Supplemental list of Password-Based Encryption Algorithms

      The following is my suggestion for a new subsection of
draft-eastlake-xmldsig-uri.  It is in RTF format (see attached file:
URISec.rtf), but the ASCII text is attached at the bottom of this note.
Several features of the draft may need further work or may need to be
changed.  First, there is some question as to the URI space from which the
identifiers should be assigned.  I have provisionally defined a new
subspace which is specific to this use - "2002/06/xmlenc-pbe#".  If it is
felt that the URIs need to match those in the rest of this draft, which
are mainly for signatures, that string can be changed to
"2001/04/xmldsig-more#PBE" wherever it appears in this section.  Second, I
don't know how to define the namespace under which the proposed
"InitVector" element will be defined, and I would appreciate someone
correcting its definition.  Here's the RTF format:
      On a minor issue somewhat related to this draft, the identifier for
the ARCFOUR encryption algorithm seems to have a typo in it, with
"xmldsgi-more" in place of "xmldsig-more".  Can this be corrected?

            Tom Gindin

2.7   Password-Based Encryption Algorithms

2.7.1 PKCS#5-based password-based encryption algorithms

      The algorithms specified in this section derive keys (and IVs for
      block ciphers) for their symmetric algorithms using the PBES2 scheme
      specified in section 6.2 of PKCS#5[a] with the PBKDF2 key derivation
      technique specified in section A.2 of PKCS#5[a].  Part of their name
      contains the symmetric encryption algorithm used.  Each of the
      algorithms specified in this section requires a single parameter,
      containing the value of the initialization vector, which should be
      specified using a newly defined element subordinate to
      EncryptionMethodType, to be known as "InitVector", whose type is
      base64Binary.  For variable key length algorithms such as RC2, the
      KeySize element must be used to specify the length of the key.
   Identifiers:
       http://www.w3.org/2002/06/xmlenc-pbe#P5DESEDE3_CBC
       http://www.w3.org/2002/06/xmlenc-pbe#P5RC2_CBC

   An example of use is

<EncryptionMethod
      Algorithm="http://www.w3.org/2002/06/xmlenc-pbe#P5DESEDE3_CBC">
  <??:InitVector>ABCDEFGHIJK=</??:InitVector>
</EncryptionMethod>


2.7.2 PKCS#12-based password-based encryption algorithms

      The algorithms specified in this section derive keys (and IVs for
      block ciphers) for their symmetric algorithms using the techniques
      specified in section B of PKCS#12 [b].  Part of their name contains
      the symmetric encryption algorithm used. For variable key length
      algorithms such as RC2 or RC4, the KeySize element must be used to
      specify the length of the key.

Identifiers:
       http://www.w3.org/2002/06/xmlenc-pbe#P12SHA_3KeyDES_CBC
       http://www.w3.org/2002/06/xmlenc-pbe#P12SHA_RC2_CBC
       http://www.w3.org/2002/06/xmlenc-pbe#P12SHA_RC4_CBC


      References:


      [a] RSA Laboratories, PKCS #5 v2.0: Password-Based Cryptography
      Standard, Mar. 1999.
      [b] RSA Laboratories, PKCS #12 v1.0: Personal Information Exchange
      Syntax, Jun. 1999.

Received on Wednesday, 26 June 2002 08:04:25 UTC
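
Added example (not part of the original note or of the draft): one way a receiver could process a section 2.7.1 EncryptionMethod, checking the identifier, the InitVector length and KeySize before deriving the key with PBKDF2. Assumptions: the InitVector namespace "urn:example:initvector" is a placeholder because the note leaves it undefined, the salt and iteration count are supplied by the caller because the section does not say how they are conveyed, and HMAC-SHA1 (the PKCS#5 v2.0 default PRF) is used.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

XENC = "http://www.w3.org/2001/04/xmlenc#"
PBE = "http://www.w3.org/2002/06/xmlenc-pbe#"  # provisional URI space from the note
IV_NS = "urn:example:initvector"               # hypothetical: namespace is left open in the note
# identifier suffix -> (key bytes, or None when KeySize is mandatory; cipher block bytes)
ALGS = {"P5DESEDE3_CBC": (24, 8), "P5RC2_CBC": (None, 8)}

# Constructed sample elements; the IV is base64 of bytes 00..07.
SAMPLE_3DES = (
    '<EncryptionMethod xmlns="%s" xmlns:iv="%s" Algorithm="%sP5DESEDE3_CBC">'
    '<iv:InitVector>AAECAwQFBgc=</iv:InitVector></EncryptionMethod>'
) % (XENC, IV_NS, PBE)
SAMPLE_RC2 = (
    '<EncryptionMethod xmlns="%s" xmlns:iv="%s" Algorithm="%sP5RC2_CBC">'
    '<KeySize>160</KeySize><iv:InitVector>AAECAwQFBgc=</iv:InitVector>'
    '</EncryptionMethod>'
) % (XENC, IV_NS, PBE)

def derive(method_xml, password, salt, iterations):
    """Return (key, iv) for a PKCS#5-based EncryptionMethod element."""
    em = ET.fromstring(method_xml)
    uri = em.get("Algorithm", "")
    if not uri.startswith(PBE) or uri[len(PBE):] not in ALGS:
        raise ValueError("unsupported algorithm: " + uri)
    key_len, block = ALGS[uri[len(PBE):]]
    iv_el = em.find("{%s}InitVector" % IV_NS)
    if iv_el is None or not iv_el.text:
        raise ValueError("InitVector is required")
    iv = base64.b64decode(iv_el.text.strip(), validate=True)
    if len(iv) != block:  # a CBC IV must be exactly one cipher block
        raise ValueError("IV must be %d bytes" % block)
    if key_len is None:   # variable-key-length cipher: KeySize (in bits) is mandatory
        ks = em.find("{%s}KeySize" % XENC)
        if ks is None or not ks.text:
            raise ValueError("KeySize is required for variable-length keys")
        bits = int(ks.text)
        if bits <= 0 or bits % 8:
            raise ValueError("KeySize must be a positive multiple of 8")
        key_len = bits // 8
    key = hashlib.pbkdf2_hmac("sha1", password, salt, iterations, key_len)
    return key, iv

if __name__ == "__main__":
    key, iv = derive(SAMPLE_3DES, b"password", b"salt", 4096)
    print(len(key), iv.hex())
```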