| < draft-kaliski-pkcs-pkcs1v2-00.txt | draft-kaliski-pkcs-pkcs1v2-01.txt > | |||
|---|---|---|---|---|
| Network Working Group B. Kaliski and J. Staddon | Network Working Group B. Kaliski and J. Staddon | |||
| Internet-Draft RSA Laboratories | Internet-Draft RSA Laboratories | |||
| Category: Informational July 1998 | Category: Informational September 1998 | |||
| PKCS #1: RSA Cryptography Specifications | PKCS #1: RSA Cryptography Specifications | |||
| Version 2.0 | Version 2.0 | |||
| <draft-kaliski-pkcs-pkcs1v2-00.txt> | ||||
| Status of this Memo | Status of this Memo | |||
| This memo provides information for the Internet community. It does not | ||||
| Specify an Internet standard of any kind. Distribution of this memo | ||||
| is unlimited. | ||||
| This document is an Internet-Draft. Internet-Drafts are working | This document is an Internet-Draft. Internet-Drafts are working | |||
| documents of the Internet Engineering Task Force (IETF), its | documents of the Internet Engineering Task Force (IETF), its | |||
| areas, and its working groups. Note that other groups may also | areas, and its working groups. Note that other groups may also | |||
| distribute working documents as Internet-Drafts. | distribute working documents as Internet-Drafts. | |||
| Internet-Drafts are draft documents valid for a maximum of six | Internet-Drafts are draft documents valid for a maximum of six | |||
| months and may be updated, replaced, or obsoleted by other | months and may be updated, replaced, or obsoleted by other | |||
| documents at any time. It is inappropriate to use Internet- | documents at any time. It is inappropriate to use Internet- | |||
| Drafts as reference material or to cite them other than as | Drafts as reference material or to cite them other than as | |||
| "work in progress." | "work in progress." | |||
| To view the entire list of current Internet-Drafts, please check | To view the entire list of current Internet-Drafts, please check | |||
| the "1id-abstracts.txt" listing contained in the Internet-Drafts | the "1id-abstracts.txt" listing contained in the Internet-Drafts | |||
| Shadow Directories on ftp.is.co.za (Africa), ftp.nordu.net | Shadow Directories on ftp.is.co.za (Africa), ftp.nordu.net | |||
| (Northern Europe), ftp.nis.garr.it (Southern Europe), munnari.oz.au | (Northern Europe), ftp.nis.garr.it (Southern Europe), munnari.oz.au | |||
| (Pacific Rim), ftp.ietf.org (US East Coast), or ftp.isi.edu | (Pacific Rim), ftp.ietf.org (US East Coast), or ftp.isi.edu | |||
| (US West Coast). | (US West Coast). | |||
| This memo provides information for the Internet community. It does not | ||||
| Specify an Internet standard of any kind. Distribution of this memo | ||||
| is unlimited. | ||||
| Copyright Notice | Copyright Notice | |||
| Copyright (C) The Internet Society (1998). All Rights Reserved. | Copyright (C) The Internet Society (1998). All Rights Reserved. | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction.....................................2 | 1. Introduction.....................................2 | |||
| 1.1 Overview.........................................2 | 1.1 Overview.........................................2 | |||
| 2. Notation.........................................3 | 2. Notation.........................................3 | |||
| 3. Key types........................................4 | 3. Key types........................................4 | |||
| 3.1 RSA public key...................................4 | 3.1 RSA public key...................................4 | |||
| skipping to change at page 2, line ? ¶ | skipping to change at page 2, line ? ¶ | |||
| 9. Encoding methods................................19 | 9. Encoding methods................................19 | |||
| 9.1 Encoding methods for encryption.................19 | 9.1 Encoding methods for encryption.................19 | |||
| 9.1.1 EME-OAEP........................................19 | 9.1.1 EME-OAEP........................................19 | |||
| 9.1.2 EME-PKCS1-v1_5..................................21 | 9.1.2 EME-PKCS1-v1_5..................................21 | |||
| 9.2 Encoding methods for signatures with appendix...22 | 9.2 Encoding methods for signatures with appendix...22 | |||
| 9.2.1 EMSA-PKCS1-v1_5.................................22 | 9.2.1 EMSA-PKCS1-v1_5.................................22 | |||
| 10. Auxiliary Functions.............................23 | 10. Auxiliary Functions.............................23 | |||
| 10.1 Hash Functions..................................23 | 10.1 Hash Functions..................................23 | |||
| 10.2 Mask Generation Functions.......................24 | 10.2 Mask Generation Functions.......................24 | |||
| 10.2.1 MGF1............................................24 | 10.2.1 MGF1............................................24 | |||
| 11. ASN.1 syntax....................................25 | 11. ASN.1 syntax....................................25 | |||
| 11.1 Key representation..............................25 | 11.1 Key representation..............................25 | |||
| 11.1.1 Public-key syntax...............................25 | 11.1.1 Public-key syntax...............................25 | |||
| 11.1.2 Private-key syntax..............................26 | 11.1.2 Private-key syntax..............................26 | |||
| 11.2 Scheme identification...........................26 | 11.2 Scheme identification...........................26 | |||
| 11.2.1 Syntax for RSAES-OAEP...........................26 | 11.2.1 Syntax for RSAES-OAEP...........................26 | |||
| 11.2.2 Syntax for RSAES-PKCS1-v1_5.....................28 | 11.2.2 Syntax for RSAES-PKCS1-v1_5.....................28 | |||
| 11.2.3 Syntax for RSASSA-PKCS1-v1_5....................28 | 11.2.3 Syntax for RSASSA-PKCS1-v1_5....................28 | |||
| 12 Patent Statement................................29 | 12 Patent Statement................................29 | |||
| 12.1 Patent statement for the RSA algorithm..........30 | 12.1 Patent statement for the RSA algorithm..........30 | |||
| 13. Revision history................................30 | 13. Revision history................................30 | |||
| 14. References......................................30 | 14. References......................................30 | |||
| 1. Introduction | 1. Introduction | |||
| This Internet-Draft is proposed as a successor to RFC-2313. This | This Internet-Draft is proposed as a successor to RFC-2313. This | |||
| document provides recommendations for the implementation of public- | document provides recommendations for the implementation of public- | |||
| key cryptography based on the RSA algorithm [18], covering the following | key cryptography based on the RSA algorithm [18], covering the following | |||
| aspects: | aspects: | |||
| -cryptographic primitives | -cryptographic primitives | |||
| -encryption schemes | -encryption schemes | |||
| -signature schemes with appendix | -signature schemes with appendix | |||
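
Review bot: the new column drops the draft filename line `<draft-kaliski-pkcs-pkcs1v2-00.txt>` beneath the title without replacing it with `<draft-kaliski-pkcs-pkcs1v2-01.txt>`; the filename is part of the standard Internet-Draft header and should be updated rather than removed. The same hunk deletes the "This memo provides information for the Internet community ..." paragraph from both places it appeared in the old draft (once before and once after the Shadow Directories list), and as far as the diff shows no copy survives in the new draft, so the new version no longer states that it does not specify an Internet standard; keeping one copy, with "specify" in lower case, would be the cleaner fix. The date change to September 1998 and the table of contents are otherwise consistent between the two columns.
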
| skipping to change at page 11, line 51 ¶ | skipping to change at page 11, line 51 ¶ | |||
| aware encryption," meaning that it is computationally infeasible to | aware encryption," meaning that it is computationally infeasible to | |||
| obtain full or partial information about a message from a ciphertext, | obtain full or partial information about a message from a ciphertext, | |||
| and computationally infeasible to generate a valid ciphertext without | and computationally infeasible to generate a valid ciphertext without | |||
| knowing the corresponding message. Therefore, a chosen-ciphertext attack | knowing the corresponding message. Therefore, a chosen-ciphertext attack | |||
| is ineffective against a plaintext-aware encryption scheme such as | is ineffective against a plaintext-aware encryption scheme such as | |||
| RSAES-OAEP. | RSAES-OAEP. | |||
| Both the encryption and the decryption operations of RSAES-OAEP take the | Both the encryption and the decryption operations of RSAES-OAEP take the | |||
| value of the parameter string P as input. In this version of PKCS #1, P | value of the parameter string P as input. In this version of PKCS #1, P | |||
| is an octet string that is specified explicitly. See Section 11.2.1 for | is an octet string that is specified explicitly. See Section 11.2.1 for | |||
| the relevant ASN.1 syntax. | the relevant ASN.1 syntax. We briefly note that to receive the full | |||
| security benefit of RSAES-OAEP, it should not be used in a protocol | ||||
| involving RSAES-PKCS1-v1_5. It is possible that in a protocol on which | ||||
| both encryption schemes are present, an adaptive chosen ciphertext | ||||
| attack such as [4] would be useful. | ||||
| Both the encryption and the decryption operations of RSAES-OAEP take | ||||
| the value of the parameter string P as input. In this version of | ||||
| PKCS #1, P is an octet string that is specified explicitly. See | ||||
| Section 11.2.1 for the relevant ASN.1 syntax. | ||||
| 7.1.1 Encryption operation | 7.1.1 Encryption operation | |||
| RSAES-OAEP-ENCRYPT ((n, e), M, P) | RSAES-OAEP-ENCRYPT ((n, e), M, P) | |||
| Input: | Input: | |||
| (n, e) recipient's RSA public key | (n, e) recipient's RSA public key | |||
| M message to be encrypted, an octet string of length at | M message to be encrypted, an octet string of length at | |||
| most k-2-2hLen, where k is the length in octets of the | most k-2-2hLen, where k is the length in octets of the | |||
| modulus n and hLen is the length in octets of the hash | modulus n and hLen is the length in octets of the hash | |||
| function output for EME-OAEP | function output for EME-OAEP | |||
| P encoding parameters, an octet string that may be empty | P encoding parameters, an octet string that may be empty | |||
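
Review bot: the caveat added to Section 7.1 states its condition too loosely. "in a protocol on which both encryption schemes are present" should read "in which", and the risk it describes arises specifically when the same RSA key pair is used with both RSAES-OAEP and RSAES-PKCS1-v1_5, because an error-message oracle on RSAES-PKCS1-v1_5 decryptions then exercises the same private key that protects the OAEP ciphertexts; suggest "it should not be used with the same key pair as RSAES-PKCS1-v1_5" in place of "in a protocol involving RSAES-PKCS1-v1_5". "an adaptive chosen ciphertext attack such as [4] would be useful" is also vague about to whom; "could be mounted against RSAES-OAEP ciphertexts" says what is meant. Deleting the second copy of the "Both the encryption and the decryption operations of RSAES-OAEP ..." paragraph (old column, after the new caveat) is correct, since it was a verbatim duplicate of the paragraph immediately above it.
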
| skipping to change at page 16, line 28 ¶ | skipping to change at page 16, line 39 ¶ | |||
| error message received to mount a chosen-ciphertext attack such as the | error message received to mount a chosen-ciphertext attack such as the | |||
| one found in [4]. | one found in [4]. | |||
| 8. Signature schemes with appendix | 8. Signature schemes with appendix | |||
| A signature scheme with appendix consists of a signature generation | A signature scheme with appendix consists of a signature generation | |||
| operation and a signature verification operation, where the signature | operation and a signature verification operation, where the signature | |||
| generation operation produces a signature from a message with a signer's | generation operation produces a signature from a message with a signer's | |||
| private key, and the signature verification operation verifies the | private key, and the signature verification operation verifies the | |||
| signature on the message with the signer's corresponding public key. | signature on the message with the signer's corresponding public key. | |||
| To verify a signature constructed with this type of scheme it is | ||||
| necessary to have the message itself. In this way, signature schemes | ||||
| with appendix are distinguished from signature schemes with message | ||||
| recovery, which are not supported in this document. | ||||
| A signature scheme with appendix can be employed in a variety of | A signature scheme with appendix can be employed in a variety of | |||
| applications. For instance, X.509 [6] employs such a scheme to | applications. For instance, X.509 [6] employs such a scheme to | |||
| authenticate the content of a certificate; the signature scheme with | authenticate the content of a certificate; the signature scheme with | |||
| appendix defined here would be a suitable signature algorithm in that | appendix defined here would be a suitable signature algorithm in that | |||
| context. A related signature scheme could be employed in PKCS #7 [21], | context. A related signature scheme could be employed in PKCS #7 [21], | |||
| although for technical reasons, the current version of PKCS #7 separates | although for technical reasons, the current version of PKCS #7 separates | |||
| a hash function from a signature scheme, which is different than what is | a hash function from a signature scheme, which is different than what is | |||
| done here. | done here. | |||
| One signature scheme with appendix is specified in this document: | One signature scheme with appendix is specified in this document: | |||
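
Review bot: the paragraph added to Section 8 reads well; one style point: a comma after "scheme" in "To verify a signature constructed with this type of scheme, it is necessary to have the message itself" makes the sentence easier to parse, and "the message itself" could be tightened to "the original message", which is the distinction the paragraph is drawing (the signature accompanies the message rather than encoding it, unlike a scheme with message recovery).
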
| skipping to change at page 19, line 47 ¶ | skipping to change at page 20, line 10 ¶ | |||
| This encoding method is parameterized by the choice of hash function and | This encoding method is parameterized by the choice of hash function and | |||
| mask generation function. Suggested hash and mask generation functions | mask generation function. Suggested hash and mask generation functions | |||
| are given in Section 10. This encoding method is based on the method | are given in Section 10. This encoding method is based on the method | |||
| found in [2]. | found in [2]. | |||
| 9.1.1.1 Encoding operation | 9.1.1.1 Encoding operation | |||
| EME-OAEP-ENCODE (M, P, emLen) | EME-OAEP-ENCODE (M, P, emLen) | |||
| Options: | Options: | |||
| Hash hash function (hLen denotes the length in octet of the | Hash hash function (hLen denotes the length in octet of the | |||
| hash function output) | hash function output) | |||
| MGF mask generation function | MGF mask generation function | |||
| Input: | Input: | |||
| M message to be encoded, an octet string of length at most | M message to be encoded, an octet string of length at most | |||
| emLen- 1-2hLen | emLen- 1-2hLen | |||
| P encoding parameters, an octet string | P encoding parameters, an octet string | |||
| emLen intended length in octets of the encoded message, at least | emLen intended length in octets of the encoded message, at least | |||
| 2hLen+1 | 2hLen+1 | |||
| Output: | Output: | |||
| EM encoded message, an octet string of length emLen; or | EM encoded message, an octet string of length emLen; | |||
| "message too long" | "message too long" or "parameter string too long" | |||
| Steps: | Steps: | |||
| 1. If ||M|| > emLen-2hLen-1 then output "message too long" and stop. | 1. If the length of P is greater than the input limitation for | |||
| the hash function (2^61-1 octets for SHA-1) then output "parameter | ||||
| string too long" and stop. | ||||
| 2. Generate an octet string PS consisting of emLen-||M||-2hLen-1 zero | 2. If ||M|| > emLen-2hLen-1 then output "message too long" and stop. | |||
| 3. Generate an octet string PS consisting of emLen-||M||-2hLen-1 zero | ||||
| octets. The length of PS may be 0. | octets. The length of PS may be 0. | |||
| 3. Let pHash = Hash(P), an octet string of length hLen. | 4. Let pHash = Hash(P), an octet string of length hLen. | |||
| 4. Concatenate pHash, PS, the message M, and other padding to form a data | 5. Concatenate pHash, PS, the message M, and other padding to form a data | |||
| block DB as: DB = pHash || PS || 01 || M | block DB as: DB = pHash || PS || 01 || M | |||
| 5. Generate a random octet string seed of length hLen. | 6. Generate a random octet string seed of length hLen. | |||
| 6. Let dbMask = MGF(seed, emLen-hLen). | 7. Let dbMask = MGF(seed, emLen-hLen). | |||
| 7. Let maskedDB = DB \xor dbMask. | 8. Let maskedDB = DB \xor dbMask. | |||
| 8. Let seedMask = MGF(maskedDB, hLen). | 9. Let seedMask = MGF(maskedDB, hLen). | |||
| 9. Let maskedSeed = seed \xor seedMask. | 10. Let maskedSeed = seed \xor seedMask. | |||
| 10. Let EM = maskedSeed || maskedDB. | 11. Let EM = maskedSeed || maskedDB. | |||
| 11. Output EM. | 12. Output EM. | |||
| 9.1.1.2 Decoding operation | 9.1.1.2 Decoding operation | |||
| EME-OAEP-DECODE (EM, P) | EME-OAEP-DECODE (EM, P) | |||
| Options: | Options: | |||
| Hash hash function (hLen denotes the length in octet of the hash | Hash hash function (hLen denotes the length in octet of the hash | |||
| function output) | function output) | |||
| MGF mask generation function | MGF mask generation function | |||
| Input: | Input: | |||
| EM encoded message, an octet string of length at least 2hLen+1 | EM encoded message, an octet string of length at least 2hLen+1 | |||
| P encoding parameters, an octet string | P encoding parameters, an octet string | |||
| Output: | Output: | |||
| M recovered message, an octet string of length at most ||EM||-1- | M recovered message, an octet string of length at most ||EM||-1- | |||
| 2hLen; or "decoding error" | 2hLen; or "decoding error" | |||
| Steps: | Steps: | |||
| 1. If ||EM|| < 2hLen+1, then output "decoding error" and stop. | 1. If the length of P is greater than the input limitation for | |||
| the hash function (2^61-1 octets for SHA-1) then output "parameter | ||||
| string too long" and stop. | ||||
| 2. Let maskedSeed be the first hLen octets of EM and let maskedDB be the | 2. If ||EM|| < 2hLen+1, then output "decoding error" and stop. | |||
| 3. Let maskedSeed be the first hLen octets of EM and let maskedDB be the | ||||
| remaining ||EM|| - hLen octets. | remaining ||EM|| - hLen octets. | |||
| 3. Let seedMask = MGF(maskedDB, hLen). | 4. Let seedMask = MGF(maskedDB, hLen). | |||
| 4. Let seed = maskedSeed \xor seedMask. | 5. Let seed = maskedSeed \xor seedMask. | |||
| 5. Let dbMask = MGF(seed, ||EM|| - hLen). | 6. Let dbMask = MGF(seed, ||EM|| - hLen). | |||
| 6. Let DB = maskedDB \xor dbMask. | 7. Let DB = maskedDB \xor dbMask. | |||
| 7. Let pHash = Hash(P), an octet string of length hLen. | 8. Let pHash = Hash(P), an octet string of length hLen. | |||
| 8. Separate DB into an octet string pHash' consisting of the first hLen | 9. Separate DB into an octet string pHash' consisting of the first hLen | |||
| octets of DB, a (possibly empty) octet string PS consisting of | octets of DB, a (possibly empty) octet string PS consisting of | |||
| consecutive zero octets following pHash', and a message M as: | consecutive zero octets following pHash', and a message M as: | |||
| DB = pHash' || PS || 01 || M | DB = pHash' || PS || 01 || M | |||
| If there is no 01 octet to separate PS from M, output "decoding error" | If there is no 01 octet to separate PS from M, output "decoding error" | |||
| and stop. | and stop. | |||
| 9. If pHash' does not equal pHash, output "decoding error" and stop. | 10. If pHash' does not equal pHash, output "decoding error" and stop. | |||
| 10. Output M. | 11. Output M. | |||
| 9.1.2 EME-PKCS1-v1_5 | 9.1.2 EME-PKCS1-v1_5 | |||
| This encoding method is the same as in PKCS #1 v1.5, Section 8: | This encoding method is the same as in PKCS #1 v1.5, Section 8: | |||
| Encryption Process. | Encryption Process. | |||
| 9.1.2.1 Encoding operation | 9.1.2.1 Encoding operation | |||
| EME-PKCS1-V1_5-ENCODE (M, emLen) | EME-PKCS1-V1_5-ENCODE (M, emLen) | |||
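
Review bot: the new step 1 of EME-OAEP-DECODE outputs "parameter string too long", but the decoding operation's Output clause still lists only M or "decoding error"; the encoding side was updated in this hunk (EM, "message too long" or "parameter string too long"), so the decode Output clause should be updated the same way, or step 1 should output "decoding error" like the other failure steps. Two further points on this hunk. First, the P-length check depends only on the application-supplied parameter string and not on EM, so reporting it distinctly does not create a ciphertext-dependent oracle; the checks in steps 2, 9 and 10 of the decoding operation (new numbering), by contrast, all depend on EM, all correctly produce the same "decoding error", and an implementation should not let them be told apart by message or by timing, consistent with the warning shown just before Section 8 that an attacker can use the error message received to mount a chosen-ciphertext attack such as the one in [4]. Second, "the length in octet of the hash function output" in the Options of both operations should read "octets", and the "(2^61-1 octets for SHA-1)" bound in step 1 of both operations could also be given as 2^64-1 bits, the form in which the SHA-1 input limit is usually stated.
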
| skipping to change at page 23, line 6 ¶ | skipping to change at page 23, line 40 ¶ | |||
| Hash hash function (hLen denotes the length in octet of the hash | Hash hash function (hLen denotes the length in octet of the hash | |||
| function output) | function output) | |||
| Input: | Input: | |||
| M message to be encoded | M message to be encoded | |||
| emLen intended length in octets of the encoded message, at least | emLen intended length in octets of the encoded message, at least | |||
| ||T|| + 10, where T is the DER encoding of a certain value computed | ||T|| + 10, where T is the DER encoding of a certain value computed | |||
| during the encoding operation | during the encoding operation | |||
| Output: | Output: | |||
| EM encoded message, an octet string of length emLen; or "message | EM encoded message, an octet string of length emLen; or "message | |||
| too long" or "intended encoded message length too short" | too long" or "intended encoded message length too short" | |||
| Steps: | Steps: | |||
| 1. Apply the hash function to the message M to produce a hash value H: | 1. Apply the hash function to the message M to produce a hash value H: | |||
| H = Hash(M). | H = Hash(M). | |||
| If the hash function outputs "message too long," then output "message | If the hash function outputs "message too long," then output "message | |||
| too long". | too long". | |||
| skipping to change at page 24, line 43 ¶ | skipping to change at page 25, line 26 ¶ | |||
| 10.2 Mask Generation Functions | 10.2 Mask Generation Functions | |||
| A mask generation function takes an octet string of variable length and | A mask generation function takes an octet string of variable length and | |||
| a desired output length as input, and outputs an octet string of the | a desired output length as input, and outputs an octet string of the | |||
| desired length. There may be restrictions on the length of the input and | desired length. There may be restrictions on the length of the input and | |||
| output octet strings, but such bounds are generally very large. Mask | output octet strings, but such bounds are generally very large. Mask | |||
| generation functions are deterministic; the octet string output is | generation functions are deterministic; the octet string output is | |||
| completely determined by the input octet string. The output of a mask | completely determined by the input octet string. The output of a mask | |||
| generation function should be pseudorandom, that is, if the seed to the | generation function should be pseudorandom, that is, if the seed to the | |||
| function is unknown, it should be infeasible to distinguish the output | function is unknown, it should be infeasible to distinguish the output | |||
| from a truly random string. The plaintext-awareness of RSAES-PKCS1-v1_5 | from a truly random string. The plaintext-awareness of RSAES-OAEP | |||
| relies on the random nature of the output of the mask generation | relies on the random nature of the output of the mask generation | |||
| function, which in turn relies on the random nature of the underlying | function, which in turn relies on the random nature of the underlying | |||
| hash. | hash. | |||
| One mask generation function is recommended for the encoding methods in | One mask generation function is recommended for the encoding methods in | |||
| this document, and is defined here: MGF1, which is based on a hash | this document, and is defined here: MGF1, which is based on a hash | |||
| function. Future versions of this document may define other mask | function. Future versions of this document may define other mask | |||
| generation functions. | generation functions. | |||
| 10.2.1 MGF1 | 10.2.1 MGF1 | |||
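
Review bot: replacing "RSAES-PKCS1-v1_5" with "RSAES-OAEP" in the plaintext-awareness sentence of Section 10.2 is the right correction; plaintext awareness is the property claimed for RSAES-OAEP in Section 7.1, and RSAES-PKCS1-v1_5 is the scheme the draft warns is subject to the chosen-ciphertext attack in [4]. One further precision in the same paragraph: "the octet string output is completely determined by the input octet string" should also name the requested output length, since MGF(seed, length) takes both as input and EME-OAEP calls it with two different lengths, emLen-hLen in step 7 and hLen in step 9 of the encoding operation (new numbering).
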
| End of changes. 40 change blocks. | ||||
| 53 lines changed or deleted | 75 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||