| < draft-hoffman-pkcs-rsa-encrypt-01.txt | draft-hoffman-pkcs-rsa-encrypt-02.txt > | |||
|---|---|---|---|---|
| Internet Draft RSA Laboratories | Internet Draft Burt Kaliski | |||
| Expires 11/5/97 | Expires March 16, 1998 | |||
| <draft-hoffman-pkcs-rsa-encrypt-01.txt> | <draft-hoffman-pkcs-rsa-encrypt-02.txt> | |||
| PKCS #1: RSA Encryption | PKCS #1: RSA Encryption | |||
| Version 1.5 | Version 1.5 | |||
| Status of this Memo | Status of this Memo | |||
| This document is an Internet-Draft. Internet-Drafts are working | This document is an Internet-Draft. Internet-Drafts are working | |||
| documents of the Internet Engineering Task Force (IETF), its areas, | documents of the Internet Engineering Task Force (IETF), its areas, | |||
| and its working groups. Note that other groups may also distribute | and its working groups. Note that other groups may also distribute | |||
| working documents as Internet-Drafts. | working documents as Internet-Drafts. | |||
| skipping to change at page 1, line 34 ¶ | skipping to change at page 1, line 34 ¶ | |||
| Directories on ftp.is.co.za (Africa), nic.nordu.net (Europe), | Directories on ftp.is.co.za (Africa), nic.nordu.net (Europe), | |||
| munnari.oz.au (Pacific Rim), ds.internic.net (US East Coast), or | munnari.oz.au (Pacific Rim), ds.internic.net (US East Coast), or | |||
| ftp.isi.edu (US West Coast). | ftp.isi.edu (US West Coast). | |||
| This memo provides information for the Internet community. This memo | This memo provides information for the Internet community. This memo | |||
| does not specify an Internet standard of any kind. Distribution of | does not specify an Internet standard of any kind. Distribution of | |||
| this memo is unlimited. | this memo is unlimited. | |||
| Overview | Overview | |||
| This standard describes a method for encrypting data using the RSA | This document describes a method for encrypting data using the RSA | |||
| public-key cryptosystem. | public-key cryptosystem. | |||
| Please note: The information in this document is historical material | ||||
| being published for the public record. It is not an IETF standard. | ||||
| The use of the word "standard" in this document indicates a standard | ||||
| for RSA Laboratories and its customers, not an IETF standard. | ||||
| 1. Scope | 1. Scope | |||
| This standard describes a method for encrypting data using the RSA | This document describes a method for encrypting data using the RSA | |||
| public-key cryptosystem. Its intended use is in the construction of | public-key cryptosystem. Its intended use is in the construction of | |||
| digital signatures and digital envelopes, as described in PKCS #7: | digital signatures and digital envelopes, as described in PKCS #7: | |||
| o For digital signatures, the content to be signed | o For digital signatures, the content to be signed | |||
| PKCS #1: RSA Encryption | ||||
| is first reduced to a message digest with a | is first reduced to a message digest with a | |||
| message-digest algorithm (such as MD5), and then | message-digest algorithm (such as MD5), and then | |||
| an octet string containing the message digest is | an octet string containing the message digest is | |||
| encrypted with the RSA private key of the signer | encrypted with the RSA private key of the signer | |||
| of the content. The content and the encrypted | of the content. The content and the encrypted | |||
| message digest are represented together according | message digest are represented together according | |||
| to the syntax in PKCS #7 to yield a digital | to the syntax in PKCS #7 to yield a digital | |||
| RFC nnn PKCS #1: RSA Encryption November 1993 | ||||
| signature. This application is compatible with | signature. This application is compatible with | |||
| Privacy-Enhanced Mail (PEM) methods. | Privacy-Enhanced Mail (PEM) methods. | |||
| o For digital envelopes, the content to be enveloped | o For digital envelopes, the content to be enveloped | |||
| is first encrypted under a content-encryption key | is first encrypted under a content-encryption key | |||
| with a content-encryption algorithm (such as DES), | with a content-encryption algorithm (such as DES), | |||
| and then the content-encryption key is encrypted | and then the content-encryption key is encrypted | |||
| with the RSA public keys of the recipients of the | with the RSA public keys of the recipients of the | |||
| content. The encrypted content and the encrypted | content. The encrypted content and the encrypted | |||
| content-encryption key are represented together | content-encryption key are represented together | |||
| according to the syntax in PKCS #7 to yield a | according to the syntax in PKCS #7 to yield a | |||
| digital envelope. This application is also | digital envelope. This application is also | |||
| compatible with PEM methods. | compatible with PEM methods. | |||
| The standard also describes a syntax for RSA public keys and private | The document also describes a syntax for RSA public keys and private | |||
| keys. The public-key syntax would be used in certificates; the | keys. The public-key syntax would be used in certificates; the | |||
| private-key syntax would be used typically in PKCS #8 private-key | private-key syntax would be used typically in PKCS #8 private-key | |||
| information. The public-key syntax is identical to that in both X.509 | information. The public-key syntax is identical to that in both X.509 | |||
| and Privacy-Enhanced Mail. Thus X.509/PEM RSA keys can be used in | and Privacy-Enhanced Mail. Thus X.509/PEM RSA keys can be used in | |||
| this standard. | this document. | |||
| The standard also defines three signature algorithms for use in | The document also defines three signature algorithms for use in | |||
| signing X.509/PEM certificates and certificate-revocation lists, PKCS | signing X.509/PEM certificates and certificate-revocation lists, PKCS | |||
| #6 extended certificates, and other objects employing digital | #6 extended certificates, and other objects employing digital | |||
| signatures such as X.401 message tokens. | signatures such as X.401 message tokens. | |||
| Details on message-digest and content-encryption algorithms are | Details on message-digest and content-encryption algorithms are | |||
| outside the scope of this standard, as are details on sources of the | outside the scope of this document, as are details on sources of the | |||
| pseudorandom bits required by certain methods in this standard. | pseudorandom bits required by certain methods in this document. | |||
| 2. References | 2. References | |||
| FIPS PUB 46-1 National Bureau of Standards. FIPS PUB 46-1: | FIPS PUB 46-1 National Bureau of Standards. FIPS PUB 46-1: | |||
| Data Encryption Standard. January 1988. | Data Encryption Standard. January 1988. | |||
| PKCS #6 RSA Laboratories. PKCS #6: Extended-Certificate | PKCS #6 RSA Laboratories. PKCS #6: Extended-Certificate | |||
| Syntax Standard. Version 1.5, November 1993. | Syntax. Version 1.5, November 1993. | |||
| PKCS #7 RSA Laboratories. PKCS #7: Cryptographic Message | PKCS #7 RSA Laboratories. PKCS #7: Cryptographic Message | |||
| Syntax Standard. Version 1.5, November 1993. | Syntax. Version 1.5, November 1993. | |||
| PKCS #8 RSA Laboratories. PKCS #8: Private-Key Information | PKCS #8 RSA Laboratories. PKCS #8: Private-Key Information | |||
| Syntax Standard. Version 1.2, November 1993. | Syntax. Version 1.2, November 1993. | |||
| RFC 1319 B. Kaliski. RFC 1319: The MD2 Message-Digest | RFC 1319 B. Kaliski. RFC 1319: The MD2 Message-Digest | |||
| Algorithm. April 1992. | Algorithm. April 1992. | |||
| RFC 1320 R. Rivest. RFC 1320: The MD4 Message-Digest | RFC 1320 R. Rivest. RFC 1320: The MD4 Message-Digest | |||
| Algorithm. April 1992. | Algorithm. April 1992. | |||
| RFC 1321 R. Rivest. RFC 1321: The MD5 Message-Digest | RFC 1321 R. Rivest. RFC 1321: The MD5 Message-Digest | |||
| Algorithm. April 1992. | Algorithm. April 1992. | |||
| RFC 1423 D. Balenson. RFC 1423: Privacy Enhancement for | RFC 1423 D. Balenson. RFC 1423: Privacy Enhancement for | |||
| Internet Electronic Mail: Part III: Algorithms, | Internet Electronic Mail: Part III: Algorithms, | |||
| Modes, and Identifiers. February 1993. | Modes, and Identifiers. February 1993. | |||
| X.208 CCITT. Recommendation X.208: Specification of | X.208 CCITT. Recommendation X.208: Specification of | |||
| skipping to change at page 4, line 4 ¶ | skipping to change at page 3, line 48 ¶ | |||
| EUROCRYPT '93 (Lofthus, Norway, May 24-27, 1993). | EUROCRYPT '93 (Lofthus, Norway, May 24-27, 1993). | |||
| [DO86] Y. Desmedt and A.M. Odlyzko. A chosen text attack | [DO86] Y. Desmedt and A.M. Odlyzko. A chosen text attack | |||
| on the RSA cryptosystem and some discrete | on the RSA cryptosystem and some discrete | |||
| logarithm schemes. In H.C. Williams, editor, | logarithm schemes. In H.C. Williams, editor, | |||
| Advances in Cryptology---CRYPTO '85 Proceedings, | Advances in Cryptology---CRYPTO '85 Proceedings, | |||
| volume 218 of Lecture Notes in Computer Science, | volume 218 of Lecture Notes in Computer Science, | |||
| pages 516-521. Springer-Verlag, New York, 1986. | pages 516-521. Springer-Verlag, New York, 1986. | |||
| [Has88] Johan Hastad. Solving simultaneous modular | [Has88] Johan Hastad. Solving simultaneous modular | |||
| equations. SIAM Journal on Computing, | equations. SIAM Journal on Computing, | |||
| 17(2):336-341, April 1988. | 17(2):336-341, April 1988. | |||
| [IM90] Colin I'Anson and Chris Mitchell. Security defects | [IM90] Colin I'Anson and Chris Mitchell. Security defects | |||
| in CCITT Recommendation X.509--The directory | in CCITT Recommendation X.509--The directory | |||
| authentication framework. Computer Communications | authentication framework. Computer Communications | |||
| Review, :30-34, April 1990. | Review, :30-34, April 1990. | |||
| [Mer90] R.C. Merkle. Note on MD4. Unpublished manuscript, | [Mer90] R.C. Merkle. Note on MD4. Unpublished manuscript, | |||
| 1990. | 1990. | |||
| [Mil76] G.L. Miller. Riemann's hypothesis and tests for | [Mil76] G.L. Miller. Riemann's hypothesis and tests for | |||
| primality. Journal of Computer and Systems | primality. Journal of Computer and Systems | |||
| Sciences, 13(3):300-307, 1976. | Sciences, 13(3):300-307, 1976. | |||
| [QC82] J.-J. Quisquater and C. Couvreur. Fast | [QC82] J.-J. Quisquater and C. Couvreur. Fast | |||
| decipherment algorithm for RSA public-key | decipherment algorithm for RSA public-key | |||
| cryptosystem. Electronics Letters, 18(21):905-907, | cryptosystem. Electronics Letters, 18(21):905-907, | |||
| October 1982. | October 1982. | |||
| [RSA78] R.L. Rivest, A. Shamir, and L. Adleman. A method | [RSA78] R.L. Rivest, A. Shamir, and L. Adleman. A method | |||
| for obtaining digital signatures and public-key | for obtaining digital signatures and public-key | |||
| cryptosystems. Communications of the ACM, | cryptosystems. Communications of the ACM, | |||
| 21(2):120-126, February 1978. | 21(2):120-126, February 1978. | |||
| 3. Definitions | 3. Definitions | |||
| For the purposes of this standard, the following definitions apply. | For the purposes of this document, the following definitions apply. | |||
| AlgorithmIdentifier: A type that identifies an algorithm (by object | AlgorithmIdentifier: A type that identifies an algorithm (by object | |||
| identifier) and associated parameters. This type is defined in X.509. | identifier) and associated parameters. This type is defined in X.509. | |||
| ASN.1: Abstract Syntax Notation One, as defined in X.208. | ASN.1: Abstract Syntax Notation One, as defined in X.208. | |||
| BER: Basic Encoding Rules, as defined in X.209. | BER: Basic Encoding Rules, as defined in X.209. | |||
| DES: Data Encryption Standard, as defined in FIPS PUB 46-1. | DES: Data Encryption Standard, as defined in FIPS PUB 46-1. | |||
| skipping to change at page 5, line 5 ¶ | skipping to change at page 4, line 48 ¶ | |||
| defined in RFC 1319. | defined in RFC 1319. | |||
| MD4: RSA Data Security, Inc.'s MD4 message-digest algorithm, as | MD4: RSA Data Security, Inc.'s MD4 message-digest algorithm, as | |||
| defined in RFC 1320. | defined in RFC 1320. | |||
| MD5: RSA Data Security, Inc.'s MD5 message-digest algorithm, as | MD5: RSA Data Security, Inc.'s MD5 message-digest algorithm, as | |||
| defined in RFC 1321. | defined in RFC 1321. | |||
| modulus: Integer constructed as the product of two primes. | modulus: Integer constructed as the product of two primes. | |||
| PEM: Internet Privacy-Enhanced Mail, as defined in RFC 1423 and | PEM: Internet Privacy-Enhanced Mail, as defined in RFC 1423 and | |||
| related documents. | related documents. | |||
| RSA: The RSA public-key cryptosystem, as defined in [RSA78]. | RSA: The RSA public-key cryptosystem, as defined in [RSA78]. | |||
| private key: Modulus and private exponent. | private key: Modulus and private exponent. | |||
| public key: Modulus and public exponent. | public key: Modulus and public exponent. | |||
| 4. Symbols and abbreviations | 4. Symbols and abbreviations | |||
| Upper-case italic symbols (e.g., BT) denote octet strings and bit | Upper-case symbols (e.g., BT) denote octet strings and bit strings | |||
| strings (in the case of the signature S); lower-case italic symbols | (in the case of the signature S); lower-case symbols (e.g., c) denote | |||
| (e.g., c) denote integers. | integers. | |||
| ab  hexadecimal octet value; c  exponent | ab  hexadecimal octet value; c  exponent | |||
| BT  block type; d  private exponent | BT  block type; d  private exponent | |||
| D  data; e  public exponent | D  data; e  public exponent | |||
| EB  encryption block; k  length of modulus in octets | EB  encryption block; k  length of modulus in octets | |||
| ED  encrypted data; n  modulus | ED  encrypted data; n  modulus | |||
| M  message; p, q  prime factors of modulus | M  message; p, q  prime factors of modulus | |||
| MD  message digest; x  integer encryption block | MD  message digest; x  integer encryption block | |||
| MD'  comparative message; y  integer encrypted data | MD'  comparative message; y  integer encrypted data | |||
| skipping to change at page 6, line 4 ¶ | skipping to change at page 5, line 48 ¶ | |||
| Thus the encryption process can be either a public-key operation or a | Thus the encryption process can be either a public-key operation or a | |||
| private-key operation, and so can the decryption process. Both | private-key operation, and so can the decryption process. Both | |||
| processes transform an octet string to another octet string. The | processes transform an octet string to another octet string. The | |||
| processes are inverses of each other if one process uses an entity's | processes are inverses of each other if one process uses an entity's | |||
| public key and the other process uses the same entity's private key. | public key and the other process uses the same entity's private key. | |||
| The encryption and decryption processes can implement either the | The encryption and decryption processes can implement either the | |||
| classic RSA transformations, or variations with padding. | classic RSA transformations, or variations with padding. | |||
| 6. Key generation | 6. Key generation | |||
| This section describes RSA key generation. | This section describes RSA key generation. | |||
| Each entity shall select a positive integer e as its public exponent. | Each entity shall select a positive integer e as its public exponent. | |||
| Each entity shall privately and randomly select two distinct odd | Each entity shall privately and randomly select two distinct odd | |||
| primes p and q such that (p-1) and e have no common divisors, and | primes p and q such that (p-1) and e have no common divisors, and | |||
| (q-1) and e have no common divisors. | (q-1) and e have no common divisors. | |||
| The public modulus n shall be the product of the private prime | The public modulus n shall be the product of the private prime | |||
| factors p and q: | factors p and q: | |||
| n = pq . | n = pq . | |||
| The private exponent shall be a positive integer d such that de-1 is | The private exponent shall be a positive integer d such that de-1 is | |||
| divisible by both p-1 and q-1. | divisible by both p-1 and q-1. | |||
| The length of the modulus n in octets is the integer k satisfying | The length of the modulus n in octets is the integer k satisfying | |||
| 2^(8(k-1)) <= n < 2^(8k) . | 2^(8(k-1)) <= n < 2^(8k) . | |||
| The length k of the modulus must be at least 12 octets to accommodate | The length k of the modulus must be at least 12 octets to accommodate | |||
| the block formats in this standard (see Section 8). | the block formats in this document (see Section 8). | |||
| Notes. | Notes. | |||
| 1. The public exponent may be standardized in | 1. The public exponent may be standardized in | |||
| specific applications. The values 3 and F4 (65537) | specific applications. The values 3 and F4 (65537) | |||
| may have some practical advantages, as noted in | may have some practical advantages, as noted in | |||
| X.509 Annex C. | X.509 Annex C. | |||
| 2. Some additional conditions on the choice of primes | 2. Some additional conditions on the choice of primes | |||
| may well be taken into account in order to deter | may well be taken into account in order to deter | |||
| factorization of the modulus. These security | factorization of the modulus. These security | |||
| conditions fall outside the scope of this | conditions fall outside the scope of this | |||
| standard. The lower bound on the length k is to | document. The lower bound on the length k is to | |||
| accommodate the block formats, not for security. | accommodate the block formats, not for security. | |||
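
A worked example of the key-generation conditions of Section 6 and of the RSAPrivateKey fields of Section 7.2, added here as illustration; it is not part of the draft and not RSA Laboratories' code. It also performs the conversion that Note 1 of Section 7.2 attributes to Miller [Mil76]: recovering p and q from n, e and d. All function names, the Miller-Rabin round count and the default key sizes are this example's own assumptions; prime selection itself is out of the draft's scope.

```python
# Added worked example (not the draft's own code): key generation per Section 6,
# the RSAPrivateKey fields of Section 7.2, and the (n, e, d) -> (p, q) conversion
# that Section 7.2 Note 1 credits to Miller [Mil76]. Function names, the
# Miller-Rabin round count and the default sizes are this example's assumptions.
import math
import secrets


def is_probable_prime(n, rounds=32):
    """Miller-Rabin test. Prime selection is outside the draft's scope; 32
    rounds is an assumption adequate for a demonstration."""
    if n < 2:
        return False
    for s in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % s == 0:
            return n == s
    r, t = n - 1, 0
    while r % 2 == 0:
        r, t = r // 2, t + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, r, n)
        if x in (1, n - 1):
            continue
        for _ in range(t - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits, e):
    """Odd prime of exactly `bits` bits with gcd(p-1, e) == 1 (Section 6)."""
    while True:
        p = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if math.gcd(p - 1, e) == 1 and is_probable_prime(p):
            return p


def modulus_octets(n):
    """The k of Section 6: the integer with 2^(8(k-1)) <= n < 2^(8k)."""
    return (n.bit_length() + 7) // 8


def generate_key(modulus_bits=256, e=65537):
    """Return the RSAPrivateKey fields of Section 7.2 as a dict."""
    while True:
        p = random_prime(modulus_bits // 2, e)
        q = random_prime(modulus_bits - modulus_bits // 2, e)
        n = p * q
        if p != q and n.bit_length() == modulus_bits:
            break
    # Section 6: d*e - 1 divisible by p-1 and q-1, i.e. d = e^-1 mod lcm(p-1, q-1).
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)
    d = pow(e, -1, lam)
    return {"version": 0, "modulus": n, "publicExponent": e, "privateExponent": d,
            "prime1": p, "prime2": q, "exponent1": d % (p - 1),
            "exponent2": d % (q - 1), "coefficient": pow(q, -1, p)}


def check_key(key):
    """Raise ValueError unless every condition Sections 6 and 7.2 state holds."""
    n, e, d = key["modulus"], key["publicExponent"], key["privateExponent"]
    p, q = key["prime1"], key["prime2"]
    ok = (p != q and p % 2 == 1 and q % 2 == 1
          and math.gcd(p - 1, e) == 1 and math.gcd(q - 1, e) == 1
          and n == p * q
          and (d * e - 1) % (p - 1) == 0 and (d * e - 1) % (q - 1) == 0
          and key["exponent1"] == d % (p - 1) and key["exponent2"] == d % (q - 1)
          and key["coefficient"] * q % p == 1
          and modulus_octets(n) >= 12)   # bound the Section 8 block formats need
    if not ok:
        raise ValueError("key violates a Section 6 / 7.2 condition")
    return True


def recover_primes(n, e, d):
    """Miller [Mil76]: e*d - 1 is a multiple of lcm(p-1, q-1), hence of the
    order of every unit g mod n. Write e*d - 1 = 2^t * r and square g^r: the
    last value before 1 is a square root of 1, and when it is not n-1,
    gcd(root - 1, n) is a prime factor of n."""
    r, t = e * d - 1, 0
    while r % 2 == 0:
        r, t = r // 2, t + 1
    while True:
        x = pow(secrets.randbelow(n - 3) + 2, r, n)
        if x in (1, n - 1):
            continue                    # this g yields only trivial roots; retry
        for _ in range(t):
            y = pow(x, 2, n)
            if y == 1:
                p = math.gcd(x - 1, n)
                return tuple(sorted((p, n // p)))
            if y == n - 1:
                break
            x = y
```

Call generate_key(), pass the result to check_key(), and then recover_primes() on the modulus and the two exponents. The practical point of recover_primes is that a private key stored as (n, d) alone is no less sensitive than the full RSAPrivateKey: whoever holds n, e and d can rebuild prime1, prime2, exponent1, exponent2 and coefficient.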
| 7. Key syntax | 7. Key syntax | |||
| This section gives the syntax for RSA public and private keys. | This section gives the syntax for RSA public and private keys. | |||
| 7.1 Public-key syntax | 7.1 Public-key syntax | |||
| An RSA public key shall have ASN.1 type RSAPublicKey: | An RSA public key shall have ASN.1 type RSAPublicKey: | |||
| RSAPublicKey ::= SEQUENCE { | RSAPublicKey ::= SEQUENCE { | |||
| modulus INTEGER, -- n | modulus INTEGER, -- n | |||
| publicExponent INTEGER -- e } | publicExponent INTEGER -- e } | |||
| (This type is specified in X.509 and is retained here for | (This type is specified in X.509 and is retained here for | |||
| compatibility.) | compatibility.) | |||
| The fields of type RSAPublicKey have the following meanings: | The fields of type RSAPublicKey have the following meanings: | |||
| o modulus is the modulus n. | o modulus is the modulus n. | |||
| o publicExponent is the public exponent e. | o publicExponent is the public exponent e. | |||
| 7.2 Private-key syntax | 7.2 Private-key syntax | |||
| An RSA private key shall have ASN.1 type RSAPrivateKey: | An RSA private key shall have ASN.1 type RSAPrivateKey: | |||
| RSAPrivateKey ::= SEQUENCE { | RSAPrivateKey ::= SEQUENCE { | |||
| version Version, | version Version, | |||
| skipping to change at page 7, line 36 ¶ | skipping to change at page 7, line 31 ¶ | |||
| prime2 INTEGER, -- q | prime2 INTEGER, -- q | |||
| exponent1 INTEGER, -- d mod (p-1) | exponent1 INTEGER, -- d mod (p-1) | |||
| exponent2 INTEGER, -- d mod (q-1) | exponent2 INTEGER, -- d mod (q-1) | |||
| coefficient INTEGER -- (inverse of q) mod p } | coefficient INTEGER -- (inverse of q) mod p } | |||
| Version ::= INTEGER | Version ::= INTEGER | |||
| The fields of type RSAPrivateKey have the following meanings: | The fields of type RSAPrivateKey have the following meanings: | |||
| o version is the version number, for compatibility | o version is the version number, for compatibility | |||
| with future revisions of this standard. It shall | with future revisions of this document. It shall | |||
| be 0 for this version of the standard. | be 0 for this version of the document. | |||
| o modulus is the modulus n. | o modulus is the modulus n. | |||
| o publicExponent is the public exponent e. | o publicExponent is the public exponent e. | |||
| o privateExponent is the private exponent d. | o privateExponent is the private exponent d. | |||
| o prime1 is the prime factor p of n. | o prime1 is the prime factor p of n. | |||
| o prime2 is the prime factor q of n. | o prime2 is the prime factor q of n. | |||
| o exponent1 is d mod (p-1). | o exponent1 is d mod (p-1). | |||
| o exponent2 is d mod (q-1). | o exponent2 is d mod (q-1). | |||
| o coefficient is the Chinese Remainder Theorem | o coefficient is the Chinese Remainder Theorem | |||
| coefficient q^(-1) mod p. | coefficient q^(-1) mod p. | |||
| Notes. | Notes. | |||
| 1. An RSA private key logically consists of only the | 1. An RSA private key logically consists of only the | |||
| modulus n and the private exponent d. The presence | modulus n and the private exponent d. The presence | |||
| of the values p, q, d mod (p-1), d mod (q-1), and | of the values p, q, d mod (p-1), d mod (q-1), and | |||
| q^(-1) mod p is intended for efficiency, as | q^(-1) mod p is intended for efficiency, as | |||
| Quisquater and Couvreur have shown [QC82]. A | Quisquater and Couvreur have shown [QC82]. A | |||
| private-key syntax that does not include all the | private-key syntax that does not include all the | |||
| extra values can be converted readily to the | extra values can be converted readily to the | |||
| syntax defined here, provided the public key is | syntax defined here, provided the public key is | |||
| known, according to a result by Miller [Mil76]. | known, according to a result by Miller [Mil76]. | |||
| 2. The presence of the public exponent e is intended | 2. The presence of the public exponent e is intended | |||
| skipping to change at page 8, line 44 ¶ | skipping to change at page 8, line 41 ¶ | |||
| from the encryption process shall be an octet string ED, the | from the encryption process shall be an octet string ED, the | |||
| encrypted data. | encrypted data. | |||
| The length of the data D shall not be more than k-11 octets, which is | The length of the data D shall not be more than k-11 octets, which is | |||
| positive since the length k of the modulus is at least 12 octets. | positive since the length k of the modulus is at least 12 octets. | |||
| This limitation guarantees that the length of the padding string PS | This limitation guarantees that the length of the padding string PS | |||
| is at least eight octets, which is a security condition. | is at least eight octets, which is a security condition. | |||
| Notes. | Notes. | |||
| 1. In typical applications of this standard to | 1. In typical applications of this document to | |||
| encrypt content-encryption keys and message | encrypt content-encryption keys and message | |||
| digests, one would have ||D|| <= 30. Thus the | digests, one would have ||D|| <= 30. Thus the | |||
| length of the RSA modulus will need to be at least | length of the RSA modulus will need to be at least | |||
| 328 bits (41 octets), which is reasonable and | 328 bits (41 octets), which is reasonable and | |||
| consistent with security recommendations. | consistent with security recommendations. | |||
| 2. The encryption process does not provide an | 2. The encryption process does not provide an | |||
| explicit integrity check to facilitate error | explicit integrity check to facilitate error | |||
| detection should the encrypted data be corrupted | detection should the encrypted data be corrupted | |||
| in transmission. However, the structure of the | in transmission. However, the structure of the | |||
| encryption block guarantees that the probability | encryption block guarantees that the probability | |||
| that corruption is undetected is less than 2^(-16), | that corruption is undetected is less than 2^(-16), | |||
| which is an upper bound on the probability that a | which is an upper bound on the probability that a | |||
| random encryption block looks like block type 02. | random encryption block looks like block type 02. | |||
| 3. Application of private-key operations as defined | 3. Application of private-key operations as defined | |||
| here to data other than an octet string containing | here to data other than an octet string containing | |||
| a message digest is not recommended and is subject | a message digest is not recommended and is subject | |||
| to further study. | to further study. | |||
| 4. This standard may be extended to handle data of | 4. This document may be extended to handle data of | |||
| length more than k-11 octets. | length more than k-11 octets. | |||
| 8.1 Encryption-block formatting | 8.1 Encryption-block formatting | |||
| A block type BT, a padding string PS, and the data D shall be | A block type BT, a padding string PS, and the data D shall be | |||
| formatted into an octet string EB, the encryption block. | formatted into an octet string EB, the encryption block. | |||
| EB = 00 || BT || PS || 00 || D . (1) | EB = 00 || BT || PS || 00 || D . (1) | |||
| The block type BT shall be a single octet indicating the structure of | The block type BT shall be a single octet indicating the structure of | |||
| the encryption block. For this version of the standard it shall have | the encryption block. For this version of the document it shall have | |||
| value 00, 01, or 02. For a private-key operation, the block type | value 00, 01, or 02. For a private-key operation, the block type | |||
| shall be 00 or 01. For a public-key operation, it shall be 02. | shall be 00 or 01. For a public-key operation, it shall be 02. | |||
| The padding string PS shall consist of k-3-||D|| octets. For block | The padding string PS shall consist of k-3-||D|| octets. For block | |||
| type 00, the octets shall have value 00; for block type 01, they | type 00, the octets shall have value 00; for block type 01, they | |||
| shall have value FF; and for block type 02, they shall be | shall have value FF; and for block type 02, they shall be | |||
| pseudorandomly generated and nonzero. This makes the length of the | pseudorandomly generated and nonzero. This makes the length of the | |||
| encryption block EB equal to k. | encryption block EB equal to k. | |||
| Notes. | Notes. | |||
| skipping to change at page 10, line 5 ¶ | skipping to change at page 9, line 51 ¶ | |||
| 2. For block type 00, the data D must begin with a | 2. For block type 00, the data D must begin with a | |||
| nonzero octet or have known length so that the | nonzero octet or have known length so that the | |||
| encryption block can be parsed unambiguously. For | encryption block can be parsed unambiguously. For | |||
| block types 01 and 02, the encryption block can be | block types 01 and 02, the encryption block can be | |||
| parsed unambiguously since the padding string PS | parsed unambiguously since the padding string PS | |||
| contains no octets with value 00 and the padding | contains no octets with value 00 and the padding | |||
| string is separated from the data D by an octet | string is separated from the data D by an octet | |||
| with value 00. | with value 00. | |||
| 3. Block type 01 is recommended for private-key | 3. Block type 01 is recommended for private-key | |||
| operations. Block type 01 has the property that | operations. Block type 01 has the property that | |||
| the encryption block, converted to an integer, is | the encryption block, converted to an integer, is | |||
| guaranteed to be large, which prevents certain | guaranteed to be large, which prevents certain | |||
| attacks of the kind proposed by Desmedt and | attacks of the kind proposed by Desmedt and | |||
| Odlyzko [DO86]. | Odlyzko [DO86]. | |||
| 4. Block types 01 and 02 are compatible with PEM RSA | 4. Block types 01 and 02 are compatible with PEM RSA | |||
| encryption of content-encryption keys and message | encryption of content-encryption keys and message | |||
| digests as described in RFC 1423. | digests as described in RFC 1423. | |||
| 5. For block type 02, it is recommended that the | 5. For block type 02, it is recommended that the | |||
| pseudorandom octets be generated independently for | pseudorandom octets be generated independently for | |||
| skipping to change at page 10, line 32 ¶ | skipping to change at page 10, line 29 ¶ | |||
| Hastad's results [Has88] motivate this | Hastad's results [Has88] motivate this | |||
| recommendation. | recommendation. | |||
| 6. For block type 02, the padding string is at least | 6. For block type 02, the padding string is at least | |||
| eight octets long, which is a security condition | eight octets long, which is a security condition | |||
| for public-key operations that prevents an | for public-key operations that prevents an | |||
| attacker from recovering data by trying all possible | attacker from recovering data by trying all possible | |||
| encryption blocks. For simplicity, the minimum | encryption blocks. For simplicity, the minimum | |||
| length is the same for block type 01. | length is the same for block type 01. | |||
| 7. This standard may be extended in the future to | 7. This document may be extended in the future to | |||
| include other block types. | include other block types. | |||
| 8.2 Octet-string-to-integer conversion | 8.2 Octet-string-to-integer conversion | |||
| The encryption block EB shall be converted to an integer x, the | The encryption block EB shall be converted to an integer x, the | |||
| integer encryption block. Let EB1, ..., EBk be the octets of EB from | integer encryption block. Let EB1, ..., EBk be the octets of EB from | |||
| first to last. Then the integer x shall satisfy | first to last. Then the integer x shall satisfy | |||
| x = SUM_{i=1..k} 2^(8(k-i)) EBi . (2) | x = SUM_{i=1..k} 2^(8(k-i)) EBi . (2) | |||
| skipping to change at page 11, line 5 ¶ | skipping to change at page 10, line 53 ¶ | |||
| the integer and the last octet of EB has the least significance. | the integer and the last octet of EB has the least significance. | |||
| Note. The integer encryption block x satisfies 0 <= x < n since EB1 | Note. The integer encryption block x satisfies 0 <= x < n since EB1 | |||
| = 00 and 2^(8(k-1)) <= n. | = 00 and 2^(8(k-1)) <= n. | |||
| 8.3 RSA computation | 8.3 RSA computation | |||
| The integer encryption block x shall be raised to the power c modulo | The integer encryption block x shall be raised to the power c modulo | |||
| n to give an integer y, the integer encrypted data. | n to give an integer y, the integer encrypted data. | |||
| y = x^c mod n, 0 <= y < n . | y = x^c mod n, 0 <= y < n . | |||
| This is the classic RSA computation. | This is the classic RSA computation. | |||
| 8.4 Integer-to-octet-string conversion | 8.4 Integer-to-octet-string conversion | |||
| The integer encrypted data y shall be converted to an octet string ED | The integer encrypted data y shall be converted to an octet string ED | |||
| of length k, the encrypted data. The encrypted data ED shall satisfy | of length k, the encrypted data. The encrypted data ED shall satisfy | |||
| k | k | |||
| y = SUM 2^(8(k-i)) EDi . (3) | y = SUM 2^(8(k-i)) EDi . (3) | |||
| i = 1 | i = 1 | |||
| skipping to change at page 12, line 4 ¶ | skipping to change at page 11, line 53 ¶ | |||
| The encrypted data ED shall be converted to an integer y, the integer | The encrypted data ED shall be converted to an integer y, the integer | |||
| encrypted data, according to Equation (3). | encrypted data, according to Equation (3). | |||
| It is an error if the integer encrypted data y does not satisfy 0 <= | It is an error if the integer encrypted data y does not satisfy 0 <= | |||
| y < n. | y < n. | |||
| 9.2 RSA computation | 9.2 RSA computation | |||
| The integer encrypted data y shall be raised to the power c modulo n | The integer encrypted data y shall be raised to the power c modulo n | |||
| to give an integer x, the integer encryption block. | to give an integer x, the integer encryption block. | |||
| x = y^c mod n, 0 <= x < n . | x = y^c mod n, 0 <= x < n . | |||
| This is the classic RSA computation. | This is the classic RSA computation. | |||
| 9.3 Integer-to-octet-string conversion | 9.3 Integer-to-octet-string conversion | |||
| The integer encryption block x shall be converted to an octet string | The integer encryption block x shall be converted to an octet string | |||
| EB of length k, the encryption block, according to Equation (2). | EB of length k, the encryption block, according to Equation (2). | |||
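Sections 8.2 to 8.4 and 9.1 to 9.3 carried through in Python, as an added example that is not text or code from the draft. It uses the constructed textbook key p = 61, q = 53 (n = 3233, e = 17, d = 2753), far too small for any real use, so that every intermediate value can be checked by hand; k is taken to be the length of n in octets, as the draft uses it. Function names are the example's own.

```python
"""Octet-string/integer conversion and the RSA primitive of PKCS #1 v1.5
(Sections 8.2-8.4 and 9.1-9.3).  Added example; the key below is a constructed
textbook key (p=61, q=53) and is insecure by design."""

N, E, D = 3233, 17, 2753                # constructed demo key, never use
K = (N.bit_length() + 7) // 8           # k: length of the modulus n in octets


def os2ip(octets: bytes, k: int) -> int:
    """Equations (2)/(3): k octets, first octet most significant -> integer."""
    if len(octets) != k:
        raise ValueError("octet string must have exactly k octets")
    return sum(octets[i] << (8 * (k - 1 - i)) for i in range(k))


def i2osp(x: int, k: int) -> bytes:
    """Inverse of os2ip: integer in [0, 2^(8k)) -> k-octet big-endian string."""
    if not 0 <= x < (1 << (8 * k)):
        raise ValueError("integer does not fit in k octets")
    return bytes((x >> (8 * (k - 1 - i))) & 0xFF for i in range(k))


def encrypted_data_in_range(ed: bytes, n: int) -> bool:
    """Section 9.1: the integer encrypted data y must satisfy 0 <= y < n."""
    k = (n.bit_length() + 7) // 8
    return len(ed) == k and os2ip(ed, k) < n


def rsa_encrypt_block(eb: bytes, n: int, c: int) -> bytes:
    """Sections 8.2-8.4: EB -> x -> y = x^c mod n -> ED of length k."""
    k = (n.bit_length() + 7) // 8
    x = os2ip(eb, k)
    # Note in 8.2: EB1 = 00 and 2^(8(k-1)) <= n together give 0 <= x < n.
    if eb[0] != 0x00 or not x < n:
        raise ValueError("integer encryption block out of range")
    return i2osp(pow(x, c, n), k)


def rsa_decrypt_block(ed: bytes, n: int, c: int) -> bytes:
    """Sections 9.1-9.3: ED -> y (error unless 0 <= y < n) -> x = y^c mod n -> EB."""
    k = (n.bit_length() + 7) // 8
    if not encrypted_data_in_range(ed, n):
        raise ValueError("integer encrypted data out of range")
    return i2osp(pow(os2ip(ed, k), c, n), k)


def roundtrip(eb: bytes) -> bytes:
    """Encrypt under the public exponent, decrypt under the private one."""
    return rsa_decrypt_block(rsa_encrypt_block(eb, N, E), N, D)


if __name__ == "__main__":
    eb = b"\x00\x2a"                    # k = 2 here, so EB is 00 followed by one octet
    ed = rsa_encrypt_block(eb, N, E)
    print(ed.hex(), roundtrip(eb).hex())
```

The range check in rsa_decrypt_block is the one the draft states as an error condition in 9.1; an implementation that skips it silently reduces any y >= n modulo n and will accept several distinct octet strings as the same ciphertext or signature.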
| 9.4 Encryption-block parsing | 9.4 Encryption-block parsing | |||
| skipping to change at page 13, line 4 ¶ | skipping to change at page 12, line 53 ¶ | |||
| (informally, "MD2 with RSA") combines the MD2 message-digest | (informally, "MD2 with RSA") combines the MD2 message-digest | |||
| algorithm with RSA, the second (informally, "MD4 with RSA") combines | algorithm with RSA, the second (informally, "MD4 with RSA") combines | |||
| the MD4 message-digest algorithm with RSA, and the third (informally, | the MD4 message-digest algorithm with RSA, and the third (informally, | |||
| "MD5 with RSA") combines the MD5 message-digest algorithm with RSA. | "MD5 with RSA") combines the MD5 message-digest algorithm with RSA. | |||
| This section describes the signature process and the verification | This section describes the signature process and the verification | |||
| process for the three algorithms. The "selected" message-digest | process for the three algorithms. The "selected" message-digest | |||
| algorithm shall be either MD2, MD4 or MD5, depending on the signature | algorithm shall be either MD2, MD4 or MD5, depending on the signature | |||
| algorithm. The signature process shall be performed with an entity's | algorithm. The signature process shall be performed with an entity's | |||
| private key and the verification process shall be performed with an | private key and the verification process shall be performed with an | |||
| entity's public key. The signature process transforms an octet string | entity's public key. The signature process transforms an octet string | |||
| (the message) to a bit string (the signature); the verification | (the message) to a bit string (the signature); the verification | |||
| process determines whether a bit string (the signature) is the | process determines whether a bit string (the signature) is the | |||
| signature of an octet string (the message). | signature of an octet string (the message). | |||
| Note. The only difference between the signature algorithms defined | Note. The only difference between the signature algorithms defined | |||
| here and one of the methods by which signatures (encrypted | here and one of the methods by which signatures (encrypted | |||
| message digests) are constructed in PKCS #7 is that signatures | message digests) are constructed in PKCS #7 is that signatures | |||
| are represented here as bit strings, for consistency with the X.509 | are represented here as bit strings, for consistency with the X.509 | |||
| SIGNED macro. In PKCS #7 encrypted message digests are octet strings. | SIGNED macro. In PKCS #7 encrypted message digests are octet strings. | |||
| 10.1 Signature process | 10.1 Signature process | |||
| skipping to change at page 14, line 4 ¶ | skipping to change at page 13, line 53 ¶ | |||
| The fields of type DigestInfo have the following meanings: | The fields of type DigestInfo have the following meanings: | |||
| o digestAlgorithm identifies the message-digest | o digestAlgorithm identifies the message-digest | |||
| algorithm (and any associated parameters). For | algorithm (and any associated parameters). For | |||
| this application, it should identify the selected | this application, it should identify the selected | |||
| message-digest algorithm, MD2, MD4 or MD5. For | message-digest algorithm, MD2, MD4 or MD5. For | |||
| reference, the relevant object identifiers are the | reference, the relevant object identifiers are the | |||
| following: | following: | |||
| md2 OBJECT IDENTIFIER ::= | md2 OBJECT IDENTIFIER ::= | |||
| { iso(1) member-body(2) US(840) rsadsi(113549) | { iso(1) member-body(2) US(840) rsadsi(113549) | |||
| digestAlgorithm(2) 2 } | digestAlgorithm(2) 2 } | |||
| md4 OBJECT IDENTIFIER ::= | md4 OBJECT IDENTIFIER ::= | |||
| { iso(1) member-body(2) US(840) rsadsi(113549) | { iso(1) member-body(2) US(840) rsadsi(113549) | |||
| digestAlgorithm(2) 4 } | digestAlgorithm(2) 4 } | |||
| md5 OBJECT IDENTIFIER ::= | md5 OBJECT IDENTIFIER ::= | |||
| { iso(1) member-body(2) US(840) rsadsi(113549) | { iso(1) member-body(2) US(840) rsadsi(113549) | |||
| digestAlgorithm(2) 5 } | digestAlgorithm(2) 5 } | |||
| For these object identifiers, the parameters field | For these object identifiers, the parameters field | |||
| of the digestAlgorithm value should be NULL. | of the digestAlgorithm value should be NULL. | |||
| o digest is the result of the message-digesting | o digest is the result of the message-digesting | |||
| process, i.e., the message digest MD. | process, i.e., the message digest MD. | |||
| skipping to change at page 15, line 4 ¶ | skipping to change at page 14, line 52 ¶ | |||
| 3. No reason is known that MD4 would not be | 3. No reason is known that MD4 would not be | |||
| sufficient for very high security digital | sufficient for very high security digital | |||
| signature schemes, but because MD4 was designed to | signature schemes, but because MD4 was designed to | |||
| be exceptionally fast, it is "at the edge" in | be exceptionally fast, it is "at the edge" in | |||
| terms of risking successful cryptanalytic attack. | terms of risking successful cryptanalytic attack. | |||
| A message-digest algorithm can be considered | A message-digest algorithm can be considered | |||
| "broken" if someone can find a collision: two | "broken" if someone can find a collision: two | |||
| messages with the same digest. While collisions | messages with the same digest. While collisions | |||
| have been found in variants of MD4 with only two | have been found in variants of MD4 with only two | |||
| digesting "rounds" [Mer90][dBB92], none have been | digesting "rounds" [Mer90][dBB92], none have been | |||
| found in MD4 itself, which has three rounds. After | found in MD4 itself, which has three rounds. After | |||
| further critical review, it may be appropriate to | further critical review, it may be appropriate to | |||
| consider MD4 for very high security applications. | consider MD4 for very high security applications. | |||
| MD5, which has four rounds and is proportionally | MD5, which has four rounds and is proportionally | |||
| slower than MD4, is recommended until the | slower than MD4, is recommended until the | |||
| completion of MD4's review. The reported | completion of MD4's review. The reported | |||
| "pseudocollisions" in MD5's internal compression | "pseudocollisions" in MD5's internal compression | |||
| function [dBB93] do not appear to have any | function [dBB93] do not appear to have any | |||
| practical impact on MD5's security. | practical impact on MD5's security. | |||
| skipping to change at page 16, line 4 ¶ | skipping to change at page 15, line 53 ¶ | |||
| signer's public key; and a bit string S, the signature. The output | signer's public key; and a bit string S, the signature. The output | |||
| from the verification process shall be an indication of success or | from the verification process shall be an indication of success or | |||
| failure. | failure. | |||
| 10.2.1 Bit-string-to-octet-string conversion | 10.2.1 Bit-string-to-octet-string conversion | |||
| The signature S shall be converted into an octet string ED, the | The signature S shall be converted into an octet string ED, the | |||
| encrypted data. Specifically, assuming that the length in bits of the | encrypted data. Specifically, assuming that the length in bits of the | |||
| signature S is a multiple of eight, the first bit of the signature | signature S is a multiple of eight, the first bit of the signature | |||
| shall become the most significant bit of the first octet of the | shall become the most significant bit of the first octet of the | |||
| encrypted data, and so on through the last bit of the signature, | encrypted data, and so on through the last bit of the signature, | |||
| which shall become the least significant bit of the last octet of the | which shall become the least significant bit of the last octet of the | |||
| encrypted data. | encrypted data. | |||
| It is an error if the length in bits of the signature S is not a | It is an error if the length in bits of the signature S is not a | |||
| multiple of eight. | multiple of eight. | |||
| 10.2.2 RSA decryption | 10.2.2 RSA decryption | |||
| The encrypted data ED shall be decrypted with the signer's RSA public | The encrypted data ED shall be decrypted with the signer's RSA public | |||
| key as described in Section 9 to give an octet string D, the data. | key as described in Section 9 to give an octet string D, the data. | |||
| skipping to change at page 16, line 43 ¶ | skipping to change at page 16, line 41 ¶ | |||
| 10.2.4 Message digesting and comparison | 10.2.4 Message digesting and comparison | |||
| The message M shall be digested with the selected message-digest | The message M shall be digested with the selected message-digest | |||
| algorithm to give an octet string MD', the comparative message | algorithm to give an octet string MD', the comparative message | |||
| digest. The verification process shall succeed if the comparative | digest. The verification process shall succeed if the comparative | |||
| message digest MD' is the same as the message digest MD, and the | message digest MD' is the same as the message digest MD, and the | |||
| verification process shall fail otherwise. | verification process shall fail otherwise. | |||
| 11. Object identifiers | 11. Object identifiers | |||
| This standard defines five object identifiers: pkcs-1, rsaEncryption, | This document defines five object identifiers: pkcs-1, rsaEncryption, | |||
| md2WithRSAEncryption, md4WithRSAEncryption, and md5WithRSAEncryption. | md2WithRSAEncryption, md4WithRSAEncryption, and md5WithRSAEncryption. | |||
| The object identifier pkcs-1 identifies this standard. | The object identifier pkcs-1 identifies this document. | |||
| pkcs-1 OBJECT IDENTIFIER ::= | pkcs-1 OBJECT IDENTIFIER ::= | |||
| { iso(1) member-body(2) US(840) rsadsi(113549) | { iso(1) member-body(2) US(840) rsadsi(113549) | |||
| pkcs(1) 1 } | pkcs(1) 1 } | |||
| The object identifier rsaEncryption identifies RSA public and private | The object identifier rsaEncryption identifies RSA public and private | |||
| keys as defined in Section 7 and the RSA encryption and decryption | keys as defined in Section 7 and the RSA encryption and decryption | |||
| processes defined in Sections 8 and 9. | processes defined in Sections 8 and 9. | |||
| rsaEncryption OBJECT IDENTIFIER ::= { pkcs-1 1 } | rsaEncryption OBJECT IDENTIFIER ::= { pkcs-1 1 } | |||
| The rsaEncryption object identifier is intended to be used in the | The rsaEncryption object identifier is intended to be used in the | |||
| algorithm field of a value of type AlgorithmIdentifier. The | algorithm field of a value of type AlgorithmIdentifier. The | |||
| parameters field of that type, which has the algorithm-specific | parameters field of that type, which has the algorithm-specific | |||
| syntax ANY DEFINED BY algorithm, would have ASN.1 type NULL for this | syntax ANY DEFINED BY algorithm, would have ASN.1 type NULL for this | |||
| algorithm. | algorithm. | |||
| The object identifiers md2WithRSAEncryption, md4WithRSAEncryption, | The object identifiers md2WithRSAEncryption, md4WithRSAEncryption, | |||
| md5WithRSAEncryption, identify, respectively, the "MD2 with RSA," | md5WithRSAEncryption, identify, respectively, the "MD2 with RSA," | |||
| skipping to change at page 17, line 35 ¶ | skipping to change at page 17, line 33 ¶ | |||
| These object identifiers are intended to be used in the algorithm | These object identifiers are intended to be used in the algorithm | |||
| field of a value of type AlgorithmIdentifier. The parameters field of | field of a value of type AlgorithmIdentifier. The parameters field of | |||
| that type, which has the algorithm-specific syntax ANY DEFINED BY | that type, which has the algorithm-specific syntax ANY DEFINED BY | |||
| algorithm, would have ASN.1 type NULL for these algorithms. | algorithm, would have ASN.1 type NULL for these algorithms. | |||
| Note. X.509's object identifier rsa also identifies RSA public keys | Note. X.509's object identifier rsa also identifies RSA public keys | |||
| as defined in Section 7, but does not identify private keys, and | as defined in Section 7, but does not identify private keys, and | |||
| identifies different encryption and decryption processes. It is | identifies different encryption and decryption processes. It is | |||
| expected that some applications will identify public keys by rsa. | expected that some applications will identify public keys by rsa. | |||
| Such public keys are compatible with this standard; an rsaEncryption | Such public keys are compatible with this document; an rsaEncryption | |||
| process under an rsa public key is the same as the rsaEncryption | process under an rsa public key is the same as the rsaEncryption | |||
| process under an rsaEncryption public key. | process under an rsaEncryption public key. | |||
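The "MD5 with RSA" signature and verification processes of Section 10, together with the DER encoding of the object identifiers of Sections 10.1 and 11 (md5 with NULL parameters inside DigestInfo, rsaEncryption inside an AlgorithmIdentifier), as an added Python example that is not code from the draft or from RSA Laboratories. It assumes the block type 01 encryption-block layout 00 || 01 || FF...FF || 00 || D from Section 8.1, which is not part of this excerpt; the demo key is generated from a seeded PRNG so that the run is reproducible (and therefore worthless as a real key), e = 65537 is this example's choice rather than anything the draft specifies, and MD5 is taken from hashlib because MD2 and MD4 are not available there. All function names are the example's own.

```python
"""MD5-with-RSA signing and verification (Section 10) and DER encoding of the
OIDs of Sections 10.1 and 11.  Added example, not draft text; assumes the block
type 01 layout of Section 8.1 and uses a seeded PRNG for a throw-away key."""
import hashlib
import hmac
import random

rng = random.Random(2313)  # constructed, deterministic: demo key only, never real use


def _probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin, adequate for a throw-away demo key."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def _prime(bits: int) -> int:
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _probable_prime(cand):
            return cand


def make_demo_key(bits: int = 512):
    """Return (n, e, d); e = 65537 is this example's choice, not the draft's."""
    e = 65537
    while True:
        p, q = _prime(bits // 2), _prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return p * q, e, pow(e, -1, phi)


def der(tag: int, body: bytes) -> bytes:
    """DER TLV, short-form length only (every value here is under 128 octets)."""
    if len(body) >= 0x80:
        raise ValueError("long-form length not needed for this example")
    return bytes([tag, len(body)]) + body


def encode_oid(*arcs: int) -> bytes:
    """X.690 OBJECT IDENTIFIER: 40*arc1 + arc2, then each arc base-128, MSB first."""
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk, arc = [arc & 0x7F], arc >> 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return der(0x06, bytes(out))


PKCS_1 = (1, 2, 840, 113549, 1, 1)       # Section 11
RSA_ENCRYPTION = PKCS_1 + (1,)           # { pkcs-1 1 }
MD5_OID = (1, 2, 840, 113549, 2, 5)      # Section 10.1, digestAlgorithm for MD5


def algorithm_identifier(oid) -> bytes:
    """AlgorithmIdentifier whose parameters field is NULL (Sections 10.1 and 11)."""
    return der(0x30, encode_oid(*oid) + b"\x05\x00")


def digest_info(md: bytes) -> bytes:
    """DigestInfo ::= SEQUENCE { digestAlgorithm AlgorithmIdentifier, digest OCTET STRING }."""
    return der(0x30, algorithm_identifier(MD5_OID) + der(0x04, md))


def octets_to_bits(octets: bytes) -> str:
    """Signature as a bit string: MSB of the first octet becomes the first bit."""
    return "".join(format(b, "08b") for b in octets)


def bits_to_octets(bits: str) -> bytes:
    """10.2.1: it is an error unless the length in bits is a multiple of eight."""
    if len(bits) % 8:
        raise ValueError("signature length in bits is not a multiple of eight")
    return bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8))


def _padded_block(data: bytes, k: int) -> bytes:
    """Block type 01 with at least eight FF padding octets (assumed from 8.1)."""
    if len(data) > k - 11:
        raise ValueError("data too long for the modulus")
    return b"\x00\x01" + b"\xff" * (k - 3 - len(data)) + b"\x00" + data


def sign(message: bytes, n: int, d: int) -> str:
    """10.1: digest, encode DigestInfo, pad, raise to d mod n, emit a bit string."""
    k = (n.bit_length() + 7) // 8
    eb = _padded_block(digest_info(hashlib.md5(message).digest()), k)
    return octets_to_bits(pow(int.from_bytes(eb, "big"), d, n).to_bytes(k, "big"))


def verify(message: bytes, signature: str, n: int, e: int) -> bool:
    """10.2: rebuild the expected block and compare it whole, in constant time."""
    k = (n.bit_length() + 7) // 8
    try:
        ed = bits_to_octets(signature)
    except ValueError:
        return False
    if len(ed) != k or int.from_bytes(ed, "big") >= n:   # 9.1 range check
        return False
    eb = pow(int.from_bytes(ed, "big"), e, n).to_bytes(k, "big")
    expected = _padded_block(digest_info(hashlib.md5(message).digest()), k)
    return hmac.compare_digest(eb, expected)
```

verify deliberately does not parse EB field by field (block type, padding string, separator, then a DigestInfo decoder); it recomputes the one block a correct signer could have produced and compares the whole thing. That closes the class of verifier bugs in which a lenient parser accepts a short padding string or trailing bytes after the digest, and it still reports exactly the success or failure Section 10.2.4 asks for.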
| Revision history | Revision history | |||
| Versions 1.0-1.3 | Versions 1.0-1.3 | |||
| Versions 1.0-1.3 were distributed to participants in RSA Data | Versions 1.0-1.3 were distributed to participants in RSA Data | |||
| Security, Inc.'s Public-Key Cryptography Standards meetings in | Security, Inc.'s Public-Key Cryptography Standards meetings in | |||
| February and March 1991. | February and March 1991. | |||
| Version 1.4 | Version 1.4 | |||
| Version 1.4 is part of the June 3, 1991 initial public release of | Version 1.4 is part of the June 3, 1991 initial public release of | |||
| PKCS. Version 1.4 was published as NIST/OSI Implementors' Workshop | PKCS. Version 1.4 was published as NIST/OSI Implementors' Workshop | |||
| document SEC-SIG-91-18. | document SEC-SIG-91-18. | |||
| Version 1.5 | Version 1.5 | |||
| Version 1.5 incorporates several editorial changes, including updates | Version 1.5 incorporates several editorial changes, including updates | |||
| to the references and the addition of a revision history. The | to the references and the addition of a revision history. The | |||
| following substantive changes were made: | following substantive changes were made: | |||
| o Section 10: "MD4 with RSA" signature and | o Section 10: "MD4 with RSA" signature and | |||
| verification processes are added. | verification processes are added. | |||
| o Section 11: md4WithRSAEncryption object identifier | o Section 11: md4WithRSAEncryption object identifier | |||
| is added. | is added. | |||
| Supersedes June 3, 1991 version, which was also published as NIST/OSI | Supersedes June 3, 1991 version, which was also published as NIST/OSI | |||
| Implementors' Workshop document SEC-SIG-91-18. | Implementors' Workshop document SEC-SIG-91-18. | |||
| Copyright | Copyright | |||
| Copyright (C) 1991-1993 RSA Laboratories, a division of RSA Data | Copyright (c) 1991-1993 RSA Laboratories, a division of RSA Data | |||
| Security, Inc. License to copy this document is granted provided that | Security, Inc. Any substantial use of the text from this document | |||
| it is identified as "RSA Data Security, Inc. Public-Key Cryptography | must acknowledge RSA Data Security, Inc. RSA Data Security, Inc. | |||
| Standards (PKCS)" in all material mentioning or referencing this | requests that all material mentioning or referencing this document | |||
| document. | identify this as "RSA Data Security, Inc. PKCS #1". | |||
| Author's Address | Author's Address | |||
| RSA Laboratories | Burt Kaliski | |||
| 100 Marine Parkway | RSA Laboratories East | |||
| Redwood City, CA 94065 USA | 20 Crosby Drive | |||
| Tel: (415) 595-7703 | Bedford, MA 01730 | |||
| Fax: (415) 595-4126 | (617) 687-7000 | |||
| pkcs-editor@rsa.com | burt@rsa.com | |||