6.1.1. PBES1 Encryption Operation
6.1.1. PBES1 Encryption Operation
The encryption operation for PBES1 consists of the following steps, which encrypt a message M under a password P to produce a ciphertext C:
-
Select an eight-octet salt S and an iteration count c, as outlined in Section 4.
-
Apply the PBKDF1 key derivation function (Section 5.1) to the password P, the salt S, and the iteration count c to produce a derived key DK of length 16 octets:
DK = PBKDF1 (P, S, c, 16) -
Separate the derived key DK into an encryption key K consisting of the first eight octets of DK and an initialization vector IV consisting of the next eight octets:
K = DK<0..7>
IV = DK<8..15> -
Concatenate M and a padding string PS to form an encoded message EM:
EM = M || PSwhere the padding string PS consists of 8-(||M|| mod 8) octets each with value 8-(||M|| mod 8). The padding string PS will satisfy one of the following statements:
PS = 01, if ||M|| mod 8 = 7 ;
PS = 02 02, if ||M|| mod 8 = 6 ;
...
PS = 08 08 08 08 08 08 08 08, if ||M|| mod 8 = 0.The length in octets of the encoded message will be a multiple of eight, and it will be possible to recover the message M unambiguously from the encoded message. (This padding rule is taken from RFC 1423 [RFC1423].)
-
Encrypt the encoded message EM with the underlying block cipher (DES or RC2) in CBC mode under the encryption key K with initialization vector IV to produce the ciphertext C. For DES, the key K shall be considered as a 64-bit encoding of a 56-bit DES key with parity bits ignored (see [NIST46]). For RC2, the "effective key bits" shall be 64 bits.
-
Output the ciphertext C.
The salt S and the iteration count c may be conveyed to the party performing decryption in an AlgorithmIdentifier value (see Appendix A.3).