameters field in an AlgorithmIdentifier <bcp14>SHALL</bcp14> h
12-15-Encryption-Parameters:</t> ave type Gost3412-15-Encryption-Parameters:</t>
<artwork><![CDATA[ <sourcecode type="asm.1"><![CDATA[
Gost3412-15-Encryption-Parameters ::= SEQUENCE Gost3412-15-Encryption-Parameters ::= SEQUENCE
{ {
ukm OCTET STRING ukm OCTET STRING
} }]]></sourcecode>
]]></artwork>
<t>The field of type Gost3412-15-Encryption-Parameters have the followin g meanings: <t>The field of type Gost3412-15-Encryption-Parameters have the followin g meanings:
</t> </t>
<ul empty="true" spacing="normal"> <ul spacing="normal">
<li> <li>
<t>- ukm MUST be present and MUST contain n octets. Its value depend
s on the selected encryption algorithm: <t>ukm <bcp14>MUST</bcp14> be present and <bcp14>MUST</bcp14> contain n octets.
Its value depends on the selected encryption algorithm:
</t> </t>
<ul empty="true" spacing="normal"> <ul spacing="normal">
<li>GOST R 34.12-2015 "Kuznyechik" n = 16 (see <xref target="RFC78 01"/>)</li> <li>GOST R 34.12-2015 "Kuznyechik" n = 16 (see <xref target="RFC78 01"/>)</li>
<li>GOST R 34.12-2015 "Magma" n = 12 (see <xref target="RFC8891"/> )</li> <li>GOST R 34.12-2015 "Magma" n = 12 (see <xref target="RFC8891"/> )</li>
</ul> </ul>
</li> </li>
</ul> </ul>
</section> </section>
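Review bot: The paragraph for id-gostr3412-2015-kuznyechik-ctracpkm-omac was not reworded the same way as its Magma counterpart. The Magma text now reads "in accordance with <xref target="RFC8645"/> and the MAC is computed", while the Kuznyechik text dropped the comma after the xref but kept "and MAC is computed" without the article. Suggest making the two paragraphs identical apart from the cipher name and the sizes. The sentence introducing ukm is also unchanged on both sides and still reads "The field of type Gost3412-15-Encryption-Parameters have the following meanings"; with a single field it should be "has the following meaning".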
<section anchor="PBMAC1"> <section anchor="PBMAC1">
<name>PBMAC1</name> <name>PBMAC1</name>
<t>The object identifier id-PBMAC1 identifies the PBMAC1 message authent <t>The OID id-PBMAC1 identifies the PBMAC1 message authentication scheme
ication scheme:</t> :</t>
<artwork><![CDATA[ <sourcecode type="asm.1"><![CDATA[
id-PBMAC1 OBJECT IDENTIFIER ::= { pkcs-5 14 } id-PBMAC1 OBJECT IDENTIFIER ::= { pkcs-5 14 }]]></sourcecode>
]]></artwork> <t>The parameters field associated with this OID in an AlgorithmIdentifi
<t>The parameters field associated with this OID in an AlgorithmIdentifi er <bcp14>SHALL</bcp14> have type PBMAC1-params:</t>
er SHALL have type PBMAC1-params:</t> <sourcecode type="asm.1"><![CDATA[
<artwork><![CDATA[
PBMAC1-params ::= SEQUENCE PBMAC1-params ::= SEQUENCE
{ {
keyDerivationFunc AlgorithmIdentifier { { PBMAC1-KDFs } }, keyDerivationFunc AlgorithmIdentifier { { PBMAC1-KDFs } },
messageAuthScheme AlgorithmIdentifier { { PBMAC1-MACs } } messageAuthScheme AlgorithmIdentifier { { PBMAC1-MACs } }
} }]]></sourcecode>
]]></artwork>
<t>The fields of type PBMAC1-params have the following meanings: <t>The fields of type PBMAC1-params have the following meanings:
</t> </t>
<ul empty="true" spacing="normal"> <ul spacing="normal">
<li>- keyDerivationFunc is identifier and parameters of key derivation <li>keyDerivationFunc is the identifier and parameters of key derivati
function in accordance with <xref target="PBKDF2"/> </li> on function in accordance with <xref target="PBKDF2"/>. </li>
<li>- messageAuthScheme is identifier and parameters of HMAC_GOSTR3411 <li>messageAuthScheme is the identifier and parameters of the HMAC_GO
algorithm.</li> STR3411 algorithm.</li>
</ul> </ul>
</section> </section>
</section> </section>
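Review bot: Five of the converted blocks carry type="asm.1" instead of type="asn.1": the sourcecode elements for id-gostr3412-2015-kuznyechik-ctracpkm, id-gostr3412-2015-kuznyechik-ctracpkm-omac, Gost3412-15-Encryption-Parameters, id-PBMAC1 and PBMAC1-params. The earlier blocks (rsadsi/pkcs-5, id-PBKDF2, PBKDF2-params, id-PBES2, PBES2-params and the two Magma OIDs) use "asn.1", so this looks like a typo that spread by copy and paste. Anything that extracts the ASN.1 module by filtering on the type attribute would silently miss these five definitions, so they should be corrected to "asn.1".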
<section anchor="Security"> <section anchor="Security">
<name>Security Considerations</name> <name>Security Considerations</name>
<t>For information on security considerations for password-based cryptogra <t>For information on security considerations for password-based cryptogra
phy see <xref target="RFC8018"/>.</t> phy, see <xref target="RFC8018"/>.</t>
<t>Conforming applications MUST use unique values for ukm and S in order t <t>Conforming applications <bcp14>MUST</bcp14> use unique values for ukm a
o avoid the encryption of different data on the same keys with the same initiali nd S in order to avoid the encryption of different data on the same keys with th
zation vector.</t> e same initialization vector.</t>
<t>It is RECOMMENDED that parameter S consist of at least 32 octets of pse <t>It is <bcp14>RECOMMENDED</bcp14> that parameter S consist of at least 3
udo-random data in order to reduce the probability of collisions of keys generat 2 octets of pseudorandom data in order to reduce the probability of collisions o
ed from the same password.</t> f keys generated from the same password.</t>
</section> </section>
<section anchor="IANA_Considerations"> <section anchor="IANA_Considerations">
<name>IANA Considerations</name> <name>IANA Considerations</name>
<t>This document makes no requests for IANA action.</t> <t>This document has no IANA actions.</t>
</section> </section>
</middle> </middle>
<back> <back>
<references> <references>
<name>References</name> <name>References</name>
<references>
<name>Normative References</name>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC .0020.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC .0020.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC .2119.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC .2119.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC .8174.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC .8174.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC .8018.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC .8018.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC .2104.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC .2104.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC .8645.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC .8645.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC .7801.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC .7801.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC .8891.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC .8891.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC .7836.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC .7836.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC .6986.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC .6986.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC .6070.xml"/>
<reference anchor="GostPkcs5"> <reference anchor="GostPkcs5">
<front> <front>
<title>Information technology. Cryptographic Data Security. Password- <title>Information technology. Cryptographic Data Security. Password-b
based key security.</title> ased key security.</title>
<author initials="E." surname="Karelina" fullname="E. Karelina"> <author initials="A." surname="Potashnikov" fullname="A. Potashnikov
<organization/> ">
</author> <organization/>
<author initials="S." surname="Pianov" fullname="S. Pianov"> </author>
<organization/> <author initials="E." surname="Karelina" fullname="E. Karelina">
</author> <organization/>
<author initials="A." surname="Davletshina" fullname="A. Davletshina" </author>
> <author initials="S." surname="Pianov" fullname="S. Pianov">
<organization/> <organization/>
</author> </author>
</front> <author initials="A." surname="Naumenko" fullname="A. Naumenko">
<refcontent>R 1323565.1.xxx-2022 (work in progress). Federal Agency on <organization/>
Technical Regulating and Metrology (In Russian)</refcontent> </author>
</front>
<refcontent>R 1323565.1.040-2022. Federal Agency on Technical Regulating
and Metrology (In Russian)</refcontent>
</reference> </reference>
</references>
<references>
<name>Informative References</name>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC
.6070.xml"/>
</references>
</references> </references>
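Review bot: The GostPkcs5 reference changes more than its formatting and should be confirmed with the authors. The author list drops A. Davletshina and adds A. Potashnikov and A. Naumenko, and the refcontent goes from "R 1323565.1.xxx-2022 (work in progress)" to "R 1323565.1.040-2022". The split into Normative and Informative references, with RFC 6070 as the only informative entry, matches how RFC 6070 is used in the test vector appendix.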
<section anchor="Example"> <section anchor="Example">
<name>PBKDF2 HMAC_GOSTR3411 Test Vectors</name> <name>PBKDF2 HMAC_GOSTR3411 Test Vectors</name>
<t>These test vectors are formed by analogy with test vectors from <xref t arget="RFC6070"/>. <t>These test vectors are formed by analogy with test vectors from <xref t arget="RFC6070"/>.
The input strings below are encoded using ASCII ( <xref target="RFC0020" /> ). The input strings below are encoded using ASCII (see <xref target="RFC00 20"/>).
The sequence "\0" (without quotation marks) means a literal ASCII NULL The sequence "\0" (without quotation marks) means a literal ASCII NULL
value (1 octet). "DK" refers to the Derived Key.</t> value (1 octet). "DK" refers to the derived key.</t>
<artwork><![CDATA[ <sourcecode type=""><![CDATA[
Input: Input:
P = "password" (8 octets) P = "password" (8 octets)
S = "salt" (4 octets) S = "salt" (4 octets)
c = 1 c = 1
dkLen = 64 dkLen = 64
Output: Output:
DK = 64 77 0a f7 f7 48 c3 b1 c9 ac 83 1d bc fd 85 c2 DK = 64 77 0a f7 f7 48 c3 b1 c9 ac 83 1d bc fd 85 c2
61 11 b3 0a 8a 65 7d dc 30 56 b8 0c a7 3e 04 0d 61 11 b3 0a 8a 65 7d dc 30 56 b8 0c a7 3e 04 0d
28 54 fd 36 81 1f 6d 82 5c c4 ab 66 ec 0a 68 a4 28 54 fd 36 81 1f 6d 82 5c c4 ab 66 ec 0a 68 a4
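Review bot: The test vector block was converted from artwork to <sourcecode type=""> with an empty type attribute. An empty type tells tooling nothing, so either omit the attribute or give it a value that describes the content. It also differs from the ASN.1 blocks, which all carry a type.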
skipping to change at line 644 skipping to change at line 679
Input: Input:
P = "pass\0word" (9 octets) P = "pass\0word" (9 octets)
S = "sa\0lt" (5 octets) S = "sa\0lt" (5 octets)
c = 4096 c = 4096
dkLen = 64 dkLen = 64
Output: Output:
DK = 50 df 06 28 85 b6 98 01 a3 c1 02 48 eb 0a 27 ab DK = 50 df 06 28 85 b6 98 01 a3 c1 02 48 eb 0a 27 ab
6e 52 2f fe b2 0c 99 1c 66 0f 00 14 75 d7 3a 4e 6e 52 2f fe b2 0c 99 1c 66 0f 00 14 75 d7 3a 4e
16 7f 78 2c 18 e9 7e 92 97 6d 9c 1d 97 08 31 ea 16 7f 78 2c 18 e9 7e 92 97 6d 9c 1d 97 08 31 ea
78 cc b8 79 f6 70 68 cd ac 19 10 74 08 44 e8 30 78 cc b8 79 f6 70 68 cd ac 19 10 74 08 44 e8 30]]></sourcecode>
]]></artwork>
</section> </section>
</back> <section anchor="Acknowledgments" numbered="false">
</rfc> <name>Acknowledgments</name>
<t>The author thanks <contact fullname="Potashnikov Alexander"/>, <contact
fullname="Pianov Semen"/>, <contact fullname="Davletshina Alexandra"/>, <contac
t fullname="Belyavsky Dmitry"/>, and <contact fullname="Smyslov Valery"/> for th
eir careful readings and useful comments.</t>
</section>
</back> </rfc>
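Review bot: In the new Acknowledgments section the contact fullname values are written surname first ("Potashnikov Alexander", "Pianov Semen", "Davletshina Alexandra", "Belyavsky Dmitry", "Smyslov Valery"). The GostPkcs5 reference in this same diff gives Potashnikov and Pianov as surnames, so the rendered acknowledgments will show the names in reversed order. Suggest given name first in each fullname attribute.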
 End of changes. 98 change blocks. 
385 lines changed or deleted 388 lines changed or added

This html diff was produced by rfcdiff 1.48.