From 4bfd864f10b68b71482b35c818559068ef8d5797 Mon Sep 17 00:00:00 2001 From: Thomas Voss Date: Wed, 27 Nov 2024 20:54:24 +0100 Subject: doc: Add RFC documents --- doc/rfc/rfc2437.txt | 2187 +++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 2187 insertions(+) create mode 100644 doc/rfc/rfc2437.txt (limited to 'doc/rfc/rfc2437.txt') diff --git a/doc/rfc/rfc2437.txt b/doc/rfc/rfc2437.txt new file mode 100644 index 0000000..54f6d5d --- /dev/null +++ b/doc/rfc/rfc2437.txt @@ -0,0 +1,2187 @@ + + + + + + +Network Working Group B. Kaliski +Request for Comments: 2437 J. Staddon +Obsoletes: 2313 RSA Laboratories +Category: Informational October 1998 + + + PKCS #1: RSA Cryptography Specifications + Version 2.0 + +Status of this Memo + + This memo provides information for the Internet community. It does + not specify an Internet standard of any kind. Distribution of this + memo is unlimited. + +Copyright Notice + + Copyright (C) The Internet Society (1998). All Rights Reserved. + +Table of Contents + + 1. Introduction.....................................2 + 1.1 Overview.........................................3 + 2. Notation.........................................3 + 3. Key types........................................5 + 3.1 RSA public key...................................5 + 3.2 RSA private key..................................5 + 4. Data conversion primitives.......................6 + 4.1 I2OSP............................................6 + 4.2 OS2IP............................................7 + 5. Cryptographic primitives.........................8 + 5.1 Encryption and decryption primitives.............8 + 5.1.1 RSAEP............................................8 + 5.1.2 RSADP............................................9 + 5.2 Signature and verification primitives...........10 + 5.2.1 RSASP1..........................................10 + 5.2.2 RSAVP1..........................................11 + 6. Overview of schemes.............................11 + 7. Encryption schemes..............................12 + 7.1 RSAES-OAEP......................................13 + 7.1.1 Encryption operation............................13 + 7.1.2 Decryption operation............................14 + 7.2 RSAES-PKCS1-v1_5................................15 + 7.2.1 Encryption operation............................17 + 7.2.2 Decryption operation............................17 + 8. Signature schemes with appendix.................18 + 8.1 RSASSA-PKCS1-v1_5...............................19 + 8.1.1 Signature generation operation..................20 + + + +Kaliski & Staddon Informational [Page 1] + +RFC 2437 PKCS #1: RSA Cryptography Specifications October 1998 + + + 8.1.2 Signature verification operation................21 + 9. Encoding methods................................22 + 9.1 Encoding methods for encryption.................22 + 9.1.1 EME-OAEP........................................22 + 9.1.2 EME-PKCS1-v1_5..................................24 + 9.2 Encoding methods for signatures with appendix...26 + 9.2.1 EMSA-PKCS1-v1_5.................................26 + 10. Auxiliary Functions.............................27 + 10.1 Hash Functions..................................27 + 10.2 Mask Generation Functions.......................28 + 10.2.1 MGF1............................................28 + 11. ASN.1 syntax....................................29 + 11.1 Key representation..............................29 + 11.1.1 Public-key syntax...............................30 + 11.1.2 Private-key syntax..............................30 + 11.2 Scheme identification...........................31 + 11.2.1 Syntax for RSAES-OAEP...........................31 + 11.2.2 Syntax for RSAES-PKCS1-v1_5.....................32 + 11.2.3 Syntax for RSASSA-PKCS1-v1_5....................33 + 12 Patent Statement................................33 + 12.1 Patent statement for the RSA algorithm..........34 + 13. Revision history................................35 + 14. References......................................35 + Security Considerations.........................37 + Acknowledgements................................37 + Authors' Addresses..............................38 + Full Copyright Statement........................39 + +1. Introduction + + This memo is the successor to RFC 2313. This document provides + recommendations for the implementation of public-key cryptography + based on the RSA algorithm [18], covering the following aspects: + + -cryptographic primitives + -encryption schemes + -signature schemes with appendix + -ASN.1 syntax for representing keys and for identifying the + schemes + + The recommendations are intended for general application within + computer and communications systems, and as such include a fair + amount of flexibility. It is expected that application standards + based on these specifications may include additional constraints. The + recommendations are intended to be compatible with draft standards + currently being developed by the ANSI X9F1 [1] and IEEE P1363 working + groups [14]. This document supersedes PKCS #1 version 1.5 [20]. + + + + +Kaliski & Staddon Informational [Page 2] + +RFC 2437 PKCS #1: RSA Cryptography Specifications October 1998 + + + Editor's note. It is expected that subsequent versions of PKCS #1 may + cover other aspects of the RSA algorithm such as key size, key + generation, key validation, and signature schemes with message + recovery. + +1.1 Overview + + The organization of this document is as follows: + + -Section 1 is an introduction. + -Section 2 defines some notation used in this document. + -Section 3 defines the RSA public and private key types. + -Sections 4 and 5 define several primitives, or basic mathematical + operations. Data conversion primitives are in Section 4, and + cryptographic primitives (encryption-decryption, + signature-verification) are in Section 5. + -Section 6, 7 and 8 deal with the encryption and signature schemes + in this document. Section 6 gives an overview. Section 7 defines + an OAEP-based [2] encryption scheme along with the method found + in PKCS #1 v1.5. Section 8 defines a signature scheme with + appendix; the method is identical to that of PKCS #1 v1.5. + -Section 9 defines the encoding methods for the encryption and + signature schemes in Sections 7 and 8. + -Section 10 defines the hash functions and the mask generation + function used in this document. + -Section 11 defines the ASN.1 syntax for the keys defined in + Section 3 and the schemes gives in Sections 7 and 8. + -Section 12 outlines the revision history of PKCS #1. + -Section 13 contains references to other publications and + standards. + +2. Notation + + (n, e) RSA public key + + c ciphertext representative, an integer between 0 and n-1 + + C ciphertext, an octet string + + d private exponent + + dP p's exponent, a positive integer such that: + e(dP)\equiv 1 (mod(p-1)) + + dQ q's exponent, a positive integer such that: + e(dQ)\equiv 1 (mod(q-1)) + + e public exponent + + + +Kaliski & Staddon Informational [Page 3] + +RFC 2437 PKCS #1: RSA Cryptography Specifications October 1998 + + + EM encoded message, an octet string + + emLen intended length in octets of an encoded message + + H hash value, an output of Hash + + Hash hash function + + hLen output length in octets of hash function Hash + + K RSA private key + + k length in octets of the modulus + + l intended length of octet string + + lcm(.,.) least common multiple of two + nonnegative integers + + m message representative, an integer between + 0 and n-1 + + M message, an octet string + + MGF mask generation function + + n modulus + + P encoding parameters, an octet string + + p,q prime factors of the modulus + + qInv CRT coefficient, a positive integer less + than p such: q(qInv)\equiv 1 (mod p) + + s signature representative, an integer + between 0 and n-1 + + S signature, an octet string + + x a nonnegative integer + + X an octet string corresponding to x + + \xor bitwise exclusive-or of two octet strings + + \lambda(n) lcm(p-1, q-1), where n = pq + + + + +Kaliski & Staddon Informational [Page 4] + +RFC 2437 PKCS #1: RSA Cryptography Specifications October 1998 + + + || concatenation operator + + ||.|| octet length operator + +3. Key types + + Two key types are employed in the primitives and schemes defined in + this document: RSA public key and RSA private key. Together, an RSA + public key and an RSA private key form an RSA key pair. + +3.1 RSA public key + + For the purposes of this document, an RSA public key consists of two + components: + + n, the modulus, a nonnegative integer + e, the public exponent, a nonnegative integer + + In a valid RSA public key, the modulus n is a product of two odd + primes p and q, and the public exponent e is an integer between 3 and + n-1 satisfying gcd (e, \lambda(n)) = 1, where \lambda(n) = lcm (p- + 1,q-1). A recommended syntax for interchanging RSA public keys + between implementations is given in Section 11.1.1; an + implementation's internal representation may differ. + +3.2 RSA private key + + For the purposes of this document, an RSA private key may have either + of two representations. + + 1. The first representation consists of the pair (n, d), where the + components have the following meanings: + + n, the modulus, a nonnegative integer + d, the private exponent, a nonnegative integer + + 2. The second representation consists of a quintuple (p, q, dP, dQ, + qInv), where the components have the following meanings: + + p, the first factor, a nonnegative integer + q, the second factor, a nonnegative integer + dP, the first factor's exponent, a nonnegative integer + dQ, the second factor's exponent, a nonnegative integer + qInv, the CRT coefficient, a nonnegative integer + + In a valid RSA private key with the first representation, the modulus + n is the same as in the corresponding public key and is the product + of two odd primes p and q, and the private exponent d is a positive + + + +Kaliski & Staddon Informational [Page 5] + +RFC 2437 PKCS #1: RSA Cryptography Specifications October 1998 + + + integer less than n satisfying: + + ed \equiv 1 (mod \lambda(n)) + + where e is the corresponding public exponent and \lambda(n) is as + defined above. + + In a valid RSA private key with the second representation, the two + factors p and q are the prime factors of the modulus n, the exponents + dP and dQ are positive integers less than p and q respectively + satisfying + + e(dP)\equiv 1(mod(p-1)) + e(dQ)\equiv 1(mod(q-1)), + + and the CRT coefficient qInv is a positive integer less than p + satisfying: + + q(qInv)\equiv 1 (mod p). + + A recommended syntax for interchanging RSA private keys between + implementations, which includes components from both representations, + is given in Section 11.1.2; an implementation's internal + representation may differ. + +4. Data conversion primitives + + Two data conversion primitives are employed in the schemes defined in + this document: + + I2OSP: Integer-to-Octet-String primitive + OS2IP: Octet-String-to-Integer primitive + + For the purposes of this document, and consistent with ASN.1 syntax, an + octet string is an ordered sequence of octets (eight-bit bytes). The + sequence is indexed from first (conventionally, leftmost) to last + (rightmost). For purposes of conversion to and from integers, the first + octet is considered the most significant in the following conversion + primitives + +4.1 I2OSP + + I2OSP converts a nonnegative integer to an octet string of a specified + length. + + I2OSP (x, l) + + + + + +Kaliski & Staddon Informational [Page 6] + +RFC 2437 PKCS #1: RSA Cryptography Specifications October 1998 + + + Input: + x nonnegative integer to be converted + l intended length of the resulting octet string + + Output: + X corresponding octet string of length l; or + "integer too large" + + Steps: + + 1. If x>=256^l, output "integer too large" and stop. + + 2. Write the integer x in its unique l-digit representation base 256: + + x = x_{l-1}256^{l-1} + x_{l-2}256^{l-2} +... + x_1 256 + x_0 + + where 0 <= x_i < 256 (note that one or more leading digits will be + zero if x < 256^{l-1}). + + 3. Let the octet X_i have the value x_{l-i} for 1 <= i <= l. Output + the octet string: + + X = X_1 X_2 ... X_l. + +4.2 OS2IP + + OS2IP converts an octet string to a nonnegative integer. + + OS2IP (X) + + Input: + X octet string to be converted + + Output: + x corresponding nonnegative integer + + Steps: + + 1. Let X_1 X_2 ... X_l be the octets of X from first to last, and + let x{l-i} have value X_i for 1<= i <= l. + + 2. Let x = x{l-1} 256^{l-1} + x_{l-2} 256^{l-2} +...+ x_1 256 + x_0. + + 3. Output x. + + + + + + + +Kaliski & Staddon Informational [Page 7] + +RFC 2437 PKCS #1: RSA Cryptography Specifications October 1998 + + +5. Cryptographic primitives + + Cryptographic primitives are basic mathematical operations on which + cryptographic schemes can be built. They are intended for + implementation in hardware or as software modules, and are not + intended to provide security apart from a scheme. + + Four types of primitive are specified in this document, organized in + pairs: encryption and decryption; and signature and verification. + + The specifications of the primitives assume that certain conditions + are met by the inputs, in particular that public and private keys are + valid. + +5.1 Encryption and decryption primitives + + An encryption primitive produces a ciphertext representative from a + message representative under the control of a public key, and a + decryption primitive recovers the message representative from the + ciphertext representative under the control of the corresponding + private key. + + One pair of encryption and decryption primitives is employed in the + encryption schemes defined in this document and is specified here: + RSAEP/RSADP. RSAEP and RSADP involve the same mathematical operation, + with different keys as input. + + The primitives defined here are the same as in the draft IEEE P1363 + and are compatible with PKCS #1 v1.5. + + The main mathematical operation in each primitive is exponentiation. + +5.1.1 RSAEP + + RSAEP((n, e), m) + + Input: + (n, e) RSA public key + m message representative, an integer between 0 and n-1 + + Output: + c ciphertext representative, an integer between 0 and n-1; + or "message representative out of range" + + Assumptions: public key (n, e) is valid + + Steps: + + + + +Kaliski & Staddon Informational [Page 8] + +RFC 2437 PKCS #1: RSA Cryptography Specifications October 1998 + + + 1. If the message representative m is not between 0 and n-1, output + message representative out of range and stop. + + 2. Let c = m^e mod n. + + 3. Output c. + +5.1.2 RSADP + + RSADP (K, c) + + Input: + + K RSA private key, where K has one of the following forms + -a pair (n, d) + -a quintuple (p, q, dP, dQ, qInv) + c ciphertext representative, an integer between 0 and n-1 + + Output: + m message representative, an integer between 0 and n-1; or + "ciphertext representative out of range" + + Assumptions: private key K is valid + + Steps: + + 1. If the ciphertext representative c is not between 0 and n-1, + output "ciphertext representative out of range" and stop. + + 2. If the first form (n, d) of K is used: + + 2.1 Let m = c^d mod n. Else, if the second form (p, q, dP, + dQ, qInv) of K is used: + + 2.2 Let m_1 = c^dP mod p. + + 2.3 Let m_2 = c^dQ mod q. + + 2.4 Let h = qInv ( m_1 - m_2 ) mod p. + + 2.5 Let m = m_2 + hq. + + 3. Output m. + + + + + + + + +Kaliski & Staddon Informational [Page 9] + +RFC 2437 PKCS #1: RSA Cryptography Specifications October 1998 + + +5.2 Signature and verification primitives + + A signature primitive produces a signature representative from a + message representative under the control of a private key, and a + verification primitive recovers the message representative from the + signature representative under the control of the corresponding + public key. One pair of signature and verification primitives is + employed in the signature schemes defined in this document and is + specified here: RSASP1/RSAVP1. + + The primitives defined here are the same as in the draft IEEE P1363 + and are compatible with PKCS #1 v1.5. + + The main mathematical operation in each primitive is exponentiation, + as in the encryption and decryption primitives of Section 5.1. RSASP1 + and RSAVP1 are the same as RSADP and RSAEP except for the names of + their input and output arguments; they are distinguished as they are + intended for different purposes. + +5.2.1 RSASP1 + + RSASP1 (K, m) + + Input: + K RSA private key, where K has one of the following + forms: + -a pair (n, d) + -a quintuple (p, q, dP, dQ, qInv) + + m message representative, an integer between 0 and n-1 + + Output: + s signature representative, an integer between 0 and + n-1, or "message representative out of range" + + Assumptions: + private key K is valid + + Steps: + + 1. If the message representative m is not between 0 and n-1, output + "message representative out of range" and stop. + + 2. If the first form (n, d) of K is used: + + 2.1 Let s = m^d mod n. Else, if the second form (p, q, dP, + dQ, qInv) of K is used: + + + + +Kaliski & Staddon Informational [Page 10] + +RFC 2437 PKCS #1: RSA Cryptography Specifications October 1998 + + + 2.2 Let s_1 = m^dP mod p. + + 2.3 Let s_2 = m^dQ mod q. + + 2.4 Let h = qInv ( s_1 - s_2 ) mod p. + + 2.5 Let s = s_2 + hq. + + 3. Output S. + +5.2.2 RSAVP1 + + RSAVP1 ((n, e), s) + + Input: + (n, e) RSA public key + s signature representative, an integer between 0 and n-1 + + Output: + m message representative, an integer between 0 and n-1; + or "invalid" + + Assumptions: + public key (n, e) is valid + + Steps: + + 1. If the signature representative s is not between 0 and n-1, output + "invalid" and stop. + + 2. Let m = s^e mod n. + + 3. Output m. + +6. Overview of schemes + + A scheme combines cryptographic primitives and other techniques to + achieve a particular security goal. Two types of scheme are specified + in this document: encryption schemes and signature schemes with + appendix. + + The schemes specified in this document are limited in scope in that + their operations consist only of steps to process data with a key, + and do not include steps for obtaining or validating the key. Thus, + in addition to the scheme operations, an application will typically + include key management operations by which parties may select public + and private keys for a scheme operation. The specific additional + operations and other details are outside the scope of this document. + + + +Kaliski & Staddon Informational [Page 11] + +RFC 2437 PKCS #1: RSA Cryptography Specifications October 1998 + + + As was the case for the cryptographic primitives (Section 5), the + specifications of scheme operations assume that certain conditions + are met by the inputs, in particular that public and private keys are + valid. The behavior of an implementation is thus unspecified when a + key is invalid. The impact of such unspecified behavior depends on + the application. Possible means of addressing key validation include + explicit key validation by the application; key validation within the + public-key infrastructure; and assignment of liability for operations + performed with an invalid key to the party who generated the key. + +7. Encryption schemes + + An encryption scheme consists of an encryption operation and a + decryption operation, where the encryption operation produces a + ciphertext from a message with a recipient's public key, and the + decryption operation recovers the message from the ciphertext with + the recipient's corresponding private key. + + An encryption scheme can be employed in a variety of applications. A + typical application is a key establishment protocol, where the + message contains key material to be delivered confidentially from one + party to another. For instance, PKCS #7 [21] employs such a protocol + to deliver a content-encryption key from a sender to a recipient; the + encryption schemes defined here would be suitable key-encryption + algorithms in that context. + + Two encryption schemes are specified in this document: RSAES-OAEP and + RSAES-PKCS1-v1_5. RSAES-OAEP is recommended for new applications; + RSAES-PKCS1-v1_5 is included only for compatibility with existing + applications, and is not recommended for new applications. + + The encryption schemes given here follow a general model similar to + that employed in IEEE P1363, by combining encryption and decryption + primitives with an encoding method for encryption. The encryption + operations apply a message encoding operation to a message to produce + an encoded message, which is then converted to an integer message + representative. An encryption primitive is applied to the message + representative to produce the ciphertext. Reversing this, the + decryption operations apply a decryption primitive to the ciphertext + to recover a message representative, which is then converted to an + octet string encoded message. A message decoding operation is applied + to the encoded message to recover the message and verify the + correctness of the decryption. + + + + + + + + +Kaliski & Staddon Informational [Page 12] + +RFC 2437 PKCS #1: RSA Cryptography Specifications October 1998 + + +7.1 RSAES-OAEP + + RSAES-OAEP combines the RSAEP and RSADP primitives (Sections 5.1.1 + and 5.1.2) with the EME-OAEP encoding method (Section 9.1.1) EME-OAEP + is based on the method found in [2]. It is compatible with the IFES + scheme defined in the draft P1363 where the encryption and decryption + primitives are IFEP-RSA and IFDP-RSA and the message encoding method + is EME-OAEP. RSAES-OAEP can operate on messages of length up to k-2- + 2hLen octets, where hLen is the length of the hash function output + for EME-OAEP and k is the length in octets of the recipient's RSA + modulus. Assuming that the hash function in EME-OAEP has appropriate + properties, and the key size is sufficiently large, RSAEP-OAEP + provides "plaintext-aware encryption," meaning that it is + computationally infeasible to obtain full or partial information + about a message from a ciphertext, and computationally infeasible to + generate a valid ciphertext without knowing the corresponding + message. Therefore, a chosen-ciphertext attack is ineffective + against a plaintext-aware encryption scheme such as RSAES-OAEP. + + Both the encryption and the decryption operations of RSAES-OAEP take + the value of the parameter string P as input. In this version of PKCS + #1, P is an octet string that is specified explicitly. See Section + 11.2.1 for the relevant ASN.1 syntax. We briefly note that to receive + the full security benefit of RSAES-OAEP, it should not be used in a + protocol involving RSAES-PKCS1-v1_5. It is possible that in a + protocol on which both encryption schemes are present, an adaptive + chosen ciphertext attack such as [4] would be useful. + + Both the encryption and the decryption operations of RSAES-OAEP take + the value of the parameter string P as input. In this version of PKCS + #1, P is an octet string that is specified explicitly. See Section + 11.2.1 for the relevant ASN.1 syntax. + +7.1.1 Encryption operation + + RSAES-OAEP-ENCRYPT ((n, e), M, P) + + Input: + (n, e) recipient's RSA public key + + M message to be encrypted, an octet string of length at + most k-2-2hLen, where k is the length in octets of the + modulus n and hLen is the length in octets of the hash + function output for EME-OAEP + + P encoding parameters, an octet string that may be empty + + + + + +Kaliski & Staddon Informational [Page 13] + +RFC 2437 PKCS #1: RSA Cryptography Specifications October 1998 + + + Output: + C ciphertext, an octet string of length k; or "message too + long" + + Assumptions: public key (n, e) is valid + + Steps: + + 1. Apply the EME-OAEP encoding operation (Section 9.1.1.2) to the + message M and the encoding parameters P to produce an encoded message + EM of length k-1 octets: + + EM = EME-OAEP-ENCODE (M, P, k-1) + + If the encoding operation outputs "message too long," then output + "message too long" and stop. + + 2. Convert the encoded message EM to an integer message + representative m: m = OS2IP (EM) + + 3. Apply the RSAEP encryption primitive (Section 5.1.1) to the public + key (n, e) and the message representative m to produce an integer + ciphertext representative c: + + c = RSAEP ((n, e), m) + + 4. Convert the ciphertext representative c to a ciphertext C of + length k octets: C = I2OSP (c, k) + + 5. Output the ciphertext C. + +7.1.2 Decryption operation + + RSAES-OAEP-DECRYPT (K, C, P) + + Input: + K recipient's RSA private key + C ciphertext to be decrypted, an octet string of length + k, where k is the length in octets of the modulus n + P encoding parameters, an octet string that may be empty + + Output: + M message, an octet string of length at most k-2-2hLen, + where hLen is the length in octets of the hash + function output for EME-OAEP; or "decryption error" + + + + + + +Kaliski & Staddon Informational [Page 14] + +RFC 2437 PKCS #1: RSA Cryptography Specifications October 1998 + + + Steps: + + 1. If the length of the ciphertext C is not k octets, output + "decryption error" and stop. + + 2. Convert the ciphertext C to an integer ciphertext representative + c: c = OS2IP (C). + + 3. Apply the RSADP decryption primitive (Section 5.1.2) to the + private key K and the ciphertext representative c to produce an + integer message representative m: + + m = RSADP (K, c) + + If RSADP outputs "ciphertext out of range," then output "decryption + error" and stop. + + 4. Convert the message representative m to an encoded message EM of + length k-1 octets: EM = I2OSP (m, k-1) + + If I2OSP outputs "integer too large," then output "decryption error" + and stop. + + 5. Apply the EME-OAEP decoding operation to the encoded message EM + and the encoding parameters P to recover a message M: + + M = EME-OAEP-DECODE (EM, P) + + If the decoding operation outputs "decoding error," then output + "decryption error" and stop. + + 6. Output the message M. + + Note. It is important that the error messages output in steps 4 and 5 + be the same, otherwise an adversary may be able to extract useful + information from the type of error message received. Error message + information is used to mount a chosen-ciphertext attack on PKCS #1 + v1.5 encrypted messages in [4]. + +7.2 RSAES-PKCS1-v1_5 + + RSAES-PKCS1-v1_5 combines the RSAEP and RSADP primitives with the + EME-PKCS1-v1_5 encoding method. It is the same as the encryption + scheme in PKCS #1 v1.5. RSAES-PKCS1-v1_5 can operate on messages of + length up to k-11 octets, although care should be taken to avoid + certain attacks on low-exponent RSA due to Coppersmith, et al. when + long messages are encrypted (see the third bullet in the notes below + and [7]). + + + +Kaliski & Staddon Informational [Page 15] + +RFC 2437 PKCS #1: RSA Cryptography Specifications October 1998 + + + RSAES-PKCS1-v1_5 does not provide "plaintext aware" encryption. In + particular, it is possible to generate valid ciphertexts without + knowing the corresponding plaintexts, with a reasonable probability + of success. This ability can be exploited in a chosen ciphertext + attack as shown in [4]. Therefore, if RSAES-PKCS1-v1_5 is to be used, + certain easily implemented countermeasures should be taken to thwart + the attack found in [4]. The addition of structure to the data to be + encoded, rigorous checking of PKCS #1 v1.5 conformance and other + redundancy in decrypted messages, and the consolidation of error + messages in a client-server protocol based on PKCS #1 v1.5 can all be + effective countermeasures and don't involve changes to a PKCS #1 + v1.5-based protocol. These and other countermeasures are discussed in + [5]. + + Notes. The following passages describe some security recommendations + pertaining to the use of RSAES-PKCS1-v1_5. Recommendations from + version 1.5 of this document are included as well as new + recommendations motivated by cryptanalytic advances made in the + intervening years. + + -It is recommended that the pseudorandom octets in EME-PKCS1-v1_5 be + generated independently for each encryption process, especially if + the same data is input to more than one encryption process. Hastad's + results [13] are one motivation for this recommendation. + + -The padding string PS in EME-PKCS1-v1_5 is at least eight octets + long, which is a security condition for public-key operations that + prevents an attacker from recovering data by trying all possible + encryption blocks. + + -The pseudorandom octets can also help thwart an attack due to + Coppersmith et al. [7] when the size of the message to be encrypted + is kept small. The attack works on low-exponent RSA when similar + messages are encrypted with the same public key. More specifically, + in one flavor of the attack, when two inputs to RSAEP agree on a + large fraction of bits (8/9) and low-exponent RSA (e = 3) is used to + encrypt both of them, it may be possible to recover both inputs with + the attack. Another flavor of the attack is successful in decrypting + a single ciphertext when a large fraction (2/3) of the input to RSAEP + is already known. For typical applications, the message to be + encrypted is short (e.g., a 128-bit symmetric key) so not enough + information will be known or common between two messages to enable + the attack. However, if a long message is encrypted, or if part of a + message is known, then the attack may be a concern. In any case, the + RSAEP-OAEP scheme overcomes the attack. + + + + + + +Kaliski & Staddon Informational [Page 16] + +RFC 2437 PKCS #1: RSA Cryptography Specifications October 1998 + + +7.2.1 Encryption operation + + RSAES-PKCS1-V1_5-ENCRYPT ((n, e), M) + + Input: + (n, e) recipient's RSA public key + M message to be encrypted, an octet string of length at + most k-11 octets, where k is the length in octets of the + modulus n + + Output: + C ciphertext, an octet string of length k; or "message too + long" + + Steps: + + 1. Apply the EME-PKCS1-v1_5 encoding operation (Section 9.1.2.1) to + the message M to produce an encoded message EM of length k-1 octets: + + EM = EME-PKCS1-V1_5-ENCODE (M, k-1) + + If the encoding operation outputs "message too long," then output + "message too long" and stop. + + 2. Convert the encoded message EM to an integer message + representative m: m = OS2IP (EM) + + 3. Apply the RSAEP encryption primitive (Section 5.1.1) to the public + key (n, e) and the message representative m to produce an integer + ciphertext representative c: c = RSAEP ((n, e), m) + + 4. Convert the ciphertext representative c to a ciphertext C of + length k octets: C = I2OSP (c, k) + + 5. Output the ciphertext C. + +7.2.2 Decryption operation + + RSAES-PKCS1-V1_5-DECRYPT (K, C) + + Input: + K recipient's RSA private key + C ciphertext to be decrypted, an octet string of length k, + where k is the length in octets of the modulus n + + Output: + M message, an octet string of length at most k-11; or + "decryption error" + + + +Kaliski & Staddon Informational [Page 17] + +RFC 2437 PKCS #1: RSA Cryptography Specifications October 1998 + + + Steps: + + 1. If the length of the ciphertext C is not k octets, output + "decryption error" and stop. + + 2. Convert the ciphertext C to an integer ciphertext representative + c: c = OS2IP (C). + + 3. Apply the RSADP decryption primitive to the private key (n, d) and + the ciphertext representative c to produce an integer message + representative m: m = RSADP ((n, d), c). + + If RSADP outputs "ciphertext out of range," then output "decryption + error" and stop. + + 4. Convert the message representative m to an encoded message EM of + length k-1 octets: EM = I2OSP (m, k-1) + + If I2OSP outputs "integer too large," then output "decryption error" + and stop. + + 5. Apply the EME-PKCS1-v1_5 decoding operation to the encoded message + EM to recover a message M: M = EME-PKCS1-V1_5-DECODE (EM). + + If the decoding operation outputs "decoding error," then output + "decryption error" and stop. + + 6. Output the message M. + + Note. It is important that only one type of error message is output + by EME-PKCS1-v1_5, as ensured by steps 4 and 5. If this is not done, + then an adversary may be able to use information extracted form the + type of error message received to mount a chosen-ciphertext attack + such as the one found in [4]. + +8. Signature schemes with appendix + + A signature scheme with appendix consists of a signature generation + operation and a signature verification operation, where the signature + generation operation produces a signature from a message with a + signer's private key, and the signature verification operation + verifies the signature on the message with the signer's corresponding + public key. To verify a signature constructed with this type of + scheme it is necessary to have the message itself. In this way, + signature schemes with appendix are distinguished from signature + schemes with message recovery, which are not supported in this + document. + + + + +Kaliski & Staddon Informational [Page 18] + +RFC 2437 PKCS #1: RSA Cryptography Specifications October 1998 + + + A signature scheme with appendix can be employed in a variety of + applications. For instance, X.509 [6] employs such a scheme to + authenticate the content of a certificate; the signature scheme with + appendix defined here would be a suitable signature algorithm in that + context. A related signature scheme could be employed in PKCS #7 + [21], although for technical reasons, the current version of PKCS #7 + separates a hash function from a signature scheme, which is different + than what is done here. + + One signature scheme with appendix is specified in this document: + RSASSA-PKCS1-v1_5. + + The signature scheme with appendix given here follows a general model + similar to that employed in IEEE P1363, by combining signature and + verification primitives with an encoding method for signatures. The + signature generation operations apply a message encoding operation to + a message to produce an encoded message, which is then converted to + an integer message representative. A signature primitive is then + applied to the message representative to produce the signature. The + signature verification operations apply a signature verification + primitive to the signature to recover a message representative, which + is then converted to an octet string. The message encoding operation + is again applied to the message, and the result is compared to the + recovered octet string. If there is a match, the signature is + considered valid. (Note that this approach assumes that the signature + and verification primitives have the message-recovery form and the + encoding method is deterministic, as is the case for RSASP1/RSAVP1 + and EMSA-PKCS1-v1_5. The signature generation and verification + operations have a different form in P1363 for other primitives and + encoding methods.) + + Editor's note. RSA Laboratories is investigating the possibility of + including a scheme based on the PSS encoding methods specified in + [3], which would be recommended for new applications. + +8.1 RSASSA-PKCS1-v1_5 + + RSASSA-PKCS1-v1_5 combines the RSASP1 and RSAVP1 primitives with the + EME-PKCS1-v1_5 encoding method. It is compatible with the IFSSA + scheme defined in the draft P1363 where the signature and + verification primitives are IFSP-RSA1 and IFVP-RSA1 and the message + encoding method is EMSA-PKCS1-v1_5 (which is not defined in P1363). + The length of messages on which RSASSA-PKCS1-v1_5 can operate is + either unrestricted or constrained by a very large number, depending + on the hash function underlying the message encoding method. + + + + + + +Kaliski & Staddon Informational [Page 19] + +RFC 2437 PKCS #1: RSA Cryptography Specifications October 1998 + + + Assuming that the hash function in EMSA-PKCS1-v1_5 has appropriate + properties and the key size is sufficiently large, RSASSA-PKCS1-v1_5 + provides secure signatures, meaning that it is computationally + infeasible to generate a signature without knowing the private key, + and computationally infeasible to find a message with a given + signature or two messages with the same signature. Also, in the + encoding method EMSA-PKCS1-v1_5, a hash function identifier is + embedded in the encoding. Because of this feature, an adversary must + invert or find collisions of the particular hash function being used; + attacking a different hash function than the one selected by the + signer is not useful to the adversary. + +8.1.1 Signature generation operation + + RSASSA-PKCS1-V1_5-SIGN (K, M) + Input: + K signer's RSA private ke + M message to be signed, an octet string + + Output: + S signature, an octet string of length k, where k is the + length in octets of the modulus n; "message too long" or + "modulus too short" + Steps: + + 1. Apply the EMSA-PKCS1-v1_5 encoding operation (Section 9.2.1) to + the message M to produce an encoded message EM of length k-1 octets: + + EM = EMSA-PKCS1-V1_5-ENCODE (M, k-1) + + If the encoding operation outputs "message too long," then output + "message too long" and stop. If the encoding operation outputs + "intended encoded message length too short" then output "modulus too + short". + + 2. Convert the encoded message EM to an integer message + representative m: m = OS2IP (EM) + + 3. Apply the RSASP1 signature primitive (Section 5.2.1) to the + private key K and the message representative m to produce an integer + signature representative s: s = RSASP1 (K, m) + + 4. Convert the signature representative s to a signature S of length + k octets: S = I2OSP (s, k) + + 5. Output the signature S. + + + + + +Kaliski & Staddon Informational [Page 20] + +RFC 2437 PKCS #1: RSA Cryptography Specifications October 1998 + + +8.1.2 Signature verification operation + + RSASSA-PKCS1-V1_5-VERIFY ((n, e), M, S) + + Input: + (n, e) signer's RSA public key + M message whose signature is to be verified, an octet string + S signature to be verified, an octet string of length k, + where k is the length in octets of the modulus n + + Output: "valid signature," "invalid signature," or "message too + long", or "modulus too short" + + Steps: + + 1. If the length of the signature S is not k octets, output "invalid + signature" and stop. + + 2. Convert the signature S to an integer signature representative s: + + s = OS2IP (S) + + 3. Apply the RSAVP1 verification primitive (Section 5.2.2) to the + public key (n, e) and the signature representative s to produce an + integer message representative m: + + m = RSAVP1 ((n, e), s) If RSAVP1 outputs "invalid" + then output "invalid signature" and stop. + + 4. Convert the message representative m to an encoded message EM of + length k-1 octets: EM = I2OSP (m, k-1) + + If I2OSP outputs "integer too large," then output "invalid signature" + and stop. + + 5. Apply the EMSA-PKCS1-v1_5 encoding operation (Section 9.2.1) to + the message M to produce a second encoded message EM' of length k-1 + octets: + + EM' = EMSA-PKCS1-V1_5-ENCODE (M, k-1) + + If the encoding operation outputs "message too long," then output + "message too long" and stop. If the encoding operation outputs + "intended encoded message length too short" then output "modulus too + short". + + + + + + +Kaliski & Staddon Informational [Page 21] + +RFC 2437 PKCS #1: RSA Cryptography Specifications October 1998 + + + 6. Compare the encoded message EM and the second encoded message EM'. + If they are the same, output "valid signature"; otherwise, output + "invalid signature." + +9. Encoding methods + + Encoding methods consist of operations that map between octet string + messages and integer message representatives. + + Two types of encoding method are considered in this document: + encoding methods for encryption, encoding methods for signatures with + appendix. + +9.1 Encoding methods for encryption + + An encoding method for encryption consists of an encoding operation + and a decoding operation. An encoding operation maps a message M to a + message representative EM of a specified length; the decoding + operation maps a message representative EM back to a message. The + encoding and decoding operations are inverses. + + The message representative EM will typically have some structure that + can be verified by the decoding operation; the decoding operation + will output "decoding error" if the structure is not present. The + encoding operation may also introduce some randomness, so that + different applications of the encoding operation to the same message + will produce different representatives. + + Two encoding methods for encryption are employed in the encryption + schemes and are specified here: EME-OAEP and EME-PKCS1-v1_5. + +9.1.1 EME-OAEP + + This encoding method is parameterized by the choice of hash function + and mask generation function. Suggested hash and mask generation + functions are given in Section 10. This encoding method is based on + the method found in [2]. + +9.1.1.1 Encoding operation + + EME-OAEP-ENCODE (M, P, emLen) + + Options: + Hash hash function (hLen denotes the length in octet of the + hash function output) + MGF mask generation function + + + + + +Kaliski & Staddon Informational [Page 22] + +RFC 2437 PKCS #1: RSA Cryptography Specifications October 1998 + + + Input: + M message to be encoded, an octet string of length at most + emLen-1-2hLen + P encoding parameters, an octet string + emLen intended length in octets of the encoded message, at least + 2hLen+1 + + Output: + EM encoded message, an octet string of length emLen; + "message too long" or "parameter string too long" + + Steps: + + 1. If the length of P is greater than the input limitation for the + hash function (2^61-1 octets for SHA-1) then output "parameter string + too long" and stop. + + 2. If ||M|| > emLen-2hLen-1 then output "message too long" and stop. + + 3. Generate an octet string PS consisting of emLen-||M||-2hLen-1 zero + octets. The length of PS may be 0. + + 4. Let pHash = Hash(P), an octet string of length hLen. + + 5. Concatenate pHash, PS, the message M, and other padding to form a + data block DB as: DB = pHash || PS || 01 || M + + 6. Generate a random octet string seed of length hLen. + + 7. Let dbMask = MGF(seed, emLen-hLen). + + 8. Let maskedDB = DB \xor dbMask. + + 9. Let seedMask = MGF(maskedDB, hLen). + + 10. Let maskedSeed = seed \xor seedMask. + + 11. Let EM = maskedSeed || maskedDB. + + 12. Output EM. + +9.1.1.2 Decoding operation EME-OAEP-DECODE (EM, P) + + Options: + Hash hash function (hLen denotes the length in octet of the hash + function output) + + MGF mask generation function + + + +Kaliski & Staddon Informational [Page 23] + +RFC 2437 PKCS #1: RSA Cryptography Specifications October 1998 + + + Input: + + EM encoded message, an octet string of length at least 2hLen+1 + P encoding parameters, an octet string + + Output: + M recovered message, an octet string of length at most + ||EM||-1-2hLen; or "decoding error" + + Steps: + + 1. If the length of P is greater than the input limitation for the + hash function (2^61-1 octets for SHA-1) then output "parameter string + too long" and stop. + + 2. If ||EM|| < 2hLen+1, then output "decoding error" and stop. + + 3. Let maskedSeed be the first hLen octets of EM and let maskedDB be + the remaining ||EM|| - hLen octets. + + 4. Let seedMask = MGF(maskedDB, hLen). + + 5. Let seed = maskedSeed \xor seedMask. + + 6. Let dbMask = MGF(seed, ||EM|| - hLen). + + 7. Let DB = maskedDB \xor dbMask. + + 8. Let pHash = Hash(P), an octet string of length hLen. + + 9. Separate DB into an octet string pHash' consisting of the first + hLen octets of DB, a (possibly empty) octet string PS consisting of + consecutive zero octets following pHash', and a message M as: + + DB = pHash' || PS || 01 || M + + If there is no 01 octet to separate PS from M, output "decoding + error" and stop. + + 10. If pHash' does not equal pHash, output "decoding error" and stop. + + 11. Output M. + +9.1.2 EME-PKCS1-v1_5 + + This encoding method is the same as in PKCS #1 v1.5, Section 8: + Encryption Process. + + + + +Kaliski & Staddon Informational [Page 24] + +RFC 2437 PKCS #1: RSA Cryptography Specifications October 1998 + + +9.1.2.1 Encoding operation + + EME-PKCS1-V1_5-ENCODE (M, emLen) + + Input: + M message to be encoded, an octet string of length at most + emLen-10 + emLen intended length in octets of the encoded message + + Output: + EM encoded message, an octet string of length emLen; or + "message too long" + + Steps: + + 1. If the length of the message M is greater than emLen - 10 octets, + output "message too long" and stop. + + 2. Generate an octet string PS of length emLen-||M||-2 consisting of + pseudorandomly generated nonzero octets. The length of PS will be at + least 8 octets. + + 3. Concatenate PS, the message M, and other padding to form the + encoded message EM as: + + EM = 02 || PS || 00 || M + + 4. Output EM. + +9.1.2.2 Decoding operation + + EME-PKCS1-V1_5-DECODE (EM) + + Input: + EM encoded message, an octet string of length at least 10 + + Output: + M recovered message, an octet string of length at most + ||EM||-10; or "decoding error" + + Steps: + + 1. If the length of the encoded message EM is less than 10, output + "decoding error" and stop. + + 2. Separate the encoded message EM into an octet string PS consisting + of nonzero octets and a message M as: EM = 02 || PS || 00 || M. + + + + +Kaliski & Staddon Informational [Page 25] + +RFC 2437 PKCS #1: RSA Cryptography Specifications October 1998 + + + If the first octet of EM is not 02, or if there is no 00 octet to + separate PS from M, output "decoding error" and stop. + + 3. If the length of PS is less than 8 octets, output "decoding error" + and stop. + + 4. Output M. + +9.2 Encoding methods for signatures with appendix + + An encoding method for signatures with appendix, for the purposes of + this document, consists of an encoding operation. An encoding + operation maps a message M to a message representative EM of a + specified length. (In future versions of this document, encoding + methods may be added that also include a decoding operation.) + + One encoding method for signatures with appendix is employed in the + encryption schemes and is specified here: EMSA-PKCS1-v1_5. + +9.2.1 EMSA-PKCS1-v1_5 + + This encoding method only has an encoding operation. + + EMSA-PKCS1-v1_5-ENCODE (M, emLen) + + Option: + Hash hash function (hLen denotes the length in octet of the hash + function output) + + Input: + M message to be encoded + emLen intended length in octets of the encoded message, at least + ||T|| + 10, where T is the DER encoding of a certain value + computed during the encoding operation + + Output: + EM encoded message, an octet string of length emLen; or "message + too long" or "intended encoded message length too short" + + Steps: + + 1. Apply the hash function to the message M to produce a hash value + H: + + H = Hash(M). + + If the hash function outputs "message too long," then output "message + too long". + + + +Kaliski & Staddon Informational [Page 26] + +RFC 2437 PKCS #1: RSA Cryptography Specifications October 1998 + + + 2. Encode the algorithm ID for the hash function and the hash value + into an ASN.1 value of type DigestInfo (see Section 11) with the + Distinguished Encoding Rules (DER), where the type DigestInfo has the + syntax + + DigestInfo::=SEQUENCE{ + digestAlgorithm AlgorithmIdentifier, + digest OCTET STRING } + + The first field identifies the hash function and the second contains + the hash value. Let T be the DER encoding. + + 3. If emLen is less than ||T|| + 10 then output "intended encoded + message length too short". + + 4. Generate an octet string PS consisting of emLen-||T||-2 octets + with value FF (hexadecimal). The length of PS will be at least 8 + octets. + + 5. Concatenate PS, the DER encoding T, and other padding to form the + encoded message EM as: EM = 01 || PS || 00 || T + + 6. Output EM. + +10. Auxiliary Functions + + This section specifies the hash functions and the mask generation + functions that are mentioned in the encoding methods (Section 9). + +10.1 Hash Functions + + Hash functions are used in the operations contained in Sections 7, 8 + and 9. Hash functions are deterministic, meaning that the output is + completely determined by the input. Hash functions take octet strings + of variable length, and generate fixed length octet strings. The hash + functions used in the operations contained in Sections 7, 8 and 9 + should be collision resistant. This means that it is infeasible to + find two distinct inputs to the hash function that produce the same + output. A collision resistant hash function also has the desirable + property of being one-way; this means that given an output, it is + infeasible to find an input whose hash is the specified output. The + property of collision resistance is especially desirable for RSASSA- + PKCS1-v1_5, as it makes it infeasible to forge signatures. In + addition to the requirements, the hash function should yield a mask + generation function (Section 10.2) with pseudorandom output. + + + + + + +Kaliski & Staddon Informational [Page 27] + +RFC 2437 PKCS #1: RSA Cryptography Specifications October 1998 + + + Three hash functions are recommended for the encoding methods in this + document: MD2 [15], MD5 [17], and SHA-1 [16]. For the EME-OAEP + encoding method, only SHA-1 is recommended. For the EMSA-PKCS1-v1_5 + encoding method, SHA-1 is recommended for new applications. MD2 and + MD5 are recommended only for compatibility with existing applications + based on PKCS #1 v1.5. + + The hash functions themselves are not defined here; readers are + referred to the appropriate references ([15], [17] and [16]). + + Note. Version 1.5 of this document also allowed for the use of MD4 in + signature schemes. The cryptanalysis of MD4 has progressed + significantly in the intervening years. For example, Dobbertin [10] + demonstrated how to find collisions for MD4 and that the first two + rounds of MD4 are not one-way [11]. Because of these results and + others (e.g. [9]), MD4 is no longer recommended. There have also been + advances in the cryptanalysis of MD2 and MD5, although not enough to + warrant removal from existing applications. Rogier and Chauvaud [19] + demonstrated how to find collisions in a modified version of MD2. No + one has demonstrated how to find collisions for the full MD5 + algorithm, although partial results have been found (e.g. [8]). For + new applications, to address these concerns, SHA-1 is preferred. + +10.2 Mask Generation Functions + + A mask generation function takes an octet string of variable length + and a desired output length as input, and outputs an octet string of + the desired length. There may be restrictions on the length of the + input and output octet strings, but such bounds are generally very + large. Mask generation functions are deterministic; the octet string + output is completely determined by the input octet string. The output + of a mask generation function should be pseudorandom, that is, if the + seed to the function is unknown, it should be infeasible to + distinguish the output from a truly random string. The plaintext- + awareness of RSAES-OAEP relies on the random nature of the output of + the mask generation function, which in turn relies on the random + nature of the underlying hash. + + One mask generation function is recommended for the encoding methods + in this document, and is defined here: MGF1, which is based on a hash + function. Future versions of this document may define other mask + generation functions. + +10.2.1 MGF1 + + MGF1 is a Mask Generation Function based on a hash function. + + MGF1 (Z, l) + + + +Kaliski & Staddon Informational [Page 28] + +RFC 2437 PKCS #1: RSA Cryptography Specifications October 1998 + + + Options: + Hash hash function (hLen denotes the length in octets of the hash + function output) + + Input: + Z seed from which mask is generated, an octet string + l intended length in octets of the mask, at most 2^32(hLen) + + Output: + mask mask, an octet string of length l; or "mask too long" + + Steps: + + 1.If l > 2^32(hLen), output "mask too long" and stop. + + 2.Let T be the empty octet string. + + 3.For counter from 0 to \lceil{l / hLen}\rceil-1, do the following: + + a.Convert counter to an octet string C of length 4 with the primitive + I2OSP: C = I2OSP (counter, 4) + + b.Concatenate the hash of the seed Z and C to the octet string T: T = + T || Hash (Z || C) + + 4.Output the leading l octets of T as the octet string mask. + +11. ASN.1 syntax + +11.1 Key representation + + This section defines ASN.1 object identifiers for RSA public and + private keys, and defines the types RSAPublicKey and RSAPrivateKey. + The intended application of these definitions includes X.509 + certificates, PKCS #8 [22], and PKCS #12 [23]. + + The object identifier rsaEncryption identifies RSA public and private + keys as defined in Sections 11.1.1 and 11.1.2. The parameters field + associated with this OID in an AlgorithmIdentifier shall have type + NULL. + + rsaEncryption OBJECT IDENTIFIER ::= {pkcs-1 1} + + All of the definitions in this section are the same as in PKCS #1 + v1.5. + + + + + + +Kaliski & Staddon Informational [Page 29] + +RFC 2437 PKCS #1: RSA Cryptography Specifications October 1998 + + +11.1.1 Public-key syntax + + An RSA public key should be represented with the ASN.1 type + RSAPublicKey: + + RSAPublicKey::=SEQUENCE{ + modulus INTEGER, -- n + publicExponent INTEGER -- e } + + (This type is specified in X.509 and is retained here for + compatibility.) + + The fields of type RSAPublicKey have the following meanings: + -modulus is the modulus n. + -publicExponent is the public exponent e. + +11.1.2 Private-key syntax + + An RSA private key should be represented with ASN.1 type + RSAPrivateKey: + + RSAPrivateKey ::= SEQUENCE { + version Version, + modulus INTEGER, -- n + publicExponent INTEGER, -- e + privateExponent INTEGER, -- d + prime1 INTEGER, -- p + prime2 INTEGER, -- q + exponent1 INTEGER, -- d mod (p-1) + exponent2 INTEGER, -- d mod (q-1) + coefficient INTEGER -- (inverse of q) mod p } + + Version ::= INTEGER + + The fields of type RSAPrivateKey have the following meanings: + + -version is the version number, for compatibility with future + revisions of this document. It shall be 0 for this version of the + document. + -modulus is the modulus n. + -publicExponent is the public exponent e. + -privateExponent is the private exponent d. + -prime1 is the prime factor p of n. + -prime2 is the prime factor q of n. + -exponent1 is d mod (p-1). + -exponent2 is d mod (q-1). + -coefficient is the Chinese Remainder Theorem coefficient q-1 mod p. + + + + +Kaliski & Staddon Informational [Page 30] + +RFC 2437 PKCS #1: RSA Cryptography Specifications October 1998 + + +11.2 Scheme identification + + This section defines object identifiers for the encryption and + signature schemes. The schemes compatible with PKCS #1 v1.5 have the + same definitions as in PKCS #1 v1.5. The intended application of + these definitions includes X.509 certificates and PKCS #7. + +11.2.1 Syntax for RSAES-OAEP + + The object identifier id-RSAES-OAEP identifies the RSAES-OAEP + encryption scheme. + + id-RSAES-OAEP OBJECT IDENTIFIER ::= {pkcs-1 7} + + The parameters field associated with this OID in an + AlgorithmIdentifier shall have type RSAEP-OAEP-params: + + RSAES-OAEP-params ::= SEQUENCE { + hashFunc [0] AlgorithmIdentifier {{oaepDigestAlgorithms}} + DEFAULT sha1Identifier, + maskGenFunc [1] AlgorithmIdentifier {{pkcs1MGFAlgorithms}} + DEFAULT mgf1SHA1Identifier, + pSourceFunc [2] AlgorithmIdentifier + {{pkcs1pSourceAlgorithms}} + DEFAULT pSpecifiedEmptyIdentifier } + + The fields of type RSAES-OAEP-params have the following meanings: + + -hashFunc identifies the hash function. It shall be an algorithm ID + with an OID in the set oaepDigestAlgorithms, which for this version + shall consist of id-sha1, identifying the SHA-1 hash function. The + parameters field for id-sha1 shall have type NULL. + + oaepDigestAlgorithms ALGORITHM-IDENTIFIER ::= { + {NULL IDENTIFIED BY id-sha1} } + + id-sha1 OBJECT IDENTIFIER ::= + {iso(1) identified-organization(3) oiw(14) secsig(3) + algorithms(2) 26} + + + The default hash function is SHA-1: + sha1Identifier ::= AlgorithmIdentifier {id-sha1, NULL} + + -maskGenFunc identifies the mask generation function. It shall be an + algorithm ID with an OID in the set pkcs1MGFAlgorithms, which for + this version shall consist of id-mgf1, identifying the MGF1 mask + generation function (see Section 10.2.1). The parameters field for + + + +Kaliski & Staddon Informational [Page 31] + +RFC 2437 PKCS #1: RSA Cryptography Specifications October 1998 + + + id-mgf1 shall have type AlgorithmIdentifier, identifying the hash + function on which MGF1 is based, where the OID for the hash function + shall be in the set oaepDigestAlgorithms. + + pkcs1MGFAlgorithms ALGORITHM-IDENTIFIER ::= { + {AlgorithmIdentifier {{oaepDigestAlgorithms}} IDENTIFIED + BY id-mgf1} } + + id-mgf1 OBJECT IDENTIFIER ::= {pkcs-1 8} + + The default mask generation function is MGF1 with SHA-1: + + mgf1SHA1Identifier ::= AlgorithmIdentifier { + id-mgf1, sha1Identifier } + + -pSourceFunc identifies the source (and possibly the value) of the + encoding parameters P. It shall be an algorithm ID with an OID in the + set pkcs1pSourceAlgorithms, which for this version shall consist of + id-pSpecified, indicating that the encoding parameters are specified + explicitly. The parameters field for id-pSpecified shall have type + OCTET STRING, containing the encoding parameters. + + pkcs1pSourceAlgorithms ALGORITHM-IDENTIFIER ::= { + {OCTET STRING IDENTIFIED BY id-pSpecified} } + + id-pSpecified OBJECT IDENTIFIER ::= {pkcs-1 9} + + The default encoding parameters is an empty string (so that pHash in + EME-OAEP will contain the hash of the empty string): + + pSpecifiedEmptyIdentifier ::= AlgorithmIdentifier { + id-pSpecified, OCTET STRING SIZE (0) } + + If all of the default values of the fields in RSAES-OAEP-params are + used, then the algorithm identifier will have the following value: + + RSAES-OAEP-Default-Identifier ::= AlgorithmIdentifier { + id-RSAES-OAEP, + {sha1Identifier, + mgf1SHA1Identifier, + pSpecifiedEmptyIdentifier } } + +11.2.2 Syntax for RSAES-PKCS1-v1_5 + + The object identifier rsaEncryption (Section 11.1) identifies the + RSAES-PKCS1-v1_5 encryption scheme. The parameters field associated + with this OID in an AlgorithmIdentifier shall have type NULL. This is + the same as in PKCS #1 v1.5. + + + +Kaliski & Staddon Informational [Page 32] + +RFC 2437 PKCS #1: RSA Cryptography Specifications October 1998 + + + RsaEncryption OBJECT IDENTIFIER ::= {PKCS-1 1} + +11.2.3 Syntax for RSASSA-PKCS1-v1_5 + + The object identifier for RSASSA-PKCS1-v1_5 shall be one of the + following. The choice of OID depends on the choice of hash algorithm: + MD2, MD5 or SHA-1. Note that if either MD2 or MD5 is used then the + OID is just as in PKCS #1 v1.5. For each OID, the parameters field + associated with this OID in an AlgorithmIdentifier shall have type + NULL. + + If the hash function to be used is MD2, then the OID should be: + + md2WithRSAEncryption ::= {PKCS-1 2} + + If the hash function to be used is MD5, then the OID should be: + + md5WithRSAEncryption ::= {PKCS-1 4} + + If the hash function to be used is SHA-1, then the OID should be: + + sha1WithRSAEncryption ::= {pkcs-1 5} + + In the digestInfo type mentioned in Section 9.2.1 the OIDS for the + digest algorithm are the following: + + id-SHA1 OBJECT IDENTIFIER ::= + {iso(1) identified-organization(3) oiw(14) secsig(3) + algorithms(2) 26 } + + md2 OBJECT IDENTIFIER ::= + {iso(1) member-body(2) US(840) rsadsi(113549) + digestAlgorithm(2) 2} + + md5 OBJECT IDENTIFIER ::= + {iso(1) member-body(2) US(840) rsadsi(113549) + digestAlgorithm(2) 5} + + The parameters field of the digest algorithm has ASN.1 type NULL for + these OIDs. + +12. Patent statement + + The Internet Standards Process as defined in RFC 1310 requires a + written statement from the Patent holder that a license will be made + available to applicants under reasonable terms and conditions prior + to approving a specification as a Proposed, Draft or Internet + Standard. + + + +Kaliski & Staddon Informational [Page 33] + +RFC 2437 PKCS #1: RSA Cryptography Specifications October 1998 + + + The Internet Society, Internet Architecture Board, Internet + Engineering Steering Group and the Corporation for National Research + Initiatives take no position on the validity or scope of the + following patents and patent applications, nor on the appropriateness + of the terms of the assurance. The Internet Society and other groups + mentioned above have not made any determination as to any other + intellectual property rights which may apply to the practice of this + standard. Any further consideration of these matters is the user's + responsibility. + +12.1 Patent statement for the RSA algorithm + + The Massachusetts Institute of Technology has granted RSA Data + Security, Inc., exclusive sub-licensing rights to the following + patent issued in the United States: + + Cryptographic Communications System and Method ("RSA"), No. 4,405,829 + + RSA Data Security, Inc. has provided the following statement with + regard to this patent: + + It is RSA's business practice to make licenses to its patents + available on reasonable and nondiscriminatory terms. Accordingly, RSA + is willing, upon request, to grant non-exclusive licenses to such + patent on reasonable and non-discriminatory terms and conditions to + those who respect RSA's intellectual property rights and subject to + RSA's then current royalty rate for the patent licensed. The royalty + rate for the RSA patent is presently set at 2% of the licensee's + selling price for each product covered by the patent. Any requests + for license information may be directed to: + + Director of Licensing + RSA Data Security, Inc. + 2955 Campus Drive + Suite 400 + San Mateo, CA 94403 + + A license under RSA's patent(s) does not include any rights to know- + how or other technical information or license under other + intellectual property rights. Such license does not extend to any + activities which constitute infringement or inducement thereto. A + licensee must make his own determination as to whether a license is + necessary under patents of others. + + + + + + + + +Kaliski & Staddon Informational [Page 34] + +RFC 2437 PKCS #1: RSA Cryptography Specifications October 1998 + + +13. Revision history + + Versions 1.0-1.3 + + Versions 1.0-1.3 were distributed to participants in RSA Data + Security, Inc.'s Public-Key Cryptography Standards meetings in + February and March 1991. + + + Version 1.4 + + Version 1.4 was part of the June 3, 1991 initial public release of + PKCS. Version 1.4 was published as NIST/OSI Implementors' Workshop + document SEC-SIG-91-18. + + + Version 1.5 + + Version 1.5 incorporates several editorial changes, including updates + to the references and the addition of a revision history. The + following substantive changes were made: -Section 10: "MD4 with RSA" + signature and verification processes were added. + + -Section 11: md4WithRSAEncryption object identifier was added. + + Version 2.0 [DRAFT] + + Version 2.0 incorporates major editorial changes in terms of the + document structure, and introduces the RSAEP-OAEP encryption scheme. + This version continues to support the encryption and signature + processes in version 1.5, although the hash algorithm MD4 is no + longer allowed due to cryptanalytic advances in the intervening + years. + +14. References + + [1] ANSI, ANSI X9.44: Key Management Using Reversible Public Key + Cryptography for the Financial Services Industry. Work in + Progress. + + [2] M. Bellare and P. Rogaway. Optimal Asymmetric Encryption - How to + Encrypt with RSA. In Advances in Cryptology-Eurocrypt '94, pp. + 92-111, Springer-Verlag, 1994. + + [3] M. Bellare and P. Rogaway. The Exact Security of Digital + Signatures - How to Sign with RSA and Rabin. In Advances in + Cryptology-Eurocrypt '96, pp. 399-416, Springer-Verlag, 1996. + + + + +Kaliski & Staddon Informational [Page 35] + +RFC 2437 PKCS #1: RSA Cryptography Specifications October 1998 + + + [4] D. Bleichenbacher. Chosen Ciphertext Attacks against Protocols + Based on the RSA Encryption Standard PKCS #1. To appear in + Advances in Cryptology-Crypto '98. + + [5] D. Bleichenbacher, B. Kaliski and J. Staddon. Recent Results on + PKCS #1: RSA Encryption Standard. RSA Laboratories' Bulletin, + Number 7, June 24, 1998. + + [6] CCITT. Recommendation X.509: The Directory-Authentication + Framework. 1988. + + [7] D. Coppersmith, M. Franklin, J. Patarin and M. Reiter. Low- + Exponent RSA with Related Messages. In Advances in Cryptology- + Eurocrypt '96, pp. 1-9, Springer-Verlag, 1996 + + [8] B. Den Boer and Bosselaers. Collisions for the Compression + Function of MD5. In Advances in Cryptology-Eurocrypt '93, pp + 293-304, Springer-Verlag, 1994. + + [9] B. den Boer, and A. Bosselaers. An Attack on the Last Two Rounds + of MD4. In Advances in Cryptology-Crypto '91, pp.194-203, + Springer-Verlag, 1992. + + [10] H. Dobbertin. Cryptanalysis of MD4. Fast Software Encryption. + Lecture Notes in Computer Science, Springer-Verlag 1996, pp. + 55-72. + + [11] H. Dobbertin. Cryptanalysis of MD5 Compress. Presented at the + rump session of Eurocrypt `96, May 14, 1996 + + [12] H. Dobbertin.The First Two Rounds of MD4 are Not One-Way. Fast + Software Encryption. Lecture Notes in Computer Science, + Springer-Verlag 1998, pp. 284-292. + + [13] J. Hastad. Solving Simultaneous Modular Equations of Low Degree. + SIAM Journal of Computing, 17, 1988, pp. 336-341. + + [14] IEEE. IEEE P1363: Standard Specifications for Public Key + Cryptography. Draft Version 4. + + [15] Kaliski, B., "The MD2 Message-Digest Algorithm", RFC 1319, April + 1992. + + [16] National Institute of Standards and Technology (NIST). FIPS + Publication 180-1: Secure Hash Standard. April 1994. + + [17] Rivest, R., "The MD5 Message-Digest Algorithm", RFC 1321, April + 1992. + + + +Kaliski & Staddon Informational [Page 36] + +RFC 2437 PKCS #1: RSA Cryptography Specifications October 1998 + + + [18] R. Rivest, A. Shamir and L. Adleman. A Method for Obtaining + Digital Signatures and Public-Key Cryptosystems. Communications + of the ACM, 21(2), pp. 120-126, February 1978. + + [19] N. Rogier and P. Chauvaud. The Compression Function of MD2 is + not Collision Free. Presented at Selected Areas of Cryptography + `95. Carleton University, Ottawa, Canada. May 18-19, 1995. + + [20] RSA Laboratories. PKCS #1: RSA Encryption Standard. Version 1.5, + November 1993. + + [21] RSA Laboratories. PKCS #7: Cryptographic Message Syntax + Standard. Version 1.5, November 1993. + + [22] RSA Laboratories. PKCS #8: Private-Key Information Syntax + Standard. Version 1.2, November 1993. + + [23] RSA Laboratories. PKCS #12: Personal Information Exchange Syntax + Standard. Version 1.0, Work in Progress, April 1997. + +Security Considerations + + Security issues are discussed throughout this memo. + +Acknowledgements + + This document is based on a contribution of RSA Laboratories, a + division of RSA Data Security, Inc. Any substantial use of the text + from this document must acknowledge RSA Data Security, Inc. RSA Data + Security, Inc. requests that all material mentioning or referencing + this document identify this as "RSA Data Security, Inc. PKCS #1 + v2.0". + + + + + + + + + + + + + + + + + + + +Kaliski & Staddon Informational [Page 37] + +RFC 2437 PKCS #1: RSA Cryptography Specifications October 1998 + + +Authors' Addresses + + Burt Kaliski + RSA Laboratories East + 20 Crosby Drive + Bedford, MA 01730 + + Phone: (617) 687-7000 + EMail: burt@rsa.com + + + Jessica Staddon + RSA Laboratories West + 2955 Campus Drive + Suite 400 + San Mateo, CA 94403 + + Phone: (650) 295-7600 + EMail: jstaddon@rsa.com + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +Kaliski & Staddon Informational [Page 38] + +RFC 2437 PKCS #1: RSA Cryptography Specifications October 1998 + + +Full Copyright Statement + + Copyright (C) The Internet Society (1998). All Rights Reserved. + + This document and translations of it may be copied and furnished to + others, and derivative works that comment on or otherwise explain it + or assist in its implementation may be prepared, copied, published + and distributed, in whole or in part, without restriction of any + kind, provided that the above copyright notice and this paragraph are + included on all such copies and derivative works. However, this + document itself may not be modified in any way, such as by removing + the copyright notice or references to the Internet Society or other + Internet organizations, except as needed for the purpose of + developing Internet standards in which case the procedures for + copyrights defined in the Internet Standards process must be + followed, or as required to translate it into languages other than + English. + + The limited permissions granted above are perpetual and will not be + revoked by the Internet Society or its successors or assigns. + + This document and the information contained herein is provided on an + "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING + TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING + BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION + HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF + MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. + + + + + + + + + + + + + + + + + + + + + + + + +Kaliski & Staddon Informational [Page 39] + -- cgit v1.2.3