6.1. PBES1

PBES1 combines the PBKDF1 function (Section 5.1) with an underlying block cipher, which shall be either DES [NIST46] or RC2 [RFC2268] in cipher block chaining (CBC) mode [NIST81]. PBES1 is compatible with the encryption scheme in PKCS #5 v1.5 [PKCS5_15].

PBES1 is recommended only for compatibility with existing applications, since it supports only two underlying encryption schemes, each of which has a key size (56 or 64 bits) that may not be large enough for some applications.

6.1.1. PBES1 Encryption Operation

The encryption operation for PBES1 consists of the following steps, which encrypt a message M under a password P to produce a ciphertext C:

  1. Select an eight-octet salt S and an iteration count c, as outlined in Section 4.

  2. Apply the PBKDF1 key derivation function (Section 5.1) to the password P, the salt S, and the iteration count c to produce a derived key DK of length 16 octets:

    DK = PBKDF1 (P, S, c, 16)

  3. Separate the derived key DK into an encryption key K consisting of the first eight octets of DK and an initialization vector IV consisting of the next eight octets:

    K  = DK<0..7>
    IV = DK<8..15>

  4. Concatenate M and a padding string PS to form an encoded message EM:

    EM = M || PS

    where the padding string PS consists of 8-(||M|| mod 8) octets each with value 8-(||M|| mod 8). The padding string PS will satisfy one of the following statements:

    PS = 01, if ||M|| mod 8 = 7 ;
    PS = 02 02, if ||M|| mod 8 = 6 ;
    ...
    PS = 08 08 08 08 08 08 08 08, if ||M|| mod 8 = 0.

    The length in octets of the encoded message will be a multiple of eight, and it will be possible to recover the message M unambiguously from the encoded message. (This padding rule is taken from RFC 1423 [RFC1423].)

  5. Encrypt the encoded message EM with the underlying block cipher (DES or RC2) in CBC mode under the encryption key K with initialization vector IV to produce the ciphertext C. For DES, the key K shall be considered as a 64-bit encoding of a 56-bit DES key with parity bits ignored (see [NIST46]). For RC2, the "effective key bits" shall be 64 bits.

  6. Output the ciphertext C.

The salt S and the iteration count c may be conveyed to the party performing decryption in an AlgorithmIdentifier value (see Appendix A.3).

6.1.2. PBES1 Decryption Operation

The decryption operation for PBES1 consists of the following steps, which decrypt a ciphertext C under a password P to recover a message M:

  1. Obtain the eight-octet salt S and the iteration count c.

  2. Apply the PBKDF1 key derivation function (Section 5.1) to the password P, the salt S, and the iteration count c to produce a derived key DK of length 16 octets:

    DK = PBKDF1 (P, S, c, 16)

  3. Separate the derived key DK into an encryption key K consisting of the first eight octets of DK and an initialization vector IV consisting of the next eight octets:

    K  = DK<0..7>
    IV = DK<8..15>

  4. Decrypt the ciphertext C with the underlying block cipher (DES or RC2) in CBC mode under the encryption key K with initialization vector IV to recover an encoded message EM. If the length in octets of the ciphertext C is not a multiple of eight, output "decryption error" and stop.

  5. Separate the encoded message EM into a message M and a padding string PS:

    EM = M || PS

    where the padding string PS consists of some number psLen octets each with value psLen, where psLen is between 1 and 8. If it is not possible to separate the encoded message EM in this manner, output "decryption error" and stop.

  6. Output the recovered message M.
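
The following Python sketch is an added example, not part of the original specification text. It covers encryption steps 2 to 4 and decryption step 5, and leaves out the DES/RC2 CBC step because neither cipher is in the Python standard library. It assumes SHA-1 as the PBKDF1 hash, since this section does not name one; the function names and the sample password and salt are hypothetical.

```python
import hashlib

BLOCK = 8  # block size in octets of DES and RC2


class DecryptionError(Exception):
    """Raised wherever the text says: output "decryption error" and stop."""


def pbkdf1(password: bytes, salt: bytes, count: int, dk_len: int,
           hash_name: str = "sha1") -> bytes:
    """PBKDF1: T_1 = Hash(P || S), T_i = Hash(T_(i-1)), DK = T_c<0..dkLen-1>."""
    if count < 1:
        raise ValueError("iteration count must be a positive integer")
    if dk_len > hashlib.new(hash_name).digest_size:
        raise ValueError("derived key too long")
    t = hashlib.new(hash_name, password + salt).digest()
    for _ in range(count - 1):
        t = hashlib.new(hash_name, t).digest()
    return t[:dk_len]


def derive_key_iv(password: bytes, salt: bytes, count: int):
    """Steps 2 and 3: DK = PBKDF1(P, S, c, 16); K = DK<0..7>, IV = DK<8..15>."""
    if len(salt) != 8:
        raise ValueError("PBES1 uses an eight-octet salt")
    dk = pbkdf1(password, salt, count, 16)
    return dk[:8], dk[8:16]


def pad(message: bytes) -> bytes:
    """Encryption step 4: EM = M || PS; PS is always 1 to 8 octets long."""
    ps_len = BLOCK - (len(message) % BLOCK)
    return message + bytes([ps_len]) * ps_len


def unpad(em: bytes) -> bytes:
    """Decryption step 5: check every padding octet, not only the last one."""
    if len(em) == 0 or len(em) % BLOCK != 0:
        raise DecryptionError("decryption error")
    ps_len = em[-1]
    if not 1 <= ps_len <= BLOCK or em[-ps_len:] != bytes([ps_len]) * ps_len:
        raise DecryptionError("decryption error")
    return em[:-ps_len]


if __name__ == "__main__":
    # Constructed sample values, for illustration only.
    k, iv = derive_key_iv(b"password", bytes.fromhex("0001020304050607"), 1000)
    print(k.hex(), iv.hex(), pad(b"hello").hex())
```
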