signature representative s: s = RSASP1 (K, m)
4. Convert the signature representative s to a signature S of length
k octets: S = I2OSP (s, k)
5. Output the signature S.
Kaliski & Staddon Informational [Page 20]
RFC 2437 PKCS #1: RSA Cryptography Specifications October 1998
8.1.2 Signature verification operation
RSASSA-PKCS1-V1_5-VERIFY ((n, e), M, S)
Input:
(n, e) signer's RSA public key
M message whose signature is to be verified, an octet string
S signature to be verified, an octet string of length k,
where k is the length in octets of the modulus n
Output: "valid signature," "invalid signature," or "message too
long", or "modulus too short"
Steps:
1. If the length of the signature S is not k octets, output "invalid
signature" and stop.
2. Convert the signature S to an integer signature representative s:
s = OS2IP (S)
3. Apply the RSAVP1 verification primitive (Section 5.2.2) to the
public key (n, e) and the signature representative s to produce an
integer message representative m:
m = RSAVP1 ((n, e), s)
If RSAVP1 outputs "invalid" then output "invalid signature" and stop.
4. Convert the message representative m to an encoded message EM of
length k-1 octets: EM = I2OSP (m, k-1)
If I2OSP outputs "integer too large," then output "invalid signature"
and stop.
5. Apply the EMSA-PKCS1-v1_5 encoding operation (Section 9.2.1) to
the message M to produce a second encoded message EM' of length k-1
octets:
EM' = EMSA-PKCS1-V1_5-ENCODE (M, k-1)
If the encoding operation outputs "message too long," then output
"message too long" and stop. If the encoding operation outputs
"intended encoded message length too short" then output "modulus too
short".
6. Compare the encoded message EM and the second encoded message EM'.
If they are the same, output "valid signature"; otherwise, output
"invalid signature."
9. Encoding methods
Encoding methods consist of operations that map between octet string
messages and integer message representatives.
Two types of encoding method are considered in this document:
encoding methods for encryption, encoding methods for signatures with
appendix.
9.1 Encoding methods for encryption
An encoding method for encryption consists of an encoding operation
and a decoding operation. An encoding operation maps a message M to a
message representative EM of a specified length; the decoding
operation maps a message representative EM back to a message. The
encoding and decoding operations are inverses.
The message representative EM will typically have some structure that
can be verified by the decoding operation; the decoding operation
will output "decoding error" if the structure is not present. The
encoding operation may also introduce some randomness, so that
different applications of the encoding operation to the same message
will produce different representatives.
Two encoding methods for encryption are employed in the encryption
schemes and are specified here: EME-OAEP and EME-PKCS1-v1_5.
9.1.1 EME-OAEP
This encoding method is parameterized by the choice of hash function
and mask generation function. Suggested hash and mask generation
functions are given in Section 10. This encoding method is based on
the method found in [2].
9.1.1.1 Encoding operation
EME-OAEP-ENCODE (M, P, emLen)
Options:
Hash hash function (hLen denotes the length in octets of the
hash function output)
MGF mask generation function
Input:
M message to be encoded, an octet string of length at most
emLen-1-2hLen
P encoding parameters, an octet string
emLen intended length in octets of the encoded message, at least
2hLen+1
Output:
EM encoded message, an octet string of length emLen;
"message too long" or "parameter string too long"
Steps:
1. If the length of P is greater than the input limitation for the
hash function (2^61-1 octets for SHA-1) then output "parameter string
too long" and stop.
2. If ||M|| > emLen-2hLen-1 then output "message too long" and stop.
3. Generate an octet string PS consisting of emLen-||M||-2hLen-1 zero
octets. The length of PS may be 0.
4. Let pHash = Hash(P), an octet string of length hLen.
5. Concatenate pHash, PS, the message M, and other padding to form a
data block DB as: DB = pHash || PS || 01 || M
6. Generate a random octet string seed of length hLen.
7. Let dbMask = MGF(seed, emLen-hLen).
8. Let maskedDB = DB \xor dbMask.
9. Let seedMask = MGF(maskedDB, hLen).
10. Let maskedSeed = seed \xor seedMask.
11. Let EM = maskedSeed || maskedDB.
12. Output EM.
9.1.1.2 Decoding operation
EME-OAEP-DECODE (EM, P)
Options:
Hash hash function (hLen denotes the length in octets of the hash
function output)
MGF mask generation function
Input:
EM encoded message, an octet string of length at least 2hLen+1
P encoding parameters, an octet string
Output:
M recovered message, an octet string of length at most
||EM||-1-2hLen; or "decoding error"
Steps:
1. If the length of P is greater than the input limitation for the
hash function (2^61-1 octets for SHA-1) then output "parameter string
too long" and stop.
2. If ||EM|| < 2hLen+1, then output "decoding error" and stop.
3. Let maskedSeed be the first hLen octets of EM and let maskedDB be
the remaining ||EM|| - hLen octets.
4. Let seedMask = MGF(maskedDB, hLen).
5. Let seed = maskedSeed \xor seedMask.
6. Let dbMask = MGF(seed, ||EM|| - hLen).
7. Let DB = maskedDB \xor dbMask.
8. Let pHash = Hash(P), an octet string of length hLen.
9. Separate DB into an octet string pHash' consisting of the first
hLen octets of DB, a (possibly empty) octet string PS consisting of
consecutive zero octets following pHash', and a message M as:
DB = pHash' || PS || 01 || M
If there is no 01 octet to separate PS from M, output "decoding
error" and stop.
10. If pHash' does not equal pHash, output "decoding error" and stop.
11. Output M.
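Added example (not part of RFC 2437): the EME-OAEP encoding and decoding steps above in Python, assuming SHA-1 as Hash and MGF1 over SHA-1 as MGF. The function names and the optional `seed` argument are hypothetical; step 1 is omitted because a parameter string of 2^61-1 octets cannot occur in memory.

```python
import hashlib
import os

H_LEN = hashlib.sha1().digest_size            # hLen = 20 for SHA-1

def mgf1(seed: bytes, length: int) -> bytes:
    # MGF1 over SHA-1 (assumed; the RFC lists suggested MGFs in Section 10).
    out = b""
    for counter in range((length + H_LEN - 1) // H_LEN):
        out += hashlib.sha1(seed + counter.to_bytes(4, "big")).digest()
    return out[:length]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def oaep_encode(msg: bytes, p: bytes, em_len: int, seed: bytes = None) -> bytes:
    if len(msg) > em_len - 2 * H_LEN - 1:                       # step 2
        raise ValueError("message too long")
    ps = b"\x00" * (em_len - len(msg) - 2 * H_LEN - 1)          # step 3
    db = hashlib.sha1(p).digest() + ps + b"\x01" + msg          # steps 4-5
    seed = os.urandom(H_LEN) if seed is None else seed          # step 6
    masked_db = xor(db, mgf1(seed, em_len - H_LEN))             # steps 7-8
    masked_seed = xor(seed, mgf1(masked_db, H_LEN))             # steps 9-10
    return masked_seed + masked_db                              # step 11

def oaep_decode(em: bytes, p: bytes) -> bytes:
    if len(em) < 2 * H_LEN + 1:                                 # step 2
        raise ValueError("decoding error")
    masked_seed, masked_db = em[:H_LEN], em[H_LEN:]             # step 3
    seed = xor(masked_seed, mgf1(masked_db, H_LEN))             # steps 4-5
    db = xor(masked_db, mgf1(seed, len(em) - H_LEN))            # steps 6-7
    p_hash2, rest = db[:H_LEN], db[H_LEN:]                      # step 9
    body = rest.lstrip(b"\x00")                                 # skip PS
    # Steps 9-10: a missing 01 octet and a pHash mismatch both give the
    # same "decoding error" output.
    ok = body[:1] == b"\x01" and p_hash2 == hashlib.sha1(p).digest()
    if not ok:
        raise ValueError("decoding error")
    return body[1:]                                             # step 11
```

Because the seed is random, two encodings of the same message differ, which is the randomness property described in Section 9.1.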
9.1.2 EME-PKCS1-v1_5
This encoding method is the same as in PKCS #1 v1.5, Section 8:
Encryption Process.
9.1.2.1 Encoding operation
EME-PKCS1-V1_5-ENCODE (M, emLen)
Input:
M message to be encoded, an octet string of length at most
emLen-10
emLen intended length in octets of the encoded message
Output:
EM encoded message, an octet string of length emLen; or
"message too long"
Steps:
1. If the length of the message M is greater than emLen - 10 octets,
output "message too long" and stop.
2. Generate an octet string PS of length emLen-||M||-2 consisting of
pseudorandomly generated nonzero octets. The length of PS will be at
least 8 octets.
3. Concatenate PS, the message M, and other padding to form the
encoded message EM as:
EM = 02 || PS || 00 || M
4. Output EM.
9.1.2.2 Decoding operation
EME-PKCS1-V1_5-DECODE (EM)
Input:
EM encoded message, an octet string of length at least 10
Output:
M recovered message, an octet string of length at most
||EM||-10; or "decoding error"
Steps:
1. If the length of the encoded message EM is less than 10, output
"decoding error" and stop.
2. Separate the encoded message EM into an octet string PS consisting
of nonzero octets and a message M as: EM = 02 || PS || 00 || M.
If the first octet of EM is not 02, or if there is no 00 octet to
separate PS from M, output "decoding error" and stop.
3. If the length of PS is less than 8 octets, output "decoding error"
and stop.
4. Output M.
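Added example (not part of RFC 2437): the EME-PKCS1-v1_5 encoding and decoding steps above in Python. The function names are hypothetical, and `os.urandom` stands in for the pseudorandom generator the text leaves unspecified.

```python
import os

def eme_v15_encode(msg: bytes, em_len: int) -> bytes:
    if len(msg) > em_len - 10:                               # step 1
        raise ValueError("message too long")
    ps_len = em_len - len(msg) - 2
    ps = bytearray()
    while len(ps) < ps_len:                                  # step 2
        # Draw random octets and discard zeros so PS is entirely nonzero;
        # a zero inside PS would be mistaken for the separator on decode.
        ps += bytes(b for b in os.urandom(em_len) if b != 0)
    return b"\x02" + bytes(ps[:ps_len]) + b"\x00" + msg      # step 3

def eme_v15_decode(em: bytes) -> bytes:
    # Every failure maps to the single output "decoding error".
    if len(em) < 10:                                         # step 1
        raise ValueError("decoding error")
    sep = em.find(b"\x00", 1)        # first 00 octet after the leading 02
    if em[0] != 0x02 or sep == -1:                           # step 2
        raise ValueError("decoding error")
    if sep - 1 < 8:                  # PS occupies em[1:sep]; step 3
        raise ValueError("decoding error")
    return em[sep + 1:]                                      # step 4
```

The message itself may contain 00 octets: only the first 00 after the leading 02 is treated as the separator, which is why PS must be nonzero throughout.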
9.2 Encoding methods for signatures with appendix
An encoding method for signatures with appendix, for the purposes of
this document, consists of an encoding operation. An encoding
operation maps a message M to a message representative EM of a
specified length. (In future versions of this document, encoding
methods may be added that also include a decoding operation.)
One encoding method for signatures with appendix is employed in the
encryption schemes and is specified here: EMSA-PKCS1-v1_5.
9.2.1 EMSA-PKCS1-v1_5
This encoding method only has an encoding operation.
EMSA-PKCS1-v1_5-ENCODE (M, emLen)
Option:
Hash hash function (hLen denotes the length in octets of the hash
function output)
Input:
M message to be encoded
emLen intended length in octets of the encoded message, at least
||T|| + 10, where T is the DER encoding of a certain value
computed during the encoding operation
Output:
EM encoded message, an octet string of length emLen; or "message
too long" or "intended encoded message length too short"
Steps:
1. Apply the hash function to the message M to produce a hash value
H:
H = Hash(M).
If the hash function outputs "message too long," then output "message
too long".
2. Encode the algorithm ID for the hash function and the hash value
into an ASN.1 value of type DigestInfo (see Section 11) with the
Distinguished Encoding Rules (DER), where the type DigestInfo has the
syntax
   DigestInfo::=SEQUENCE{
     digestAlgorithm AlgorithmIdentifier,
     digest OCTET STRING }
The first field identifies the hash function and the second contains
the hash value. Let T be the DER encoding.
3. If emLen is less than ||T|| + 10 then output "intended encoded
message length too short".
4. Generate an octet string PS consisting of emLen-||T||-2 octets
with value FF (hexadecimal). The length of PS will be at least 8
octets.
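Added example (not part of RFC 2437): the verification steps of Section 8.1.2 together with the EMSA-PKCS1-v1_5 encoding above, in Python with SHA-1, showing that verification re-encodes M and compares whole octet strings instead of parsing the recovered EM. The toy key built from two Mersenne primes, the `sign` helper, the SHA-1 DigestInfo prefix and the final layout EM = 01 || PS || 00 || T are assumptions brought in from outside this excerpt, which stops at step 4.

```python
import hashlib
import hmac

# DER prefix of DigestInfo for SHA-1 (assumption: taken from outside this excerpt).
SHA1_PREFIX = bytes.fromhex("3021300906052b0e03021a05000414")

# Constructed toy key from two Mersenne primes; for illustration only.
P, Q = 2**127 - 1, 2**521 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))          # needs Python 3.8+
K = (N.bit_length() + 7) // 8              # k, modulus length in octets

def emsa_encode(msg: bytes, em_len: int) -> bytes:
    t = SHA1_PREFIX + hashlib.sha1(msg).digest()            # steps 1-2: T
    if em_len < len(t) + 10:                                # step 3
        raise ValueError("intended encoded message length too short")
    ps = b"\xff" * (em_len - len(t) - 2)                    # step 4
    return b"\x01" + ps + b"\x00" + t      # layout assumed, see lead-in

def sign(msg: bytes) -> bytes:
    m = int.from_bytes(emsa_encode(msg, K - 1), "big")      # OS2IP
    return pow(m, D, N).to_bytes(K, "big")                  # RSASP1, I2OSP

def verify(n: int, e: int, msg: bytes, sig: bytes) -> str:
    k = (n.bit_length() + 7) // 8
    if len(sig) != k:                                       # step 1
        return "invalid signature"
    s = int.from_bytes(sig, "big")                          # step 2
    if s >= n:                             # RSAVP1 rejects s outside 0..n-1
        return "invalid signature"
    m = pow(s, e, n)                                        # step 3
    try:
        em = m.to_bytes(k - 1, "big")                       # step 4
    except OverflowError:                  # "integer too large"
        return "invalid signature"
    try:
        em2 = emsa_encode(msg, k - 1)                       # step 5
    except ValueError:
        return "modulus too short"
    # Step 6: compare EM and EM' as whole octet strings.
    same = hmac.compare_digest(em, em2)
    return "valid signature" if same else "invalid signature"
```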