OS2IP (X)
Input:
X octet string to be converted
Output:
x corresponding nonnegative integer
Steps:
1. Let X_1 X_2 ... X_l be the octets of X from first to last, and
let x_{l-i} have value X_i for 1 <= i <= l.
2. Let x = x_{l-1} 256^{l-1} + x_{l-2} 256^{l-2} + ... + x_1 256 + x_0.
3. Output x.
Kaliski & Staddon Informational [Page 7]
RFC 2437 PKCS #1: RSA Cryptography Specifications October 1998
5. Cryptographic primitives
Cryptographic primitives are basic mathematical operations on which
cryptographic schemes can be built. They are intended for
implementation in hardware or as software modules, and are not
intended to provide security apart from a scheme.
Four types of primitive are specified in this document, organized in
pairs: encryption and decryption; and signature and verification.
The specifications of the primitives assume that certain conditions
are met by the inputs, in particular that public and private keys are
valid.
5.1 Encryption and decryption primitives
An encryption primitive produces a ciphertext representative from a
message representative under the control of a public key, and a
decryption primitive recovers the message representative from the
ciphertext representative under the control of the corresponding
private key.
One pair of encryption and decryption primitives is employed in the
encryption schemes defined in this document and is specified here:
RSAEP/RSADP. RSAEP and RSADP involve the same mathematical operation,
with different keys as input.
The primitives defined here are the same as in the draft IEEE P1363
and are compatible with PKCS #1 v1.5.
The main mathematical operation in each primitive is exponentiation.
5.1.1 RSAEP
RSAEP((n, e), m)
Input:
(n, e) RSA public key
m message representative, an integer between 0 and n-1
Output:
c ciphertext representative, an integer between 0 and n-1;
or "message representative out of range"
Assumptions: public key (n, e) is valid
Steps:
1. If the message representative m is not between 0 and n-1, output
message representative out of range and stop.
2. Let c = m^e mod n.
3. Output c.
5.1.2 RSADP
RSADP (K, c)
Input:
K RSA private key, where K has one of the following forms
-a pair (n, d)
-a quintuple (p, q, dP, dQ, qInv)
c ciphertext representative, an integer between 0 and n-1
Output:
m message representative, an integer between 0 and n-1; or
"ciphertext representative out of range"
Assumptions: private key K is valid
Steps:
1. If the ciphertext representative c is not between 0 and n-1,
output "ciphertext representative out of range" and stop.
2. If the first form (n, d) of K is used:
2.1 Let m = c^d mod n. Else, if the second form (p, q, dP,
dQ, qInv) of K is used:
2.2 Let m_1 = c^dP mod p.
2.3 Let m_2 = c^dQ mod q.
2.4 Let h = qInv ( m_1 - m_2 ) mod p.
2.5 Let m = m_2 + hq.
3. Output m.
5.2 Signature and verification primitives
A signature primitive produces a signature representative from a
message representative under the control of a private key, and a
verification primitive recovers the message representative from the
signature representative under the control of the corresponding
public key. One pair of signature and verification primitives is
employed in the signature schemes defined in this document and is
specified here: RSASP1/RSAVP1.
The primitives defined here are the same as in the draft IEEE P1363
and are compatible with PKCS #1 v1.5.
The main mathematical operation in each primitive is exponentiation,
as in the encryption and decryption primitives of Section 5.1. RSASP1
and RSAVP1 are the same as RSADP and RSAEP except for the names of
their input and output arguments; they are distinguished as they are
intended for different purposes.
5.2.1 RSASP1
RSASP1 (K, m)
Input:
K RSA private key, where K has one of the following
forms:
-a pair (n, d)
-a quintuple (p, q, dP, dQ, qInv)
m message representative, an integer between 0 and n-1
Output:
s signature representative, an integer between 0 and
n-1, or "message representative out of range"
Assumptions:
private key K is valid
Steps:
1. If the message representative m is not between 0 and n-1, output
"message representative out of range" and stop.
2. If the first form (n, d) of K is used:
2.1 Let s = m^d mod n. Else, if the second form (p, q, dP,
dQ, qInv) of K is used:
2.2 Let s_1 = m^dP mod p.
2.3 Let s_2 = m^dQ mod q.
2.4 Let h = qInv ( s_1 - s_2 ) mod p.
2.5 Let s = s_2 + hq.
3. Output s.
5.2.2 RSAVP1
RSAVP1 ((n, e), s)
Input:
(n, e) RSA public key
s signature representative, an integer between 0 and n-1
Output:
m message representative, an integer between 0 and n-1;
or "invalid"
Assumptions:
public key (n, e) is valid
Steps:
1. If the signature representative s is not between 0 and n-1, output
"invalid" and stop.
2. Let m = s^e mod n.
3. Output m.
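The data-conversion step at the top of this page and the four primitives of Section 5, as an added worked example in Python (not code from the RFC or from any PKCS #1 implementation). It implements OS2IP, its inverse I2OSP (Section 4.1 of the RFC, which is not reproduced on this page), and RSAEP, RSADP, RSASP1 and RSAVP1 with both private-key forms, then checks that the (n, d) form and the CRT quintuple return the same value. The key is a constructed textbook-sized toy (p = 61, q = 53) chosen so the arithmetic can be followed by hand; it provides no security. The error strings are the ones the specification names; the helper names (`_private_exp`, `error_of`, `round_trip`) are this example's own.

```python
# Added example, not from RFC 2437: OS2IP/I2OSP plus RSAEP, RSADP,
# RSASP1 and RSAVP1 written from the steps in Sections 4 and 5.
from math import gcd

# Constructed toy key (textbook size, NOT secure): p = 61, q = 53.
P_, Q_ = 61, 53
N_ = P_ * Q_                                          # 3233
E_ = 17
_LAMBDA = (P_ - 1) * (Q_ - 1) // gcd(P_ - 1, Q_ - 1)  # lcm(p-1, q-1) = 780
D_ = pow(E_, -1, _LAMBDA)                             # e * d = 1 (mod lcm)
DP_ = D_ % (P_ - 1)
DQ_ = D_ % (Q_ - 1)
QINV_ = pow(Q_, -1, P_)                               # q * qInv = 1 (mod p)

PUBLIC_KEY = (N_, E_)
PRIVATE_KEY_PAIR = (N_, D_)                           # first form (n, d)
PRIVATE_KEY_CRT = (P_, Q_, DP_, DQ_, QINV_)           # second form


def os2ip(X: bytes) -> int:
    """OS2IP: first octet is most significant, x = sum X_i * 256^(l-i)."""
    x = 0
    for octet in X:
        x = x * 256 + octet
    return x


def i2osp(x: int, l: int) -> bytes:
    """I2OSP (Section 4.1): inverse of OS2IP, big-endian, exactly l octets."""
    if x < 0 or x >= 256 ** l:
        raise ValueError("integer too large")
    return bytes((x >> (8 * (l - 1 - i))) & 0xFF for i in range(l))


def _modulus(K) -> int:
    """n for either private-key form."""
    return K[0] if len(K) == 2 else K[0] * K[1]


def _private_exp(K, x: int) -> int:
    """Steps 2-3 shared by RSADP and RSASP1: x^d mod n, via CRT for the quintuple."""
    if len(K) == 2:                     # (n, d)
        n, d = K
        return pow(x, d, n)
    p, q, dP, dQ, qInv = K              # (p, q, dP, dQ, qInv)
    x1 = pow(x, dP, p)
    x2 = pow(x, dQ, q)
    h = (qInv * (x1 - x2)) % p          # Python's % is non-negative here
    return x2 + h * q                   # x2 < q and h < p, so result < n


def rsaep(pub, m: int) -> int:
    n, e = pub
    if not 0 <= m <= n - 1:
        raise ValueError("message representative out of range")
    return pow(m, e, n)


def rsadp(K, c: int) -> int:
    if not 0 <= c <= _modulus(K) - 1:
        raise ValueError("ciphertext representative out of range")
    return _private_exp(K, c)


def rsasp1(K, m: int) -> int:
    if not 0 <= m <= _modulus(K) - 1:
        raise ValueError("message representative out of range")
    return _private_exp(K, m)


def rsavp1(pub, s: int) -> int:
    n, e = pub
    if not 0 <= s <= n - 1:
        raise ValueError("invalid")
    return pow(s, e, n)


def error_of(fn, *args):
    """The error string a primitive stops with, or None on success."""
    try:
        fn(*args)
    except ValueError as ex:
        return str(ex)
    return None


def round_trip(M: bytes) -> dict:
    """Encrypt and sign a small octet string, decrypting with both key forms."""
    m = os2ip(M)
    c = rsaep(PUBLIC_KEY, m)
    s = rsasp1(PRIVATE_KEY_CRT, m)
    return {
        "m": m,
        "c": c,
        "dec_pair": rsadp(PRIVATE_KEY_PAIR, c),
        "dec_crt": rsadp(PRIVATE_KEY_CRT, c),
        "ver": rsavp1(PUBLIC_KEY, s),
        "M_back": i2osp(rsadp(PRIVATE_KEY_CRT, c), len(M)),
    }


if __name__ == "__main__":
    print(round_trip(b"\x02\x9a"))      # constructed 2-octet message, OS2IP -> 666
```

RSASP1 and RSAVP1 reuse the RSADP and RSAEP bodies, which is exactly what Section 5.2 says: they differ only in argument names and error strings. The CRT branch never needs a final reduction because m_2 < q and h < p give m_2 + hq < q + (p-1)q = n. Note that the primitives do no padding and do not validate the key; that is left to the schemes (Section 7) and to the application (Section 6).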
6. Overview of schemes
A scheme combines cryptographic primitives and other techniques to
achieve a particular security goal. Two types of scheme are specified
in this document: encryption schemes and signature schemes with
appendix.
The schemes specified in this document are limited in scope in that
their operations consist only of steps to process data with a key,
and do not include steps for obtaining or validating the key. Thus,
in addition to the scheme operations, an application will typically
include key management operations by which parties may select public
and private keys for a scheme operation. The specific additional
operations and other details are outside the scope of this document.
As was the case for the cryptographic primitives (Section 5), the
specifications of scheme operations assume that certain conditions
are met by the inputs, in particular that public and private keys are
valid. The behavior of an implementation is thus unspecified when a
key is invalid. The impact of such unspecified behavior depends on
the application. Possible means of addressing key validation include
explicit key validation by the application; key validation within the
public-key infrastructure; and assignment of liability for operations
performed with an invalid key to the party who generated the key.
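Explicit key validation by the application, the first of the options listed above, as an added example in Python (not from the RFC). It checks that an RSA key is arithmetically consistent in both private-key forms of Section 5, which is the condition the primitives and schemes assume and the RFC otherwise leaves unspecified. The toy key (p = 61, q = 53) is constructed for illustration, and `is_probable_prime`, `validate_rsa_key` and the problem strings are this example's own. It judges consistency only, not strength: it will catch a malformed or corrupted key, but says nothing about modulus size or how p and q were generated.

```python
# Added example, not from RFC 2437: application-side consistency check
# for an RSA key in both private-key forms of Section 5.
from math import gcd

_SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n: int) -> bool:
    """Miller-Rabin with fixed bases (deterministic below 3.3e24, probabilistic above)."""
    if n < 2:
        return False
    for sp in _SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in _SMALL_PRIMES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def validate_rsa_key(n, e, p, q, d, dP, dQ, qInv) -> list:
    """Return the consistency problems found (an empty list means consistent).

    Checks that (n, e), (n, d) and (p, q, dP, dQ, qInv) describe one key pair,
    so that RSAEP/RSAVP1 and RSADP/RSASP1 invert each other in either form.
    """
    problems = []
    if p == q or not is_probable_prime(p) or not is_probable_prime(q):
        return ["p and q must be distinct primes"]   # later checks need them
    if p * q != n:
        problems.append("n != p * q")
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)    # lcm(p-1, q-1)
    if e < 3 or gcd(e, lam) != 1:
        problems.append("e must be >= 3 and coprime to lcm(p-1, q-1)")
    if d < 1 or (e * d) % lam != 1:                 # holds for d mod phi(n) too
        problems.append("e * d != 1 (mod lcm(p-1, q-1))")
    if dP != d % (p - 1):
        problems.append("dP != d mod (p-1)")
    if dQ != d % (q - 1):
        problems.append("dQ != d mod (q-1)")
    if (q * qInv) % p != 1:
        problems.append("q * qInv != 1 (mod p)")
    # End-to-end: the exponents must invert each other, including at the
    # edges of the [0, n-1] range the primitives accept.
    for x in (0, 1, 2, n - 1):
        if pow(pow(x, e, n), d, n) != x:
            problems.append(f"RSADP(RSAEP({x})) != {x}")
            break
    return problems


# Constructed toy key (textbook size, NOT secure), in the order
# (n, e, p, q, d, dP, dQ, qInv); d is taken mod lcm(p-1, q-1) = 780.
TOY_KEY = (3233, 17, 61, 53, 413, 53, 49, 38)
# The same key with qInv off by one, as a corrupted-at-rest key would be.
CORRUPT_KEY = (3233, 17, 61, 53, 413, 53, 49, 39)

if __name__ == "__main__":
    print(validate_rsa_key(*TOY_KEY))       # []
    print(validate_rsa_key(*CORRUPT_KEY))   # ['q * qInv != 1 (mod p)']
```

Run this once when a private key is loaded, before its first RSADP or RSASP1 call: a key that fails it will not reliably decrypt or produce verifiable signatures, and the text above says nothing about what an implementation does in that case.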
7. Encryption schemes
An encryption scheme consists of an encryption operation and a
decryption operation, where the encryption operation produces a
ciphertext from a message with a recipient's public key, and the
decryption operation recovers the message from the ciphertext with
the recipient's corresponding private key.
An encryption scheme can be employed in a variety of applications. A
typical application is a key establishment protocol, where the
message contains key material to be delivered confidentially from one
party to another. For instance, PKCS #7 [21] employs such a protocol
to deliver a content-encryption key from a sender to a recipient; the
encryption schemes defined here would be suitable key-encryption
algorithms in that context.
Two encryption schemes are specified in this document: RSAES-OAEP and
RSAES-PKCS1-v1_5. RSAES-OAEP is recommended for new applications;
RSAES-PKCS1-v1_5 is included only for compatibility with existing
applications, and is not recommended for new applications.
The encryption schemes given here follow a general model similar to
that employed in IEEE P1363, by combining encryption and decryption
primitives with an encoding method for encryption. The encryption
operations apply a message encoding operation to a message to produce
an encoded message, which is then converted to an integer message
representative. An encryption primitive is applied to the message
representative to produce the ciphertext. Reversing this, the
decryption operations apply a decryption primitive to the ciphertext
to recover a message representative, which is then converted to an
octet string encoded message. A message decoding operation is applied
to the encoded message to recover the message and verify the
correctness of the decryption.
7.1 RSAES-OAEP
RSAES-OAEP combines the RSAEP and RSADP primitives (Sections 5.1.1
and 5.1.2) with the EME-OAEP encoding method (Section 9.1.1). EME-OAEP
is based on the method found in [2]. It is compatible with the IFES
scheme defined in the draft P1363 where the encryption and decryption
primitives are IFEP-RSA and IFDP-RSA and the message encoding method
is EME-OAEP. RSAES-OAEP can operate on messages of length up to
k-2-2hLen octets, where hLen is the length of the hash function output
for EME-OAEP and k is the length in octets of the recipient's RSA
modulus. Assuming that the hash function in EME-OAEP has appropriate
properties, and the key size is sufficiently large, RSAES-OAEP
provides "plaintext-aware encryption," meaning that it is
computationally infeasible to obtain full or partial information
about a message from a ciphertext, and computationally infeasible to
generate a valid ciphertext without knowing the corresponding
message. Therefore, a chosen-ciphertext attack is ineffective
against a plaintext-aware encryption scheme such as RSAES-OAEP.
Both the encryption and the decryption operations of RSAES-OAEP take
the value of the parameter string P as input. In this version of PKCS
#1, P is an octet string that is specified explicitly. See Section
11.2.1 for the relevant ASN.1 syntax. We briefly note that to receive
the full security benefit of RSAES-OAEP, it should not be used in a
protocol involving RSAES-PKCS1-v1_5. It is possible that in a
protocol in which both encryption schemes are present, an adaptive
chosen-ciphertext attack such as [4] would be effective.
7.1.1 Encryption operation
RSAES-OAEP-ENCRYPT ((n, e), M, P)
Input:
(n, e) recipient's RSA public key
M message to be encrypted, an octet string of length at
most k-2-2hLen, where k is the length in octets of the
modulus n and hLen is the length in octets of the hash
function output for EME-OAEP
P encoding parameters, an octet string that may be empty
Output:
C ciphertext, an octet string of length k; or "message too
long"
Assumptions: public key (n, e) is valid