Network Working Group B. Kaliski
Request for Comments: 2437 J. Staddon
Obsoletes: 2313 RSA Laboratories
Category: Informational October 1998
PKCS #1: RSA Cryptography Specifications
Version 2.0
Status of this Memo
This memo provides information for the Internet community. It does
not specify an Internet standard of any kind. Distribution of this
memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (1998). All Rights Reserved.
Table of Contents
1. Introduction
1.1 Overview
2. Notation
3. Key types
3.1 RSA public key
3.2 RSA private key
4. Data conversion primitives
4.1 I2OSP
4.2 OS2IP
5. Cryptographic primitives
5.1 Encryption and decryption primitives
5.1.1 RSAEP
5.1.2 RSADP
5.2 Signature and verification primitives
5.2.1 RSASP1
5.2.2 RSAVP1
6. Overview of schemes
7. Encryption schemes
7.1 RSAES-OAEP
7.1.1 Encryption operation
7.1.2 Decryption operation
7.2 RSAES-PKCS1-v1_5
7.2.1 Encryption operation
7.2.2 Decryption operation
8. Signature schemes with appendix
8.1 RSASSA-PKCS1-v1_5
8.1.1 Signature generation operation
Kaliski & Staddon Informational [Page 1]
RFC 2437 PKCS #1: RSA Cryptography Specifications October 1998
8.1.2 Signature verification operation
9. Encoding methods
9.1 Encoding methods for encryption
9.1.1 EME-OAEP
9.1.2 EME-PKCS1-v1_5
9.2 Encoding methods for signatures with appendix
9.2.1 EMSA-PKCS1-v1_5
10. Auxiliary Functions
10.1 Hash Functions
10.2 Mask Generation Functions
10.2.1 MGF1
11. ASN.1 syntax
11.1 Key representation
11.1.1 Public-key syntax
11.1.2 Private-key syntax
11.2 Scheme identification
11.2.1 Syntax for RSAES-OAEP
11.2.2 Syntax for RSAES-PKCS1-v1_5
11.2.3 Syntax for RSASSA-PKCS1-v1_5
12. Patent Statement
12.1 Patent statement for the RSA algorithm
13. Revision history
14. References
Security Considerations
Acknowledgements
Authors' Addresses
Full Copyright Statement
1. Introduction
This memo is the successor to RFC 2313. This document provides
recommendations for the implementation of public-key cryptography
based on the RSA algorithm [18], covering the following aspects:
-cryptographic primitives
-encryption schemes
-signature schemes with appendix
-ASN.1 syntax for representing keys and for identifying the
schemes
The recommendations are intended for general application within
computer and communications systems, and as such include a fair
amount of flexibility. It is expected that application standards
based on these specifications may include additional constraints. The
recommendations are intended to be compatible with draft standards
currently being developed by the ANSI X9F1 [1] and IEEE P1363 working
groups [14]. This document supersedes PKCS #1 version 1.5 [20].
Editor's note. It is expected that subsequent versions of PKCS #1 may
cover other aspects of the RSA algorithm such as key size, key
generation, key validation, and signature schemes with message
recovery.
1.1 Overview
The organization of this document is as follows:
-Section 1 is an introduction.
-Section 2 defines some notation used in this document.
-Section 3 defines the RSA public and private key types.
-Sections 4 and 5 define several primitives, or basic mathematical
operations. Data conversion primitives are in Section 4, and
cryptographic primitives (encryption-decryption,
signature-verification) are in Section 5.
-Sections 6, 7 and 8 deal with the encryption and signature schemes
in this document. Section 6 gives an overview. Section 7 defines
an OAEP-based [2] encryption scheme along with the method found
in PKCS #1 v1.5. Section 8 defines a signature scheme with
appendix; the method is identical to that of PKCS #1 v1.5.
-Section 9 defines the encoding methods for the encryption and
signature schemes in Sections 7 and 8.
-Section 10 defines the hash functions and the mask generation
function used in this document.
-Section 11 defines the ASN.1 syntax for the keys defined in
Section 3 and the schemes given in Sections 7 and 8.
-Section 12 outlines the revision history of PKCS #1.
-Section 13 contains references to other publications and
standards.
2. Notation
(n, e)      RSA public key
c           ciphertext representative, an integer between 0 and n-1
C           ciphertext, an octet string
d           private exponent
dP          p's exponent, a positive integer such that:
            e(dP)\equiv 1 (mod(p-1))
dQ          q's exponent, a positive integer such that:
            e(dQ)\equiv 1 (mod(q-1))
e           public exponent
EM          encoded message, an octet string
emLen       intended length in octets of an encoded message
H           hash value, an output of Hash
Hash        hash function
hLen        output length in octets of hash function Hash
K           RSA private key
k           length in octets of the modulus
l           intended length of octet string
lcm(.,.)    least common multiple of two nonnegative integers
m           message representative, an integer between 0 and n-1
M           message, an octet string
MGF         mask generation function
n           modulus
P           encoding parameters, an octet string
p,q         prime factors of the modulus
qInv        CRT coefficient, a positive integer less than p such that:
            q(qInv)\equiv 1 (mod p)
s           signature representative, an integer between 0 and n-1
S           signature, an octet string
x           a nonnegative integer
X           an octet string corresponding to x
\xor        bitwise exclusive-or of two octet strings
\lambda(n)  lcm(p-1, q-1), where n = pq
||          concatenation operator
||.||       octet length operator
3. Key types
Two key types are employed in the primitives and schemes defined in
this document: RSA public key and RSA private key. Together, an RSA
public key and an RSA private key form an RSA key pair.
3.1 RSA public key
For the purposes of this document, an RSA public key consists of two
components:
n, the modulus, a nonnegative integer
e, the public exponent, a nonnegative integer
In a valid RSA public key, the modulus n is a product of two odd
primes p and q, and the public exponent e is an integer between 3 and
n-1 satisfying gcd (e, \lambda(n)) = 1, where \lambda(n) = lcm (p-1,q-1).
A recommended syntax for interchanging RSA public keys
between implementations is given in Section 11.1.1; an
implementation's internal representation may differ.
3.2 RSA private key
For the purposes of this document, an RSA private key may have either
of two representations.
1. The first representation consists of the pair (n, d), where the
components have the following meanings:
n, the modulus, a nonnegative integer
d, the private exponent, a nonnegative integer
2. The second representation consists of a quintuple (p, q, dP, dQ,
qInv), where the components have the following meanings:
p, the first factor, a nonnegative integer
q, the second factor, a nonnegative integer
dP, the first factor's exponent, a nonnegative integer
dQ, the second factor's exponent, a nonnegative integer
qInv, the CRT coefficient, a nonnegative integer
In a valid RSA private key with the first representation, the modulus
n is the same as in the corresponding public key and is the product
of two odd primes p and q, and the private exponent d is a positive
integer less than n satisfying:
ed \equiv 1 (mod \lambda(n))
where e is the corresponding public exponent and \lambda(n) is as
defined above.
In a valid RSA private key with the second representation, the two
factors p and q are the prime factors of the modulus n, the exponents
dP and dQ are positive integers less than p and q respectively
satisfying
e(dP)\equiv 1(mod(p-1))
e(dQ)\equiv 1(mod(q-1)),
and the CRT coefficient qInv is a positive integer less than p
satisfying:
q(qInv)\equiv 1 (mod p).
A recommended syntax for interchanging RSA private keys between
implementations, which includes components from both representations,
is given in Section 11.1.2; an implementation's internal
representation may differ.
4. Data conversion primitives
Two data conversion primitives are employed in the schemes defined in
this document:
I2OSP: Integer-to-Octet-String primitive
OS2IP: Octet-String-to-Integer primitive
For the purposes of this document, and consistent with ASN.1 syntax, an
octet string is an ordered sequence of octets (eight-bit bytes). The
sequence is indexed from first (conventionally, leftmost) to last
(rightmost). For purposes of conversion to and from integers, the first
octet is considered the most significant in the following conversion
primitives.
4.1 I2OSP
I2OSP converts a nonnegative integer to an octet string of a specified
length.
I2OSP (x, l)
Input:
x nonnegative integer to be converted
l intended length of the resulting octet string
Output:
X corresponding octet string of length l; or
"integer too large"
Steps:
1. If x>=256^l, output "integer too large" and stop.
2. Write the integer x in its unique l-digit representation base 256:
x = x_{l-1}256^{l-1} + x_{l-2}256^{l-2} +... + x_1 256 + x_0
where 0 <= x_i < 256 (note that one or more leading digits will be
zero if x < 256^{l-1}).
3. Let the octet X_i have the value x_{l-i} for 1 <= i <= l. Output
the octet string:
X = X_1 X_2 ... X_l.
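The three I2OSP steps above, written out as an added example that is not part of the RFC. The inverse function os2ip is an assumption built only on Section 4's rule that the first octet is the most significant. The example shows why the length l must be carried separately: leading zero octets are significant in X but vanish on conversion back to an integer.

```python
def i2osp(x, l):
    """I2OSP (x, l): nonnegative integer x -> octet string of length l."""
    if x < 0 or l < 0:
        raise ValueError("x and l must be nonnegative")
    # Step 1: range check against 256^l.
    if x >= 256 ** l:
        raise ValueError("integer too large")
    # Step 2: unique l-digit base-256 representation, digits[i] = x_i.
    digits = []
    for _ in range(l):
        x, x_i = divmod(x, 256)
        digits.append(x_i)
    # Step 3: X_i = x_{l-i}, so the most significant digit comes first.
    return bytes(reversed(digits))

def os2ip(X):
    """Octet string -> nonnegative integer, first octet most significant
    (written from the convention in Section 4, not from the steps of 4.2)."""
    x = 0
    for octet in X:
        x = x * 256 + octet
    return x

def same_integer_different_encoding(x, l1, l2):
    """True when two I2OSP outputs differ as octet strings yet decode equal."""
    a, b = i2osp(x, l1), i2osp(x, l2)
    return a != b and os2ip(a) == os2ip(b) == x

if __name__ == "__main__":
    print(i2osp(65537, 4).hex())                       # padded with a leading 00
    print(same_integer_different_encoding(65537, 3, 4))
    try:
        i2osp(65537, 2)                                # 65537 >= 256^2
    except ValueError as exc:
        print(exc)
```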
4.2 OS2IP
OS2IP converts an octet string to a nonnegative integer.