
📄 rfc2437.txt

   Three hash functions are recommended for the encoding methods in this
   document: MD2 [15], MD5 [17], and SHA-1 [16]. For the EME-OAEP
   encoding method, only SHA-1 is recommended. For the EMSA-PKCS1-v1_5
   encoding method, SHA-1 is recommended for new applications. MD2 and
   MD5 are recommended only for compatibility with existing applications
   based on PKCS #1 v1.5.

   The hash functions themselves are not defined here; readers are
   referred to the appropriate references ([15], [17] and [16]).

   Note. Version 1.5 of this document also allowed for the use of MD4 in
   signature schemes. The cryptanalysis of MD4 has progressed
   significantly in the intervening years. For example, Dobbertin [10]
   demonstrated how to find collisions for MD4 and that the first two
   rounds of MD4 are not one-way [11]. Because of these results and
   others (e.g. [9]), MD4 is no longer recommended. There have also been
   advances in the cryptanalysis of MD2 and MD5, although not enough to
   warrant removal from existing applications. Rogier and Chauvaud [19]
   demonstrated how to find collisions in a modified version of MD2. No
   one has demonstrated how to find collisions for the full MD5
   algorithm, although partial results have been found (e.g. [8]). For
   new applications, to address these concerns, SHA-1 is preferred.

10.2 Mask Generation Functions

   A mask generation function takes an octet string of variable length
   and a desired output length as input, and outputs an octet string of
   the desired length. There may be restrictions on the length of the
   input and output octet strings, but such bounds are generally very
   large. Mask generation functions are deterministic; the octet string
   output is completely determined by the input octet string. The output
   of a mask generation function should be pseudorandom, that is, if the
   seed to the function is unknown, it should be infeasible to
   distinguish the output from a truly random string.
   The plaintext-awareness of RSAES-OAEP relies on the random nature of
   the output of the mask generation function, which in turn relies on
   the random nature of the underlying hash.

   One mask generation function is recommended for the encoding methods
   in this document, and is defined here: MGF1, which is based on a hash
   function. Future versions of this document may define other mask
   generation functions.

10.2.1 MGF1

   MGF1 is a Mask Generation Function based on a hash function.

   MGF1 (Z, l)

Kaliski & Staddon            Informational                     [Page 28]

RFC 2437        PKCS #1: RSA Cryptography Specifications    October 1998

   Options:
   Hash    hash function (hLen denotes the length in octets of the hash
           function output)

   Input:
   Z       seed from which mask is generated, an octet string
   l       intended length in octets of the mask, at most 2^32(hLen)

   Output:
   mask    mask, an octet string of length l; or "mask too long"

   Steps:

   1. If l > 2^32(hLen), output "mask too long" and stop.

   2. Let T be the empty octet string.

   3. For counter from 0 to \lceil{l / hLen}\rceil-1, do the following:

      a. Convert counter to an octet string C of length 4 with the
         primitive I2OSP: C = I2OSP (counter, 4)

      b. Concatenate the hash of the seed Z and C to the octet string
         T: T = T || Hash (Z || C)

   4. Output the leading l octets of T as the octet string mask.

11. ASN.1 syntax

11.1 Key representation

   This section defines ASN.1 object identifiers for RSA public and
   private keys, and defines the types RSAPublicKey and RSAPrivateKey.
   The intended application of these definitions includes X.509
   certificates, PKCS #8 [22], and PKCS #12 [23].

   The object identifier rsaEncryption identifies RSA public and private
   keys as defined in Sections 11.1.1 and 11.1.2. The parameters field
   associated with this OID in an AlgorithmIdentifier shall have type
   NULL.
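
The MGF1 steps of Section 10.2.1 above, written out as an added example (not part of RFC 2437). The function names and the use of Python's hashlib are choices made for this example; SHA-1 is the default because it is the hash the document recommends for EME-OAEP.

```python
import hashlib

def i2osp(x, length):
    """I2OSP: non-negative integer -> big-endian octet string of fixed length."""
    if x < 0 or x >= 256 ** length:
        raise ValueError("integer too large")
    return x.to_bytes(length, "big")

def mgf1(seed, mask_len, hash_name="sha1"):
    """MGF1(Z, l): Z is `seed`, l is `mask_len`, Hash is chosen by `hash_name`."""
    h_len = hashlib.new(hash_name).digest_size
    # Step 1: the 4-octet counter limits the output to 2^32 hash blocks.
    if mask_len < 0 or mask_len > (2 ** 32) * h_len:
        raise ValueError("mask too long")
    # Step 2: T starts as the empty octet string.
    t = b""
    # Step 3: counter runs from 0 to ceil(l / hLen) - 1.
    for counter in range(-(-mask_len // h_len)):
        c = i2osp(counter, 4)                              # step 3a
        t += hashlib.new(hash_name, seed + c).digest()     # step 3b
    # Step 4: the mask is the leading l octets of T.
    return t[:mask_len]

def mask_blocks(seed, mask_len, hash_name="sha1"):
    """Split a mask into its per-counter hash blocks, to show its structure."""
    h_len = hashlib.new(hash_name).digest_size
    mask = mgf1(seed, mask_len, hash_name)
    return [mask[i:i + h_len] for i in range(0, len(mask), h_len)]
```

Because each block depends only on the seed and the counter, a shorter mask is always a prefix of a longer mask from the same seed, so a seed must never be reused where the mask is expected to look fresh.
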

   rsaEncryption OBJECT IDENTIFIER ::= {pkcs-1 1}

   All of the definitions in this section are the same as in PKCS #1
   v1.5.

11.1.1 Public-key syntax

   An RSA public key should be represented with the ASN.1 type
   RSAPublicKey:

   RSAPublicKey::=SEQUENCE{
     modulus INTEGER, -- n
     publicExponent INTEGER -- e }

   (This type is specified in X.509 and is retained here for
   compatibility.)

   The fields of type RSAPublicKey have the following meanings:

   -modulus is the modulus n.

   -publicExponent is the public exponent e.

11.1.2 Private-key syntax

   An RSA private key should be represented with ASN.1 type
   RSAPrivateKey:

   RSAPrivateKey ::= SEQUENCE {
     version Version,
     modulus INTEGER, -- n
     publicExponent INTEGER, -- e
     privateExponent INTEGER, -- d
     prime1 INTEGER, -- p
     prime2 INTEGER, -- q
     exponent1 INTEGER, -- d mod (p-1)
     exponent2 INTEGER, -- d mod (q-1)
     coefficient INTEGER -- (inverse of q) mod p }

   Version ::= INTEGER

   The fields of type RSAPrivateKey have the following meanings:

   -version is the version number, for compatibility with future
   revisions of this document. It shall be 0 for this version of the
   document.

   -modulus is the modulus n.

   -publicExponent is the public exponent e.

   -privateExponent is the private exponent d.

   -prime1 is the prime factor p of n.

   -prime2 is the prime factor q of n.

   -exponent1 is d mod (p-1).

   -exponent2 is d mod (q-1).

   -coefficient is the Chinese Remainder Theorem coefficient
   q^(-1) mod p, that is, the inverse of q modulo p.

11.2 Scheme identification

   This section defines object identifiers for the encryption and
   signature schemes. The schemes compatible with PKCS #1 v1.5 have the
   same definitions as in PKCS #1 v1.5.
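
An added example (not part of RFC 2437) for the RSAPrivateKey type of Section 11.1.2: a minimal DER reader that decodes the nine INTEGER fields and checks them against the field meanings listed there, as one would before accepting an imported key. The function names, the encode_key helper and the toy key are constructed for this example, and the reader is not a strict DER validator.

```python
FIELDS = ("version", "modulus", "publicExponent", "privateExponent", "prime1",
          "prime2", "exponent1", "exponent2", "coefficient")

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element that starts at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                  # long form: low 7 bits count the length octets
        n_octets = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n_octets], "big")
        pos += n_octets
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def parse_private_key(der):
    """Decode RSAPrivateKey, a SEQUENCE of nine INTEGERs, into a dict."""
    tag, body, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected exactly one SEQUENCE")
    values, pos = [], 0
    while pos < len(body):
        tag, raw, pos = read_tlv(body, pos)
        if tag != 0x02:
            raise ValueError("expected INTEGER")
        values.append(int.from_bytes(raw, "big", signed=True))
    if len(values) != len(FIELDS):
        raise ValueError("RSAPrivateKey must have nine fields")
    return dict(zip(FIELDS, values))

def inconsistent_fields(key):
    """Names of fields that contradict the meanings given in Section 11.1.2."""
    d, p, q = key["privateExponent"], key["prime1"], key["prime2"]
    bad = [] if key["version"] == 0 else ["version"]
    if p < 3 or q < 3 or p * q != key["modulus"]:
        return bad + ["modulus"]       # remaining checks need valid p and q
    want = {"exponent1": d % (p - 1), "exponent2": d % (q - 1)}
    bad += [name for name, value in want.items() if key[name] != value]
    if key["coefficient"] * q % p != 1:
        bad.append("coefficient")
    return bad

def encode_key(values):  # sample builder (assumption): values >= 0, short lengths
    ints = [v.to_bytes(v.bit_length() // 8 + 1, "big") for v in values]
    body = b"".join(b"\x02" + bytes([len(i)]) + i for i in ints)
    return b"\x30" + bytes([len(body)]) + body

SAMPLE = encode_key([0, 3233, 17, 2753, 61, 53, 53, 49, 38])  # constructed toy key
```
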
   The intended application of these definitions includes X.509
   certificates and PKCS #7.

11.2.1 Syntax for RSAES-OAEP

   The object identifier id-RSAES-OAEP identifies the RSAES-OAEP
   encryption scheme.

   id-RSAES-OAEP OBJECT IDENTIFIER ::= {pkcs-1 7}

   The parameters field associated with this OID in an
   AlgorithmIdentifier shall have type RSAES-OAEP-params:

   RSAES-OAEP-params ::=  SEQUENCE {
     hashFunc [0] AlgorithmIdentifier {{oaepDigestAlgorithms}}
       DEFAULT sha1Identifier,
     maskGenFunc [1] AlgorithmIdentifier {{pkcs1MGFAlgorithms}}
       DEFAULT mgf1SHA1Identifier,
     pSourceFunc [2] AlgorithmIdentifier
       {{pkcs1pSourceAlgorithms}}
       DEFAULT pSpecifiedEmptyIdentifier }

   The fields of type RSAES-OAEP-params have the following meanings:

   -hashFunc identifies the hash function. It shall be an algorithm ID
   with an OID in the set oaepDigestAlgorithms, which for this version
   shall consist of id-sha1, identifying the SHA-1 hash function. The
   parameters field for id-sha1 shall have type NULL.

   oaepDigestAlgorithms ALGORITHM-IDENTIFIER ::= {
     {NULL IDENTIFIED BY id-sha1} }

   id-sha1 OBJECT IDENTIFIER ::=
     {iso(1) identified-organization(3) oiw(14) secsig(3)
       algorithms(2) 26}

   The default hash function is SHA-1:

   sha1Identifier ::= AlgorithmIdentifier {id-sha1, NULL}

   -maskGenFunc identifies the mask generation function. It shall be an
   algorithm ID with an OID in the set pkcs1MGFAlgorithms, which for
   this version shall consist of id-mgf1, identifying the MGF1 mask
   generation function (see Section 10.2.1). The parameters field for
   id-mgf1 shall have type AlgorithmIdentifier, identifying the hash
   function on which MGF1 is based, where the OID for the hash function
   shall be in the set oaepDigestAlgorithms.

   pkcs1MGFAlgorithms ALGORITHM-IDENTIFIER ::= {
     {AlgorithmIdentifier {{oaepDigestAlgorithms}} IDENTIFIED
       BY id-mgf1} }

   id-mgf1 OBJECT IDENTIFIER ::= {pkcs-1 8}

   The default mask generation function is MGF1 with SHA-1:

   mgf1SHA1Identifier ::= AlgorithmIdentifier {
     id-mgf1, sha1Identifier }

   -pSourceFunc identifies the source (and possibly the value) of the
   encoding parameters P. It shall be an algorithm ID with an OID in the
   set pkcs1pSourceAlgorithms, which for this version shall consist of
   id-pSpecified, indicating that the encoding parameters are specified
   explicitly. The parameters field for id-pSpecified shall have type
   OCTET STRING, containing the encoding parameters.

   pkcs1pSourceAlgorithms ALGORITHM-IDENTIFIER ::= {
     {OCTET STRING IDENTIFIED BY id-pSpecified} }

   id-pSpecified OBJECT IDENTIFIER ::= {pkcs-1 9}

   The default for the encoding parameters is an empty string (so that
   pHash in EME-OAEP will contain the hash of the empty string):

   pSpecifiedEmptyIdentifier ::= AlgorithmIdentifier {
     id-pSpecified, OCTET STRING SIZE (0) }

   If all of the default values of the fields in RSAES-OAEP-params are
   used, then the algorithm identifier will have the following value:

   RSAES-OAEP-Default-Identifier ::= AlgorithmIdentifier {
     id-RSAES-OAEP,
     {sha1Identifier,
      mgf1SHA1Identifier,
      pSpecifiedEmptyIdentifier } }

11.2.2 Syntax for RSAES-PKCS1-v1_5

   The object identifier rsaEncryption (Section 11.1) identifies the
   RSAES-PKCS1-v1_5 encryption scheme. The parameters field associated
   with this OID in an AlgorithmIdentifier shall have type NULL. This is
   the same as in PKCS #1 v1.5.

   RsaEncryption   OBJECT IDENTIFIER ::= {PKCS-1 1}

11.2.3 Syntax for RSASSA-PKCS1-v1_5

   The object identifier for RSASSA-PKCS1-v1_5 shall be one of the
   following.
   The choice of OID depends on the choice of hash algorithm:
   MD2, MD5 or SHA-1. Note that if either MD2 or MD5 is used then the
   OID is just as in PKCS #1 v1.5. For each OID, the parameters field
   associated with this OID in an AlgorithmIdentifier shall have type
   NULL.

   If the hash function to be used is MD2, then the OID should be:

   md2WithRSAEncryption ::= {PKCS-1 2}

   If the hash function to be used is MD5, then the OID should be:

   md5WithRSAEncryption ::= {PKCS-1 4}

   If the hash function to be used is SHA-1, then the OID should be:

   sha1WithRSAEncryption ::= {pkcs-1 5}

   In the digestInfo type mentioned in Section 9.2.1 the OIDs for the
   digest algorithm are the following:

   id-SHA1 OBJECT IDENTIFIER ::=
           {iso(1) identified-organization(3) oiw(14) secsig(3)
            algorithms(2) 26 }

   md2 OBJECT IDENTIFIER ::=
           {iso(1) member-body(2) US(840) rsadsi(113549)
            digestAlgorithm(2) 2}

   md5 OBJECT IDENTIFIER ::=
           {iso(1) member-body(2) US(840) rsadsi(113549)
            digestAlgorithm(2) 5}

   The parameters field of the digest algorithm has ASN.1 type NULL for
   these OIDs.

12. Patent statement

   The Internet Standards Process as defined in RFC 1310 requires a
   written statement from the Patent holder that a license will be made
   available to applicants under reasonable terms and conditions prior
   to approving a specification as a Proposed, Draft or Internet
   Standard.

   The Internet Society, Internet Architecture Board, Internet
   Engineering Steering Group and the Corporation for National Research
   Initiatives take no position on the validity or scope of the
   following patents and patent applications, nor on the appropriateness
   of the terms of the assurance.
   The Internet Society and other groups mentioned above have not made
   any determination as to any other intellectual property rights which
   may apply to the practice of this standard.  Any further
   consideration of these matters is the user's responsibility.

12.1 Patent statement for the RSA algorithm

   The Massachusetts Institute of Technology has granted RSA Data
   Security, Inc., exclusive sub-licensing rights to the following
   patent issued in the United States:

   Cryptographic Communications System and Method ("RSA"), No. 4,405,829

   RSA Data Security, Inc. has provided the following statement with
   regard to this patent:

   It is RSA's business practice to make licenses to its patents
   available on reasonable and nondiscriminatory terms. Accordingly, RSA
   is willing, upon request, to grant non-exclusive licenses to such
   patent on reasonable and non-discriminatory terms and conditions to
   those who respect RSA's intellectual property rights and subject to
   RSA's then current royalty rate for the patent licensed. The royalty
   rate for the RSA patent is presently set at 2% of the licensee's
   selling price for each product covered by the patent.  Any requests
   for license information may be directed to:

            Director of Licensing
            RSA Data Security, Inc.
            2955 Campus Drive
            Suite 400
            San Mateo, CA 94403

   A license under RSA's patent(s) doe
