5. Concatenate PS, the DER encoding T, and other padding to form the
encoded message EM as:
EM = 01 || PS || 00 || T
6. Output EM.
10. Auxiliary Functions
This section specifies the hash functions and the mask generation
functions that are mentioned in the encoding methods (Section 9).
10.1 Hash Functions
Hash functions are used in the operations contained in Sections 7, 8
and 9. Hash functions are deterministic, meaning that the output is
completely determined by the input. Hash functions take octet strings
of variable length, and generate fixed length octet strings. The hash
functions used in the operations contained in Sections 7, 8 and 9
should be collision resistant. This means that it is infeasible to
find two distinct inputs to the hash function that produce the same
output. A collision resistant hash function also has the desirable
property of being one-way; this means that given an output, it is
infeasible to find an input whose hash is the specified output. The
property of collision resistance is especially desirable for
RSASSA-PKCS1-v1_5, as it makes it infeasible to forge signatures. In
addition to these requirements, the hash function should yield a mask
generation function (Section 10.2) with pseudorandom output.
Kaliski & Staddon Informational [Page 27]
RFC 2437 PKCS #1: RSA Cryptography Specifications October 1998
Three hash functions are recommended for the encoding methods in this
document: MD2 [15], MD5 [17], and SHA-1 [16]. For the EME-OAEP
encoding method, only SHA-1 is recommended. For the EMSA-PKCS1-v1_5
encoding method, SHA-1 is recommended for new applications. MD2 and
MD5 are recommended only for compatibility with existing applications
based on PKCS #1 v1.5.
The hash functions themselves are not defined here; readers are
referred to the appropriate references ([15], [17] and [16]).
Note. Version 1.5 of this document also allowed for the use of MD4 in
signature schemes. The cryptanalysis of MD4 has progressed
significantly in the intervening years. For example, Dobbertin [10]
demonstrated how to find collisions for MD4 and that the first two
rounds of MD4 are not one-way [11]. Because of these results and
others (e.g. [9]), MD4 is no longer recommended. There have also been
advances in the cryptanalysis of MD2 and MD5, although not enough to
warrant removal from existing applications. Rogier and Chauvaud [19]
demonstrated how to find collisions in a modified version of MD2. No
one has demonstrated how to find collisions for the full MD5
algorithm, although partial results have been found (e.g. [8]). For
new applications, to address these concerns, SHA-1 is preferred.
10.2 Mask Generation Functions
A mask generation function takes an octet string of variable length
and a desired output length as input, and outputs an octet string of
the desired length. There may be restrictions on the length of the
input and output octet strings, but such bounds are generally very
large. Mask generation functions are deterministic; the octet string
output is completely determined by the input octet string. The output
of a mask generation function should be pseudorandom, that is, if the
seed to the function is unknown, it should be infeasible to
distinguish the output from a truly random string. The plaintext-
awareness of RSAES-OAEP relies on the random nature of the output of
the mask generation function, which in turn relies on the random
nature of the underlying hash.
One mask generation function is recommended for the encoding methods
in this document, and is defined here: MGF1, which is based on a hash
function. Future versions of this document may define other mask
generation functions.
10.2.1 MGF1
MGF1 is a Mask Generation Function based on a hash function.
MGF1 (Z, l)
Options:
Hash hash function (hLen denotes the length in octets of the hash
function output)
Input:
Z seed from which mask is generated, an octet string
l intended length in octets of the mask, at most 2^32 * hLen
Output:
mask mask, an octet string of length l; or "mask too long"
Steps:
1. If l > 2^32 * hLen, output "mask too long" and stop.
2. Let T be the empty octet string.
3. For counter from 0 to \lceil{l / hLen}\rceil - 1, do the following:
a. Convert counter to an octet string C of length 4 with the primitive
I2OSP: C = I2OSP (counter, 4)
b. Concatenate the hash of the seed Z and C to the octet string T:
T = T || Hash (Z || C)
4. Output the leading l octets of T as the octet string mask.
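A runnable version of the MGF1 steps above, added for this edition in Python (it is not code from the RFC); the function and parameter names are this example's own, and the hash is selected by hashlib name with SHA-1 as the default the RFC recommends.

```python
import hashlib
import math


def i2osp(x: int, x_len: int) -> bytes:
    """I2OSP primitive: nonnegative integer to a big-endian octet string of length x_len."""
    if x < 0 or x >= 256 ** x_len:
        raise ValueError("integer too large")
    return x.to_bytes(x_len, "big")


def mgf1_block(seed: bytes, counter: int, hash_name: str = "sha1") -> bytes:
    """Step 3 for one counter value: Hash(Z || C) with C = I2OSP(counter, 4)."""
    return hashlib.new(hash_name, seed + i2osp(counter, 4)).digest()


def mgf1(seed: bytes, length: int, hash_name: str = "sha1") -> bytes:
    """MGF1(Z, l) as specified in Section 10.2.1. hash_name is any hashlib name;
    SHA-1 is the RFC's recommendation (MD2 is not available in hashlib)."""
    h_len = hashlib.new(hash_name).digest_size
    # Step 1: the counter is a 4-octet string, so at most 2^32 blocks can exist.
    if length > (1 << 32) * h_len:
        raise ValueError("mask too long")
    t = b""                                           # Step 2
    for counter in range(math.ceil(length / h_len)):  # Step 3
        t += mgf1_block(seed, counter, hash_name)     # 3a and 3b
    return t[:length]                                 # Step 4
```

Because the output is a prefix of the concatenated hashes, a longer mask from the same seed always extends a shorter one; this is what mgf1SHA1Identifier in Section 11.2.1 refers to.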
11. ASN.1 syntax
11.1 Key representation
This section defines ASN.1 object identifiers for RSA public and
private keys, and defines the types RSAPublicKey and RSAPrivateKey.
The intended application of these definitions includes X.509
certificates, PKCS #8 [22], and PKCS #12 [23].
The object identifier rsaEncryption identifies RSA public and private
keys as defined in Sections 11.1.1 and 11.1.2. The parameters field
associated with this OID in an AlgorithmIdentifier shall have type
NULL.
rsaEncryption OBJECT IDENTIFIER ::= {pkcs-1 1}
All of the definitions in this section are the same as in PKCS #1
v1.5.
11.1.1 Public-key syntax
An RSA public key should be represented with the ASN.1 type
RSAPublicKey:
RSAPublicKey ::= SEQUENCE {
modulus INTEGER, -- n
publicExponent INTEGER -- e
}
(This type is specified in X.509 and is retained here for
compatibility.)
The fields of type RSAPublicKey have the following meanings:
- modulus is the modulus n.
- publicExponent is the public exponent e.
11.1.2 Private-key syntax
An RSA private key should be represented with ASN.1 type
RSAPrivateKey:
RSAPrivateKey ::= SEQUENCE {
version Version,
modulus INTEGER, -- n
publicExponent INTEGER, -- e
privateExponent INTEGER, -- d
prime1 INTEGER, -- p
prime2 INTEGER, -- q
exponent1 INTEGER, -- d mod (p-1)
exponent2 INTEGER, -- d mod (q-1)
coefficient INTEGER -- (inverse of q) mod p
}
Version ::= INTEGER
The fields of type RSAPrivateKey have the following meanings:
- version is the version number, for compatibility with future
revisions of this document. It shall be 0 for this version of the
document.
- modulus is the modulus n.
- publicExponent is the public exponent e.
- privateExponent is the private exponent d.
- prime1 is the prime factor p of n.
- prime2 is the prime factor q of n.
- exponent1 is d mod (p-1).
- exponent2 is d mod (q-1).
- coefficient is the Chinese Remainder Theorem coefficient q^-1 mod p.
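A DER encoder and strict decoder for the two key types of Sections 11.1.1 and 11.1.2, plus the consistency check a verifier should run on a decoded RSAPrivateKey, added for this edition in Python (not code from the RFC). Function names are this example's own; RSAPublicKey is the same SEQUENCE shape with only n and e, and the sample key values in the test are the constructed textbook pair p = 61, q = 53.

```python
import math

def der_len(n: int) -> bytes:
    # DER length octets: short form below 128, else 0x80|count followed by the count octets
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([n]) if n < 128 else bytes([0x80 | len(body)]) + body

def der_int(x: int) -> bytes:
    # DER INTEGER; the spare high bit keeps a value whose top bit is set positive
    body = x.to_bytes((x.bit_length() + 8) // 8, "big")
    return b"\x02" + der_len(len(body)) + body

def der_sequence(*items: bytes) -> bytes:
    return b"\x30" + der_len(sum(map(len, items))) + b"".join(items)

def encode_rsa_private_key(n: int, e: int, d: int, p: int, q: int) -> bytes:
    # RSAPrivateKey with version 0; the CRT fields are derived as the text defines them.
    # RSAPublicKey is simply der_sequence(der_int(n), der_int(e)).
    return der_sequence(der_int(0), der_int(n), der_int(e), der_int(d), der_int(p),
                        der_int(q), der_int(d % (p - 1)), der_int(d % (q - 1)),
                        der_int(pow(q, -1, p)))

def decode_sequence_of_integers(der: bytes) -> list:
    # Strict parser for a DER SEQUENCE of INTEGERs, the shape shared by both key types
    def read_tlv(buf: bytes, pos: int, tag: int):
        if buf[pos:pos + 1] != bytes([tag]):
            raise ValueError("unexpected tag or truncated input")
        length, pos = buf[pos + 1], pos + 2
        if length & 0x80:  # long form: 0x80|count, then count octets holding the length
            count = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
        if pos + length > len(buf):
            raise ValueError("element runs past the end of the buffer")
        return buf[pos:pos + length], pos + length
    body, end = read_tlv(der, 0, 0x30)
    if end != len(der):
        raise ValueError("trailing data after SEQUENCE")
    values, pos = [], 0
    while pos < len(body):
        raw, pos = read_tlv(body, pos, 0x02)
        if not raw or raw[0] & 0x80:  # key fields are nonnegative INTEGERs
            raise ValueError("empty or negative INTEGER")
        values.append(int.from_bytes(raw, "big"))
    return values

def check_rsa_private_key(fields: list) -> bool:
    # version 0, n = p*q, e*d = 1 mod lcm(p-1, q-1), and CRT fields as defined (9 fields expected)
    version, n, e, d, p, q, exp1, exp2, coeff = fields
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)
    return (version == 0 and p * q == n and e * d % lam == 1 and exp1 == d % (p - 1)
            and exp2 == d % (q - 1) and coeff == pow(q, -1, p))
```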
11.2 Scheme identification
This section defines object identifiers for the encryption and
signature schemes. The schemes compatible with PKCS #1 v1.5 have the
same definitions as in PKCS #1 v1.5. The intended application of
these definitions includes X.509 certificates and PKCS #7.
11.2.1 Syntax for RSAES-OAEP
The object identifier id-RSAES-OAEP identifies the RSAES-OAEP
encryption scheme.
id-RSAES-OAEP OBJECT IDENTIFIER ::= {pkcs-1 7}
The parameters field associated with this OID in an
AlgorithmIdentifier shall have type RSAES-OAEP-params:
RSAES-OAEP-params ::= SEQUENCE {
hashFunc [0] AlgorithmIdentifier {{oaepDigestAlgorithms}}
DEFAULT sha1Identifier,
maskGenFunc [1] AlgorithmIdentifier {{pkcs1MGFAlgorithms}}
DEFAULT mgf1SHA1Identifier,
pSourceFunc [2] AlgorithmIdentifier
{{pkcs1pSourceAlgorithms}}
DEFAULT pSpecifiedEmptyIdentifier }
The fields of type RSAES-OAEP-params have the following meanings:
- hashFunc identifies the hash function. It shall be an algorithm ID
with an OID in the set oaepDigestAlgorithms, which for this version
shall consist of id-sha1, identifying the SHA-1 hash function. The
parameters field for id-sha1 shall have type NULL.
oaepDigestAlgorithms ALGORITHM-IDENTIFIER ::= {
{NULL IDENTIFIED BY id-sha1} }
id-sha1 OBJECT IDENTIFIER ::=
{iso(1) identified-organization(3) oiw(14) secsig(3)
algorithms(2) 26}
The default hash function is SHA-1:
sha1Identifier ::= AlgorithmIdentifier {id-sha1, NULL}
- maskGenFunc identifies the mask generation function. It shall be an
algorithm ID with an OID in the set pkcs1MGFAlgorithms, which for
this version shall consist of id-mgf1, identifying the MGF1 mask
generation function (see Section 10.2.1). The parameters field for
id-mgf1 shall have type AlgorithmIdentifier, identifying the hash
function on which MGF1 is based, where the OID for the hash function
shall be in the set oaepDigestAlgorithms.
pkcs1MGFAlgorithms ALGORITHM-IDENTIFIER ::= {
{AlgorithmIdentifier {{oaepDigestAlgorithms}} IDENTIFIED
BY id-mgf1} }
id-mgf1 OBJECT IDENTIFIER ::= {pkcs-1 8}
The default mask generation function is MGF1 with SHA-1:
mgf1SHA1Identifier ::= AlgorithmIdentifier {
id-mgf1, sha1Identifier }
- pSourceFunc identifies the source (and possibly the value) of the
encoding parameters P. It shall be an algorithm ID with an OID in the
set pkcs1pSourceAlgorithms, which for this version shall consist of
id-pSpecified, indicating that the encoding parameters are specified
explicitly. The parameters field for id-pSpecified shall have type
OCTET STRING, containing the encoding parameters.
pkcs1pSourceAlgorithms ALGORITHM-IDENTIFIER ::= {
{OCTET STRING IDENTIFIED BY id-pSpecified} }
id-pSpecified OBJECT IDENTIFIER ::= {pkcs-1 9}
The default encoding parameters are the empty string (so that pHash in
EME-OAEP will contain the hash of the empty string):
pSpecifiedEmptyIdentifier ::= AlgorithmIdentifier {
id-pSpecified, OCTET STRING SIZE (0) }
If all of the default values of the fields in RSAES-OAEP-params are
used, then the algorithm identifier will have the following value:
RSAES-OAEP-Default-Identifier ::= AlgorithmIdentifier {
id-RSAES-OAEP,
{sha1Identifier,
mgf1SHA1Identifier,
pSpecifiedEmptyIdentifier } }
11.2.2 Syntax for RSAES-PKCS1-v1_5
The object identifier rsaEncryption (Section 11.1) identifies the
RSAES-PKCS1-v1_5 encryption scheme. The parameters field associated
with this OID in an AlgorithmIdentifier shall have type NULL. This is
the same as in PKCS #1 v1.5.
rsaEncryption OBJECT IDENTIFIER ::= {pkcs-1 1}
11.2.3 Syntax for RSASSA-PKCS1-v1_5
The object identifier for RSASSA-PKCS1-v1_5 shall be one of the
following. The choice of OID depends on the choice of hash algorithm:
MD2, MD5 or SHA-1. Note that if either MD2 or MD5 is used then the
OID is just as in PKCS #1 v1.5. For each OID, the parameters field
associated with this OID in an AlgorithmIdentifier shall have type
NULL.
If the hash function to be used is MD2, then the OID should be:
md2WithRSAEncryption OBJECT IDENTIFIER ::= {pkcs-1 2}
If the hash function to be used is MD5, then the OID should be:
md5WithRSAEncryption OBJECT IDENTIFIER ::= {pkcs-1 4}
If the hash function to be used is SHA-1, then the OID should be:
sha1WithRSAEncryption OBJECT IDENTIFIER ::= {pkcs-1 5}
In the DigestInfo type mentioned in Section 9.2.1, the OIDs for the
digest algorithm are the following:
id-sha1 OBJECT IDENTIFIER ::=
{iso(1) identified-organization(3) oiw(14) secsig(3)
algorithms(2) 26 }
md2 OBJECT IDENTIFIER ::=
{iso(1) member-body(2) US(840) rsadsi(113549)
digestAlgorithm(2) 2}
md5 OBJECT IDENTIFIER ::=
{iso(1) member-body(2) US(840) rsadsi(113549)
digestAlgorithm(2) 5}
The parameters field of the digest algorithm has ASN.1 type NULL for
these OIDs.
12. Patent statement
The Internet Standards Process as defined in RFC 1310 requires a
written statement from the Patent holder that a license will be made
available to applicants under reasonable terms and conditions prior
to approving a specification as a Proposed, Draft or Internet
Standard.