-
Notifications
You must be signed in to change notification settings - Fork 1
/
rfc4648.txt
1011 lines (594 loc) · 34.7 KB
/
rfc4648.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
Network Working Group S. Josefsson
Request for Comments: 4648 SJD
Obsoletes: 3548 October 2006
Category: Standards Track
The Base16, Base32, and Base64 Data Encodings
Status of This Memo
This document specifies an Internet standards track protocol for the
Internet community, and requests discussion and suggestions for
improvements. Please refer to the current edition of the "Internet
Official Protocol Standards" (STD 1) for the standardization state
and status of this protocol. Distribution of this memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (2006).
Abstract
This document describes the commonly used base 64, base 32, and base
16 encoding schemes. It also discusses the use of line-feeds in
encoded data, use of padding in encoded data, use of non-alphabet
characters in encoded data, use of different encoding alphabets, and
canonical encodings.
Josefsson Standards Track [Page 1]
RFC 4648 Base-N Encodings October 2006
Table of Contents
1. Introduction ....................................................3
2. Conventions Used in This Document ...............................3
3. Implementation Discrepancies ....................................3
3.1. Line Feeds in Encoded Data .................................3
3.2. Padding of Encoded Data ....................................4
3.3. Interpretation of Non-Alphabet Characters in Encoded Data ..4
3.4. Choosing the Alphabet ......................................4
3.5. Canonical Encoding .........................................5
4. Base 64 Encoding ................................................5
5. Base 64 Encoding with URL and Filename Safe Alphabet ............7
6. Base 32 Encoding ................................................8
7. Base 32 Encoding with Extended Hex Alphabet ....................10
8. Base 16 Encoding ...............................................10
9. Illustrations and Examples .....................................11
10. Test Vectors ..................................................12
11. ISO C99 Implementation of Base64 ..............................14
12. Security Considerations .......................................14
13. Changes Since RFC 3548 ........................................15
14. Acknowledgements ..............................................15
15. Copying Conditions ............................................15
16. References ....................................................16
16.1. Normative References .....................................16
16.2. Informative References ...................................16
Josefsson Standards Track [Page 2]
RFC 4648 Base-N Encodings October 2006
1. Introduction
Base encoding of data is used in many situations to store or transfer
data in environments that, perhaps for legacy reasons, are restricted
to US-ASCII [1] data. Base encoding can also be used in new
applications that do not have legacy restrictions, simply because it
makes it possible to manipulate objects with text editors.
In the past, different applications have had different requirements
and thus sometimes implemented base encodings in slightly different
ways. Today, protocol specifications sometimes use base encodings in
general, and "base64" in particular, without a precise description or
reference. Multipurpose Internet Mail Extensions (MIME) [4] is often
used as a reference for base64 without considering the consequences
for line-wrapping or non-alphabet characters. The purpose of this
specification is to establish common alphabet and encoding
considerations. This will hopefully reduce ambiguity in other
documents, leading to better interoperability.
2. Conventions Used in This Document
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [2].
3. Implementation Discrepancies
Here we discuss the discrepancies between base encoding
implementations in the past and, where appropriate, mandate a
specific recommended behavior for the future.
3.1. Line Feeds in Encoded Data
MIME [4] is often used as a reference for base 64 encoding. However,
MIME does not define "base 64" per se, but rather a "base 64 Content-
Transfer-Encoding" for use within MIME. As such, MIME enforces a
limit on line length of base 64-encoded data to 76 characters. MIME
inherits the encoding from Privacy Enhanced Mail (PEM) [3], stating
that it is "virtually identical"; however, PEM uses a line length of
64 characters. The MIME and PEM limits are both due to limits within
SMTP.
Implementations MUST NOT add line feeds to base-encoded data unless
the specification referring to this document explicitly directs base
encoders to add line feeds after a specific number of characters.
Josefsson Standards Track [Page 3]
RFC 4648 Base-N Encodings October 2006
3.2. Padding of Encoded Data
In some circumstances, the use of padding ("=") in base-encoded data
is not required or used. In the general case, when assumptions about
the size of transported data cannot be made, padding is required to
yield correct decoded data.
Implementations MUST include appropriate pad characters at the end of
encoded data unless the specification referring to this document
explicitly states otherwise.
The base64 and base32 alphabets use padding, as described below in
sections 4 and 6, but the base16 alphabet does not need it; see
section 8.
3.3. Interpretation of Non-Alphabet Characters in Encoded Data
Base encodings use a specific, reduced alphabet to encode binary
data. Non-alphabet characters could exist within base-encoded data,
caused by data corruption or by design. Non-alphabet characters may
be exploited as a "covert channel", where non-protocol data can be
sent for nefarious purposes. Non-alphabet characters might also be
sent in order to exploit implementation errors leading to, e.g.,
buffer overflow attacks.
Implementations MUST reject the encoded data if it contains
characters outside the base alphabet when interpreting base-encoded
data, unless the specification referring to this document explicitly
states otherwise. Such specifications may instead state, as MIME
does, that characters outside the base encoding alphabet should
simply be ignored when interpreting data ("be liberal in what you
accept"). Note that this means that any adjacent carriage return/
line feed (CRLF) characters constitute "non-alphabet characters" and
are ignored. Furthermore, such specifications MAY ignore the pad
character, "=", treating it as non-alphabet data, if it is present
before the end of the encoded data. If more than the allowed number
of pad characters is found at the end of the string (e.g., a base 64
string terminated with "==="), the excess pad characters MAY also be
ignored.
3.4. Choosing the Alphabet
Different applications have different requirements on the characters
in the alphabet. Here are a few requirements that determine which
alphabet should be used:
Josefsson Standards Track [Page 4]
RFC 4648 Base-N Encodings October 2006
o Handled by humans. The characters "0" and "O" are easily
confused, as are "1", "l", and "I". In the base32 alphabet below,
where 0 (zero) and 1 (one) are not present, a decoder may
interpret 0 as O, and 1 as I or L depending on case. (However, by
default it should not; see previous section.)
o Encoded into structures that mandate other requirements. For base
16 and base 32, this determines the use of upper- or lowercase
alphabets. For base 64, the non-alphanumeric characters (in
particular, "/") may be problematic in file names and URLs.
o Used as identifiers. Certain characters, notably "+" and "/" in
the base 64 alphabet, are treated as word-breaks by legacy text
search/index tools.
There is no universally accepted alphabet that fulfills all the
requirements. For an example of a highly specialized variant, see
IMAP [8]. In this document, we document and name some currently used
alphabets.
3.5. Canonical Encoding
The padding step in base 64 and base 32 encoding can, if improperly
implemented, lead to non-significant alterations of the encoded data.
For example, if the input is only one octet for a base 64 encoding,
then all six bits of the first symbol are used, but only the first
two bits of the next symbol are used. These pad bits MUST be set to
zero by conforming encoders, which is described in the descriptions
on padding below. If this property do not hold, there is no
canonical representation of base-encoded data, and multiple base-
encoded strings can be decoded to the same binary data. If this
property (and others discussed in this document) holds, a canonical
encoding is guaranteed.
In some environments, the alteration is critical and therefore
decoders MAY chose to reject an encoding if the pad bits have not
been set to zero. The specification referring to this may mandate a
specific behaviour.
4. Base 64 Encoding
The following description of base 64 is derived from [3], [4], [5],
and [6]. This encoding may be referred to as "base64".
The Base 64 encoding is designed to represent arbitrary sequences of
octets in a form that allows the use of both upper- and lowercase
letters but that need not be human readable.
Josefsson Standards Track [Page 5]
RFC 4648 Base-N Encodings October 2006
A 65-character subset of US-ASCII is used, enabling 6 bits to be
represented per printable character. (The extra 65th character, "=",
is used to signify a special processing function.)
The encoding process represents 24-bit groups of input bits as output
strings of 4 encoded characters. Proceeding from left to right, a
24-bit input group is formed by concatenating 3 8-bit input groups.
These 24 bits are then treated as 4 concatenated 6-bit groups, each
of which is translated into a single character in the base 64
alphabet.
Each 6-bit group is used as an index into an array of 64 printable
characters. The character referenced by the index is placed in the
output string.
Table 1: The Base 64 Alphabet
Value Encoding Value Encoding Value Encoding Value Encoding
0 A 17 R 34 i 51 z
1 B 18 S 35 j 52 0
2 C 19 T 36 k 53 1
3 D 20 U 37 l 54 2
4 E 21 V 38 m 55 3
5 F 22 W 39 n 56 4
6 G 23 X 40 o 57 5
7 H 24 Y 41 p 58 6
8 I 25 Z 42 q 59 7
9 J 26 a 43 r 60 8
10 K 27 b 44 s 61 9
11 L 28 c 45 t 62 +
12 M 29 d 46 u 63 /
13 N 30 e 47 v
14 O 31 f 48 w (pad) =
15 P 32 g 49 x
16 Q 33 h 50 y
Special processing is performed if fewer than 24 bits are available
at the end of the data being encoded. A full encoding quantum is
always completed at the end of a quantity. When fewer than 24 input
bits are available in an input group, bits with value zero are added
(on the right) to form an integral number of 6-bit groups. Padding
at the end of the data is performed using the '=' character. Since
all base 64 input is an integral number of octets, only the following
cases can arise:
(1) The final quantum of encoding input is an integral multiple of 24
bits; here, the final unit of encoded output will be an integral
multiple of 4 characters with no "=" padding.
Josefsson Standards Track [Page 6]
RFC 4648 Base-N Encodings October 2006
(2) The final quantum of encoding input is exactly 8 bits; here, the
final unit of encoded output will be two characters followed by
two "=" padding characters.
(3) The final quantum of encoding input is exactly 16 bits; here, the
final unit of encoded output will be three characters followed by
one "=" padding character.
5. Base 64 Encoding with URL and Filename Safe Alphabet
The Base 64 encoding with an URL and filename safe alphabet has been
used in [12].
An alternative alphabet has been suggested that would use "~" as the
63rd character. Since the "~" character has special meaning in some
file system environments, the encoding described in this section is
recommended instead. The remaining unreserved URI character is ".",
but some file system environments do not permit multiple "." in a
filename, thus making the "." character unattractive as well.
The pad character "=" is typically percent-encoded when used in an
URI [9], but if the data length is known implicitly, this can be
avoided by skipping the padding; see section 3.2.
This encoding may be referred to as "base64url". This encoding
should not be regarded as the same as the "base64" encoding and
should not be referred to as only "base64". Unless clarified
otherwise, "base64" refers to the base 64 in the previous section.
This encoding is technically identical to the previous one, except
for the 62:nd and 63:rd alphabet character, as indicated in Table 2.
Josefsson Standards Track [Page 7]
RFC 4648 Base-N Encodings October 2006
Table 2: The "URL and Filename safe" Base 64 Alphabet
Value Encoding Value Encoding Value Encoding Value Encoding
0 A 17 R 34 i 51 z
1 B 18 S 35 j 52 0
2 C 19 T 36 k 53 1
3 D 20 U 37 l 54 2
4 E 21 V 38 m 55 3
5 F 22 W 39 n 56 4
6 G 23 X 40 o 57 5
7 H 24 Y 41 p 58 6
8 I 25 Z 42 q 59 7
9 J 26 a 43 r 60 8
10 K 27 b 44 s 61 9
11 L 28 c 45 t 62 - (minus)
12 M 29 d 46 u 63 _
13 N 30 e 47 v (underline)
14 O 31 f 48 w
15 P 32 g 49 x
16 Q 33 h 50 y (pad) =
6. Base 32 Encoding
The following description of base 32 is derived from [11] (with
corrections). This encoding may be referred to as "base32".
The Base 32 encoding is designed to represent arbitrary sequences of
octets in a form that needs to be case insensitive but that need not
be human readable.
A 33-character subset of US-ASCII is used, enabling 5 bits to be
represented per printable character. (The extra 33rd character, "=",
is used to signify a special processing function.)
The encoding process represents 40-bit groups of input bits as output
strings of 8 encoded characters. Proceeding from left to right, a
40-bit input group is formed by concatenating 5 8bit input groups.
These 40 bits are then treated as 8 concatenated 5-bit groups, each
of which is translated into a single character in the base 32
alphabet. When a bit stream is encoded via the base 32 encoding, the
bit stream must be presumed to be ordered with the most-significant-
bit first. That is, the first bit in the stream will be the high-
order bit in the first 8bit byte, the eighth bit will be the low-
order bit in the first 8bit byte, and so on.
Josefsson Standards Track [Page 8]
RFC 4648 Base-N Encodings October 2006
Each 5-bit group is used as an index into an array of 32 printable
characters. The character referenced by the index is placed in the
output string. These characters, identified in Table 3, below, are
selected from US-ASCII digits and uppercase letters.
Table 3: The Base 32 Alphabet
Value Encoding Value Encoding Value Encoding Value Encoding
0 A 9 J 18 S 27 3
1 B 10 K 19 T 28 4
2 C 11 L 20 U 29 5
3 D 12 M 21 V 30 6
4 E 13 N 22 W 31 7
5 F 14 O 23 X
6 G 15 P 24 Y (pad) =
7 H 16 Q 25 Z
8 I 17 R 26 2
Special processing is performed if fewer than 40 bits are available
at the end of the data being encoded. A full encoding quantum is
always completed at the end of a body. When fewer than 40 input bits
are available in an input group, bits with value zero are added (on
the right) to form an integral number of 5-bit groups. Padding at
the end of the data is performed using the "=" character. Since all
base 32 input is an integral number of octets, only the following
cases can arise:
(1) The final quantum of encoding input is an integral multiple of 40
bits; here, the final unit of encoded output will be an integral
multiple of 8 characters with no "=" padding.
(2) The final quantum of encoding input is exactly 8 bits; here, the
final unit of encoded output will be two characters followed by
six "=" padding characters.
(3) The final quantum of encoding input is exactly 16 bits; here, the
final unit of encoded output will be four characters followed by
four "=" padding characters.
(4) The final quantum of encoding input is exactly 24 bits; here, the
final unit of encoded output will be five characters followed by
three "=" padding characters.
(5) The final quantum of encoding input is exactly 32 bits; here, the
final unit of encoded output will be seven characters followed by
one "=" padding character.
Josefsson Standards Track [Page 9]
RFC 4648 Base-N Encodings October 2006
7. Base 32 Encoding with Extended Hex Alphabet
The following description of base 32 is derived from [7]. This
encoding may be referred to as "base32hex". This encoding should not
be regarded as the same as the "base32" encoding and should not be
referred to as only "base32". This encoding is used by, e.g.,
NextSECure3 (NSEC3) [10].
One property with this alphabet, which the base64 and base32
alphabets lack, is that encoded data maintains its sort order when
the encoded data is compared bit-wise.
This encoding is identical to the previous one, except for the
alphabet. The new alphabet is found in Table 4.
Table 4: The "Extended Hex" Base 32 Alphabet
Value Encoding Value Encoding Value Encoding Value Encoding
0 0 9 9 18 I 27 R
1 1 10 A 19 J 28 S
2 2 11 B 20 K 29 T
3 3 12 C 21 L 30 U
4 4 13 D 22 M 31 V
5 5 14 E 23 N
6 6 15 F 24 O (pad) =
7 7 16 G 25 P
8 8 17 H 26 Q
8. Base 16 Encoding
The following description is original but analogous to previous
descriptions. Essentially, Base 16 encoding is the standard case-
insensitive hex encoding and may be referred to as "base16" or "hex".
A 16-character subset of US-ASCII is used, enabling 4 bits to be
represented per printable character.
The encoding process represents 8-bit groups (octets) of input bits
as output strings of 2 encoded characters. Proceeding from left to
right, an 8-bit input is taken from the input data. These 8 bits are
then treated as 2 concatenated 4-bit groups, each of which is
translated into a single character in the base 16 alphabet.
Each 4-bit group is used as an index into an array of 16 printable
characters. The character referenced by the index is placed in the
output string.
Josefsson Standards Track [Page 10]
RFC 4648 Base-N Encodings October 2006
Table 5: The Base 16 Alphabet
Value Encoding Value Encoding Value Encoding Value Encoding
0 0 4 4 8 8 12 C
1 1 5 5 9 9 13 D
2 2 6 6 10 A 14 E
3 3 7 7 11 B 15 F
Unlike base 32 and base 64, no special padding is necessary since a
full code word is always available.
9. Illustrations and Examples
To translate between binary and a base encoding, the input is stored
in a structure, and the output is extracted. The case for base 64 is
displayed in the following figure, borrowed from [5].
+--first octet--+-second octet--+--third octet--+
|7 6 5 4 3 2 1 0|7 6 5 4 3 2 1 0|7 6 5 4 3 2 1 0|
+-----------+---+-------+-------+---+-----------+
|5 4 3 2 1 0|5 4 3 2 1 0|5 4 3 2 1 0|5 4 3 2 1 0|
+--1.index--+--2.index--+--3.index--+--4.index--+
The case for base 32 is shown in the following figure, borrowed from
[7]. Each successive character in a base-32 value represents 5
successive bits of the underlying octet sequence. Thus, each group
of 8 characters represents a sequence of 5 octets (40 bits).
1 2 3
01234567 89012345 67890123 45678901 23456789
+--------+--------+--------+--------+--------+
|< 1 >< 2| >< 3 ><|.4 >< 5.|>< 6 ><.|7 >< 8 >|
+--------+--------+--------+--------+--------+
<===> 8th character
<====> 7th character
<===> 6th character
<====> 5th character
<====> 4th character
<===> 3rd character
<====> 2nd character
<===> 1st character
Josefsson Standards Track [Page 11]
RFC 4648 Base-N Encodings October 2006
The following example of Base64 data is from [5], with corrections.
Input data: 0x14fb9c03d97e
Hex: 1 4 f b 9 c | 0 3 d 9 7 e
8-bit: 00010100 11111011 10011100 | 00000011 11011001 01111110
6-bit: 000101 001111 101110 011100 | 000000 111101 100101 111110
Decimal: 5 15 46 28 0 61 37 62
Output: F P u c A 9 l +
Input data: 0x14fb9c03d9
Hex: 1 4 f b 9 c | 0 3 d 9
8-bit: 00010100 11111011 10011100 | 00000011 11011001
pad with 00
6-bit: 000101 001111 101110 011100 | 000000 111101 100100
Decimal: 5 15 46 28 0 61 36
pad with =
Output: F P u c A 9 k =
Input data: 0x14fb9c03
Hex: 1 4 f b 9 c | 0 3
8-bit: 00010100 11111011 10011100 | 00000011
pad with 0000
6-bit: 000101 001111 101110 011100 | 000000 110000
Decimal: 5 15 46 28 0 48
pad with = =
Output: F P u c A w = =
10. Test Vectors
BASE64("") = ""
BASE64("f") = "Zg=="
BASE64("fo") = "Zm8="
BASE64("foo") = "Zm9v"
BASE64("foob") = "Zm9vYg=="
BASE64("fooba") = "Zm9vYmE="
BASE64("foobar") = "Zm9vYmFy"
BASE32("") = ""
BASE32("f") = "MY======"
BASE32("fo") = "MZXQ===="
Josefsson Standards Track [Page 12]
RFC 4648 Base-N Encodings October 2006
BASE32("foo") = "MZXW6==="
BASE32("foob") = "MZXW6YQ="
BASE32("fooba") = "MZXW6YTB"
BASE32("foobar") = "MZXW6YTBOI======"
BASE32-HEX("") = ""
BASE32-HEX("f") = "CO======"
BASE32-HEX("fo") = "CPNG===="
BASE32-HEX("foo") = "CPNMU==="
BASE32-HEX("foob") = "CPNMUOG="
BASE32-HEX("fooba") = "CPNMUOJ1"
BASE32-HEX("foobar") = "CPNMUOJ1E8======"
BASE16("") = ""
BASE16("f") = "66"
BASE16("fo") = "666F"
BASE16("foo") = "666F6F"
BASE16("foob") = "666F6F62"
BASE16("fooba") = "666F6F6261"
BASE16("foobar") = "666F6F626172"
Josefsson Standards Track [Page 13]
RFC 4648 Base-N Encodings October 2006
11. ISO C99 Implementation of Base64
An ISO C99 implementation of Base64 encoding and decoding that is
believed to follow all recommendations in this RFC is available from:
http://josefsson.org/base-encoding/
This code is not normative.
The code could not be included in this RFC for procedural reasons
(RFC 3978 section 5.4).
12. Security Considerations
When base encoding and decoding is implemented, care should be taken
not to introduce vulnerabilities to buffer overflow attacks, or other
attacks on the implementation. A decoder should not break on invalid
input including, e.g., embedded NUL characters (ASCII 0).
If non-alphabet characters are ignored, instead of causing rejection
of the entire encoding (as recommended), a covert channel that can be
used to "leak" information is made possible. The ignored characters
could also be used for other nefarious purposes, such as to avoid a
string equality comparison or to trigger implementation bugs. The
implications of ignoring non-alphabet characters should be understood
in applications that do not follow the recommended practice.
Similarly, when the base 16 and base 32 alphabets are handled case
insensitively, alteration of case can be used to leak information or
make string equality comparisons fail.
When padding is used, there are some non-significant bits that
warrant security concerns, as they may be abused to leak information
or used to bypass string equality comparisons or to trigger
implementation problems.
Base encoding visually hides otherwise easily recognized information,
such as passwords, but does not provide any computational
confidentiality. This has been known to cause security incidents
when, e.g., a user reports details of a network protocol exchange
(perhaps to illustrate some other problem) and accidentally reveals
the password because she is unaware that the base encoding does not
protect the password.
Base encoding adds no entropy to the plaintext, but it does increase
the amount of plaintext available and provide a signature for
cryptanalysis in the form of a characteristic probability
distribution.
Josefsson Standards Track [Page 14]
RFC 4648 Base-N Encodings October 2006
13. Changes Since RFC 3548
Added the "base32 extended hex alphabet", needed to preserve sort
order of encoded data.
Referenced IMAP for the special Base64 encoding used there.
Fixed the example copied from RFC 2440.
Added security consideration about providing a signature for
cryptoanalysis.
Added test vectors.
Fixed typos.
14. Acknowledgements
Several people offered comments and/or suggestions, including John E.
Hadstate, Tony Hansen, Gordon Mohr, John Myers, Chris Newman, and
Andrew Sieber. Text used in this document are based on earlier RFCs
describing specific uses of various base encodings. The author
acknowledges the RSA Laboratories for supporting the work that led to
this document.
This revised version is based in parts on comments and/or suggestions
made by Roy Arends, Eric Blake, Brian E Carpenter, Elwyn Davies, Bill
Fenner, Sam Hartman, Ted Hardie, Per Hygum, Jelte Jansen, Clement
Kent, Tero Kivinen, Paul Kwiatkowski, and Ben Laurie.
15. Copying Conditions
Copyright (c) 2000-2006 Simon Josefsson
Regarding the abstract and sections 1, 3, 8, 10, 12, 13, and 14 of
this document, that were written by Simon Josefsson ("the author",
for the remainder of this section), the author makes no guarantees
and is not responsible for any damage resulting from its use. The
author grants irrevocable permission to anyone to use, modify, and
distribute it in any way that does not diminish the rights of anyone
else to use, modify, and distribute it, provided that redistributed
derivative works do not contain misleading author or version
information and do not falsely purport to be IETF RFC documents.
Derivative works need not be licensed under similar terms.
Josefsson Standards Track [Page 15]
RFC 4648 Base-N Encodings October 2006
16. References
16.1. Normative References
[1] Cerf, V., "ASCII format for network interchange", RFC 20,
October 1969.
[2] Bradner, S., "Key words for use in RFCs to Indicate Requirement
Levels", BCP 14, RFC 2119, March 1997.
16.2. Informative References
[3] Linn, J., "Privacy Enhancement for Internet Electronic Mail:
Part I: Message Encryption and Authentication Procedures", RFC
1421, February 1993.
[4] Freed, N. and N. Borenstein, "Multipurpose Internet Mail
Extensions (MIME) Part One: Format of Internet Message Bodies",
RFC 2045, November 1996.
[5] Callas, J., Donnerhacke, L., Finney, H., and R. Thayer,
"OpenPGP Message Format", RFC 2440, November 1998.
[6] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
"DNS Security Introduction and Requirements", RFC 4033, March
2005.
[7] Klyne, G. and L. Masinter, "Identifying Composite Media
Features", RFC 2938, September 2000.
[8] Crispin, M., "INTERNET MESSAGE ACCESS PROTOCOL - VERSION
4rev1", RFC 3501, March 2003.
[9] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
Resource Identifier (URI): Generic Syntax", STD 66, RFC 3986,
January 2005.
[10] Laurie, B., Sisson, G., Arends, R., and D. Blacka, "DNSSEC Hash
Authenticated Denial of Existence", Work in Progress, June
2006.
[11] Myers, J., "SASL GSSAPI mechanisms", Work in Progress, May
2000.
[12] Wilcox-O'Hearn, B., "Post to P2P-hackers mailing list",
http://zgp.org/pipermail/p2p-hackers/2001-September/
000315.html, September 2001.
Josefsson Standards Track [Page 16]
RFC 4648 Base-N Encodings October 2006
Author's Address
Simon Josefsson
SJD
EMail: simon@josefsson.org
Josefsson Standards Track [Page 17]
RFC 4648 Base-N Encodings October 2006
Full Copyright Statement
Copyright (C) The Internet Society (2006).
This document is subject to the rights, licenses and restrictions
contained in BCP 78, and except as set forth therein, the authors
retain all their rights.
This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Intellectual Property
The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information
on the procedures with respect to rights in RFC documents can be
found in BCP 78 and BCP 79.
Copies of IPR disclosures made to the IETF Secretariat and any
assurances of licenses to be made available, or the result of an
attempt made to obtain a general license or permission for the use of
such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository at
http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at
ietf-ipr@ietf.org.
Acknowledgement