
   identifies this algorithm.  When this object identifier is used with
   the ASN.1 type AlgorithmIdentifier, the parameters component of that
   type is the ASN.1 type NULL.

   The RSA-MD5 message digest algorithm accepts as input a message of
   any length and produces as output a 16-octet quantity.  When
   symmetric key management is employed, an RSA-MD5 MIC is encrypted by
   splitting the MIC into two 8-octet halves, independently encrypting
   each half, and concatenating the results.

   When symmetric key management is employed with this MIC algorithm,
   the symmetrically encrypted MD5 message digest is represented in the
   fourth argument of a "Key-Info:" header field as a contiguous string
   of 32 ASCII hexadecimal digits (corresponding to a 128-bit MD5



Balenson                                                        [Page 5]

RFC 1423         PEM: Algorithms, Modes and Identifiers    February 1993


   message digest).

   To avoid any potential ambiguity regarding the ordering of the octets
   of a MD5 message digest that is input as an RSA data value to the RSA
   encryption process, the following holds true.  The first (or left-
   most displayed, if one thinks in terms of a digest's "print"
   representation) octet of the digest (i.e., the low-order octet of A
   as specified in RFC 1321), when considered as an RSA data value, has
   numerical weight 2**120.  The last (or right-most displayed) octet
   (i.e., the high-order octet of D as specified in RFC 1321) has
   numerical weight 2**0.

3.  Symmetric Key Management Algorithms

   This section identifies the alternative algorithms and modes that
   shall be used when symmetric key management is employed, to encrypt
   data encryption keys (DEKs) and message integrity check (MIC) values.
   Character string identifiers are assigned for incorporation in
   encapsulated "Key-Info:" header fields to indicate the choice of
   algorithm employed.

   All alternatives presently defined in this category correspond to
   different usage modes of the DES algorithm, rather than to other
   algorithms.

   When symmetric key management is employed, the symmetrically
   encrypted DEK and MIC, carried in the third and fourth arguments of a
   "Key-Info:" header field, respectively, are each represented as a
   string of contiguous ASCII hexadecimal digits.  The manner in which
   to use the following symmetric encryption algorithms and the length
   of the symmetrically encrypted DEK and MIC may vary depending on the
   length of the underlying DEK and MIC.  Section 1, Message Encryption
   Algorithms, and Section 2, Message Integrity Check Algorithms,
   provide information on the proper manner in which a DEK and MIC,
   respectively, are symmetrically encrypted when the size of the DEK or
   MIC is not equal to the symmetric encryption algorithm's input block
   size.  These sections also provide information on the proper format
   and length of the symmetrically encrypted DEK and MIC, respectively.

3.1  DES in ECB Mode (DES-ECB)

   The DES algorithm in Electronic Codebook (ECB) mode [1][3] is used
   for DEK and MIC encryption when symmetric key management is employed.
   The character string "DES-ECB" within an encapsulated PEM header
   field indicates use of this algorithm/mode combination.

   A compliant PEM implementation supporting symmetric key management
   shall support this algorithm/mode combination.

3.2  DES in EDE Mode (DES-EDE)

   The DES algorithm in Encrypt-Decrypt-Encrypt (EDE) multiple
   encryption mode, as defined by ANSI X9.17 [6] for encryption and
   decryption with pairs of 64-bit keys, may be used for DEK and MIC
   encryption when symmetric key management is employed.  The character
   string "DES-EDE" within an encapsulated PEM header field indicates
   use of this algorithm/mode combination.

   A compliant PEM implementation supporting symmetric key management
   may optionally support this algorithm/mode combination.

4.  Asymmetric Key Management Algorithms

   This section identifies the alternative asymmetric keys and the
   alternative asymmetric key management algorithms with which those
   keys shall be used, namely the asymmetric encryption algorithms with
   which DEKs and MICs are encrypted, and the asymmetric signature
   algorithms with which certificates and certificate revocation lists
   (CRLs) are signed.

4.1  Asymmetric Keys

   This section describes the asymmetric keys that shall be used with
   the asymmetric encryption algorithms and the signature algorithms
   described later.  ASN.1 object identifiers are identified for
   incorporation in a public-key certificate to identify the
   algorithm(s) with which the accompanying public key is to be
   employed.

4.1.1  RSA Keys

   An RSA asymmetric key pair is comprised of matching public and
   private keys.

   An RSA public key consists of an encryption exponent e and an
   arithmetic modulus n, which are both public quantities typically
   carried in a public-key certificate.  For the value of e, Annex C to
   X.509 suggests the use of Fermat's Number F4 (65537 decimal, or
   1+2**16) as a value "common to the whole environment in order to
   reduce transmission capacity and complexity of transformation", i.e.,
   the value can be transmitted as 3 octets and at most seventeen (17)
   multiplications are required to effect exponentiation.  As an
   alternative, the number three (3) can be employed as the value for e,
   requiring even fewer octets for transmission and yielding even faster
   exponentiation.  For purposes of PEM, the value of e shall be either
   F4 or the number three (3).  The use of the number three (3) for the
   value of e is encouraged, to permit rapid certificate validation.

   An RSA private key consists of a decryption exponent d, which should
   be kept secret, and the arithmetic modulus n.  Other values may be
   stored with a private key to facilitate efficient private key
   operations (see PKCS #1 [11]).

   For purposes of PEM, the modulus n may vary in size from 508 to 1024
   bits.

   Two ASN.1 object identifiers have been defined to identify RSA public
   keys.  In Annex H of X.509 [8], the object identifier

     rsa OBJECT IDENTIFIER ::= {
         joint-iso-ccitt(2) ds(5) algorithm(8)
         encryptionAlgorithm(1) 1
     }

   is defined to identify an RSA public key.  A single parameter,
   KeySize, the length of the public key modulus in bits, is defined for
   use in conjunction with this object identifier.  When this object
   identifier is used with the ASN.1 type AlgorithmIdentifier, the
   parameters component of that type is the number of bits in the
   modulus, ASN.1 encoded as an INTEGER.

   Alternatively, in PKCS #1 [11], the ASN.1 object identifier

     rsaEncryption OBJECT IDENTIFIER ::= {
         iso(1) member-body(2) US(840) rsadsi(113549) pkcs(1)
         pkcs-1(1) 1
     }

   is defined to identify both an RSA public key and the RSAEncryption
   process.  There are no parameters defined in conjunction with this
   object identifier, hence, when it is used with the ASN.1 type
   AlgorithmIdentifier, the parameters component of that type is the
   ASN.1 type NULL.

   A compliant PEM implementation may optionally generate an RSA
   public-key certificate that identifies the enclosed RSA public key
   (within the SubjectPublicKeyInformation component) with either the
   "rsa" or the "rsaEncryption" object identifier.  Use of the "rsa"
   object identifier is encouraged, since it is, in some sense, more
   generic in its identification of a key, without indicating how the
   key will be used.  However, to facilitate interoperability, a
   compliant PEM implementation shall accept RSA public-key certificates
   that identify the enclosed RSA public key with either the "rsa" or
   the "rsaEncryption" object identifier.  In all cases, an RSA public
   key identified in an RSA public-key certificate with either the "rsa"
   or "rsaEncryption" object identifier, shall be used according to the
   procedures defined below for asymmetric encryption algorithms and
   asymmetric signature algorithms.

4.2  Asymmetric Encryption Algorithms

   This section identifies the alternative algorithms that shall be used
   when asymmetric key management is employed, to encrypt DEKs and MICs.
   Character string identifiers are assigned for incorporation in "MIC-
   Info:" and "Key-Info:" header fields to indicate the choice of
   algorithm employed.

   Only one alternative is presently defined in this category.

4.2.1  RSAEncryption

   The RSAEncryption public-key encryption algorithm, defined in PKCS #1
   [11], is used for DEK and MIC encryption when asymmetric key
   management is employed.  The character string "RSA" within a "MIC-
   Info:" or "Key-Info:" header field indicates the use of this
   algorithm.

   All PEM implementations supporting asymmetric key management shall
   support this algorithm.

   As described in PKCS #1, all quantities input as data values to the
   RSAEncryption process shall be properly justified and padded to the
   length of the modulus prior to the encryption process.  In general,
   an RSAEncryption input value is formed by concatenating a leading
   NULL octet, a block type BT, a padding string PS, a NULL octet, and
   the data quantity D, that is,

     RSA input value = 0x00 || BT || PS || 0x00 || D.

   To prepare a DEK for RSAEncryption, the PKCS #1 "block type 02"
   encryption-block formatting scheme is employed.  The block type BT is
   a single octet containing the value 0x02 and the padding string PS is
   one or more octets (enough octets to make the length of the complete
   RSA input value equal to the length of the modulus) each containing a
   pseudorandomly generated, non-zero value.  For multiple recipient
   messages, a different, pseudorandom padding string should be used for
   each recipient.  The data quantity D is the DEK itself, which is
   right-justified within the RSA input such that the last (or rightmost
   displayed, if one thinks in terms of the "print" representation)
   octet of the DEK is aligned with the right-most, or least-
   significant, octet of the RSA input.  Proceeding to the left, each of
   the remaining octets of the DEK, up through the first (or left-most
   displayed) octet, are each aligned in the next more significant octet
   of the RSA input.

   To prepare a MIC for RSAEncryption, the PKCS #1 "block type 01"
   encryption-block formatting scheme is employed.  The block type BT is
   a single octet containing the value 0x01 and the padding string PS is
   one or more octets (enough octets to make the length of the complete
   RSA input value equal to the length of the modulus) each containing
   the value 0xFF.  The data quantity D is comprised of the MIC and the
   MIC algorithm identifier which are ASN.1 encoded as the following
   sequence.

     SEQUENCE {
         digestAlgorithm   AlgorithmIdentifier,
         digest            OCTET STRING
     }
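
   The two block formats described in this section, as an added Python
   example that is not part of the RFC text. The function names, the
   64-octet modulus length and the sample DEK are assumptions made for
   illustration; the MD5 DigestInfo prefix is the standard DER encoding
   with NULL parameters. The MIC check rebuilds the whole expected block
   and compares it, so padding that deviates in any octet is rejected.

```python
import hashlib
import hmac
import secrets

# DER encoding of SEQUENCE { AlgorithmIdentifier {md5, NULL}, OCTET STRING (16) }
# up to, but not including, the 16 digest octets.
MD5_DIGESTINFO_PREFIX = bytes.fromhex("3020300c06082a864886f70d020505000410")


def format_block(bt: int, d: bytes, k: int) -> bytes:
    """Return 0x00 || BT || PS || 0x00 || D, exactly k octets long."""
    ps_len = k - 3 - len(d)
    if ps_len < 1:  # the text asks for "one or more"; PKCS #1 itself requires eight
        raise ValueError("data too long for modulus")
    if bt == 0x01:    # MIC: every padding octet is 0xFF
        ps = b"\xff" * ps_len
    elif bt == 0x02:  # DEK: pseudorandom, non-zero octets, fresh per recipient
        ps = bytes(secrets.randbelow(255) + 1 for _ in range(ps_len))
    else:
        raise ValueError("unsupported block type")
    return b"\x00" + bytes([bt]) + ps + b"\x00" + d  # D ends up right-justified


def mic_block(message: bytes, k: int) -> bytes:
    """Block type 01 RSA input carrying an RSA-MD5 MIC over message."""
    digest_info = MD5_DIGESTINFO_PREFIX + hashlib.md5(message).digest()
    return format_block(0x01, digest_info, k)


def check_mic_block(recovered: bytes, message: bytes, k: int) -> bool:
    """Accept only a block identical to the one the sender had to build."""
    return hmac.compare_digest(recovered, mic_block(message, k))


def to_rsa_integer(block: bytes) -> int:
    """First octet is most significant; the last octet has weight 2**0."""
    return int.from_bytes(block, "big")


if __name__ == "__main__":
    K = 64                                   # constructed: 512-bit modulus
    dek = bytes.fromhex("0123456789abcdef")  # constructed 8-octet DES key
    print(format_block(0x02, dek, K).hex())
    print(mic_block(b"constructed message", K).hex())
```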

   The ASN.1 type AlgorithmIdentifier is defined in X.509 as follows.
