diff options
Diffstat (limited to 'doc/protocol/rfc2313.txt')
-rw-r--r-- | doc/protocol/rfc2313.txt | 1067 |
1 files changed, 0 insertions, 1067 deletions
diff --git a/doc/protocol/rfc2313.txt b/doc/protocol/rfc2313.txt deleted file mode 100644 index f9471eba6b..0000000000 --- a/doc/protocol/rfc2313.txt +++ /dev/null @@ -1,1067 +0,0 @@ - - - - - - -Network Working Group B. Kaliski -Request for Comments: 2313 RSA Laboratories East -Category: Informational March 1998 - - - PKCS #1: RSA Encryption - Version 1.5 - -Status of this Memo - - This memo provides information for the Internet community. It does - not specify an Internet standard of any kind. Distribution of this - memo is unlimited. - -Copyright Notice - - Copyright (C) The Internet Society (1998). All Rights Reserved. - -Overview - - This document describes a method for encrypting data using the RSA - public-key cryptosystem. - -1. Scope - - This document describes a method for encrypting data using the RSA - public-key cryptosystem. Its intended use is in the construction of - digital signatures and digital envelopes, as described in PKCS #7: - - o For digital signatures, the content to be signed - is first reduced to a message digest with a - message-digest algorithm (such as MD5), and then - an octet string containing the message digest is - encrypted with the RSA private key of the signer - of the content. The content and the encrypted - message digest are represented together according - to the syntax in PKCS #7 to yield a digital - signature. This application is compatible with - Privacy-Enhanced Mail (PEM) methods. - - o For digital envelopes, the content to be enveloped - is first encrypted under a content-encryption key - with a content-encryption algorithm (such as DES), - and then the content-encryption key is encrypted - with the RSA public keys of the recipients of the - content. The encrypted content and the encrypted - - - - - -Kaliski Informational [Page 1] - -RFC 2313 PKCS #1: RSA Encryption March 1998 - - - content-encryption key are represented together - according to the syntax in PKCS #7 to yield a - digital envelope. This application is also - compatible with PEM methods. - - The document also describes a syntax for RSA public keys and private - keys. The public-key syntax would be used in certificates; the - private-key syntax would be used typically in PKCS #8 private-key - information. The public-key syntax is identical to that in both X.509 - and Privacy-Enhanced Mail. Thus X.509/PEM RSA keys can be used in - this document. - - The document also defines three signature algorithms for use in - signing X.509/PEM certificates and certificate-revocation lists, PKCS - #6 extended certificates, and other objects employing digital - signatures such as X.401 message tokens. - - Details on message-digest and content-encryption algorithms are - outside the scope of this document, as are details on sources of the - pseudorandom bits required by certain methods in this document. - -2. References - - FIPS PUB 46-1 National Bureau of Standards. FIPS PUB 46-1: - Data Encryption Standard. January 1988. - - PKCS #6 RSA Laboratories. PKCS #6: Extended-Certificate - Syntax. Version 1.5, November 1993. - - PKCS #7 RSA Laboratories. PKCS #7: Cryptographic Message - Syntax. Version 1.5, November 1993. - - PKCS #8 RSA Laboratories. PKCS #8: Private-Key Information - Syntax. Version 1.2, November 1993. - - RFC 1319 Kaliski, B., "The MD2 Message-Digest - Algorithm," RFC 1319, April 1992. - - RFC 1320 Rivest, R., "The MD4 Message-Digest - Algorithm," RFC 1320, April 1992. - - RFC 1321 Rivest, R., "The MD5 Message-Digest - Algorithm," RFC 1321, April 1992. - - RFC 1423 Balenson, D., "Privacy Enhancement for - Internet Electronic Mail: Part III: Algorithms, - Modes, and Identifiers," RFC 1423, February 1993. - - - - -Kaliski Informational [Page 2] - -RFC 2313 PKCS #1: RSA Encryption March 1998 - - - X.208 CCITT. Recommendation X.208: Specification of - Abstract Syntax Notation One (ASN.1). 1988. - - X.209 CCITT. Recommendation X.209: Specification of - Basic Encoding Rules for Abstract Syntax Notation - One (ASN.1). 1988. - - X.411 CCITT. Recommendation X.411: Message Handling - Systems: Message Transfer System: Abstract Service - Definition and Procedures.1988. - - X.509 CCITT. Recommendation X.509: The Directory-- - Authentication Framework. 1988. - - [dBB92] B. den Boer and A. Bosselaers. An attack on the - last two rounds of MD4. In J. Feigenbaum, editor, - Advances in Cryptology---CRYPTO '91 Proceedings, - volume 576 of Lecture Notes in Computer Science, - pages 194-203. Springer-Verlag, New York, 1992. - - [dBB93] B. den Boer and A. Bosselaers. Collisions for the - compression function of MD5. Presented at - EUROCRYPT '93 (Lofthus, Norway, May 24-27, 1993). - - [DO86] Y. Desmedt and A.M. Odlyzko. A chosen text attack - on the RSA cryptosystem and some discrete - logarithm schemes. In H.C. Williams, editor, - Advances in Cryptology---CRYPTO '85 Proceedings, - volume 218 of Lecture Notes in Computer Science, - pages 516-521. Springer-Verlag, New York, 1986. - - [Has88] Johan Hastad. Solving simultaneous modular - equations. SIAM Journal on Computing, - 17(2):336-341, April 1988. - - [IM90] Colin I'Anson and Chris Mitchell. Security defects - in CCITT Recommendation X.509--The directory - authentication framework. Computer Communications - Review, :30-34, April 1990. - - [Mer90] R.C. Merkle. Note on MD4. Unpublished manuscript, - 1990. - - [Mil76] G.L. Miller. Riemann's hypothesis and tests for - primality. Journal of Computer and Systems - Sciences, 13(3):300-307, 1976. - - - - - -Kaliski Informational [Page 3] - -RFC 2313 PKCS #1: RSA Encryption March 1998 - - - [QC82] J.-J. Quisquater and C. Couvreur. Fast - decipherment algorithm for RSA public-key - cryptosystem. Electronics Letters, 18(21):905-907, - October 1982. - - [RSA78] R.L. Rivest, A. Shamir, and L. Adleman. A method - for obtaining digital signatures and public-key - cryptosystems. Communications of the ACM, - 21(2):120-126, February 1978. - -3. Definitions - - For the purposes of this document, the following definitions apply. - - AlgorithmIdentifier: A type that identifies an algorithm (by object - identifier) and associated parameters. This type is defined in X.509. - - ASN.1: Abstract Syntax Notation One, as defined in X.208. - - BER: Basic Encoding Rules, as defined in X.209. - - DES: Data Encryption Standard, as defined in FIPS PUB 46-1. - - MD2: RSA Data Security, Inc.'s MD2 message-digest algorithm, as - defined in RFC 1319. - - MD4: RSA Data Security, Inc.'s MD4 message-digest algorithm, as - defined in RFC 1320. - - MD5: RSA Data Security, Inc.'s MD5 message-digest algorithm, as - defined in RFC 1321. - - modulus: Integer constructed as the product of two primes. - - PEM: Internet Privacy-Enhanced Mail, as defined in RFC 1423 and - related documents. - - RSA: The RSA public-key cryptosystem, as defined in [RSA78]. - - private key: Modulus and private exponent. - - public key: Modulus and public exponent. - -4. Symbols and abbreviations - - Upper-case symbols (e.g., BT) denote octet strings and bit strings - (in the case of the signature S); lower-case symbols (e.g., c) denote - integers. - - - -Kaliski Informational [Page 4] - -RFC 2313 PKCS #1: RSA Encryption March 1998 - - - ab hexadecimal octet value c exponent - BT block type d private exponent - D data e public exponent - EB encryption block k length of modulus in - octets - ED encrypted data n modulus - M message p, q prime factors of modulus - MD message digest x integer encryption block - MD' comparative message y integer encrypted data - digest - PS padding string mod n modulo n - S signature X || Y concatenation of X, Y - ||X|| length in octets of X -5. General overview - - The next six sections specify key generation, key syntax, the - encryption process, the decryption process, signature algorithms, and - object identifiers. - - Each entity shall generate a pair of keys: a public key and a private - key. The encryption process shall be performed with one of the keys - and the decryption process shall be performed with the other key. - Thus the encryption process can be either a public-key operation or a - private-key operation, and so can the decryption process. Both - processes transform an octet string to another octet string. The - processes are inverses of each other if one process uses an entity's - public key and the other process uses the same entity's private key. - - The encryption and decryption processes can implement either the - classic RSA transformations, or variations with padding. - -6. Key generation - - This section describes RSA key generation. - - Each entity shall select a positive integer e as its public exponent. - - Each entity shall privately and randomly select two distinct odd - primes p and q such that (p-1) and e have no common divisors, and - (q-1) and e have no common divisors. - - The public modulus n shall be the product of the private prime - factors p and q: - - n = pq . - - The private exponent shall be a positive integer d such that de-1 is - divisible by both p-1 and q-1. - - - -Kaliski Informational [Page 5] - -RFC 2313 PKCS #1: RSA Encryption March 1998 - - - The length of the modulus n in octets is the integer k satisfying - - 2^(8(k-1)) <= n < 2^(8k) . - - The length k of the modulus must be at least 12 octets to accommodate - the block formats in this document (see Section 8). - - Notes. - - 1. The public exponent may be standardized in - specific applications. The values 3 and F4 (65537) may have - some practical advantages, as noted in X.509 Annex C. - - 2. Some additional conditions on the choice of primes - may well be taken into account in order to deter - factorization of the modulus. These security conditions - fall outside the scope of this document. The lower bound on - the length k is to accommodate the block formats, not for - security. - -7. Key syntax - - This section gives the syntax for RSA public and private keys. - -7.1 Public-key syntax - - An RSA public key shall have ASN.1 type RSAPublicKey: - - RSAPublicKey ::= SEQUENCE { - modulus INTEGER, -- n - publicExponent INTEGER -- e } - - (This type is specified in X.509 and is retained here for - compatibility.) - - The fields of type RSAPublicKey have the following meanings: - - o modulus is the modulus n. - - o publicExponent is the public exponent e. - - - - - - - - - - - -Kaliski Informational [Page 6] - -RFC 2313 PKCS #1: RSA Encryption March 1998 - - -7.2 Private-key syntax - - An RSA private key shall have ASN.1 type RSAPrivateKey: - - RSAPrivateKey ::= SEQUENCE { - version Version, - modulus INTEGER, -- n - publicExponent INTEGER, -- e - privateExponent INTEGER, -- d - prime1 INTEGER, -- p - prime2 INTEGER, -- q - exponent1 INTEGER, -- d mod (p-1) - exponent2 INTEGER, -- d mod (q-1) - coefficient INTEGER -- (inverse of q) mod p } - - Version ::= INTEGER - - The fields of type RSAPrivateKey have the following meanings: - - o version is the version number, for compatibility - with future revisions of this document. It shall - be 0 for this version of the document. - - o modulus is the modulus n. - - o publicExponent is the public exponent e. - - o privateExponent is the private exponent d. - - o prime1 is the prime factor p of n. - - o prime2 is the prime factor q of n. - - o exponent1 is d mod (p-1). - - o exponent2 is d mod (q-1). - - o coefficient is the Chinese Remainder Theorem - coefficient q-1 mod p. - - Notes. - - 1. An RSA private key logically consists of only the - modulus n and the private exponent d. The presence of the - values p, q, d mod (p-1), d mod (p-1), and q-1 mod p is - intended for efficiency, as Quisquater and Couvreur have - shown [QC82]. A private-key syntax that does not include - - - - -Kaliski Informational [Page 7] - -RFC 2313 PKCS #1: RSA Encryption March 1998 - - - all the extra values can be converted readily to the syntax - defined here, provided the public key is known, according - to a result by Miller [Mil76]. - - 2. The presence of the public exponent e is intended - to make it straightforward to derive a public key from the - private key. - -8. Encryption process - - This section describes the RSA encryption process. - - The encryption process consists of four steps: encryption- block - formatting, octet-string-to-integer conversion, RSA computation, and - integer-to-octet-string conversion. The input to the encryption - process shall be an octet string D, the data; an integer n, the - modulus; and an integer c, the exponent. For a public-key operation, - the integer c shall be an entity's public exponent e; for a private- - key operation, it shall be an entity's private exponent d. The output - from the encryption process shall be an octet string ED, the - encrypted data. - - The length of the data D shall not be more than k-11 octets, which is - positive since the length k of the modulus is at least 12 octets. - This limitation guarantees that the length of the padding string PS - is at least eight octets, which is a security condition. - - Notes. - - 1. In typical applications of this document to - encrypt content-encryption keys and message digests, one - would have ||D|| <= 30. Thus the length of the RSA modulus - will need to be at least 328 bits (41 octets), which is - reasonable and consistent with security recommendations. - - 2. The encryption process does not provide an - explicit integrity check to facilitate error detection - should the encrypted data be corrupted in transmission. - However, the structure of the encryption block guarantees - that the probability that corruption is undetected is less - than 2-16, which is an upper bound on the probability that - a random encryption block looks like block type 02. - - 3. Application of private-key operations as defined - here to data other than an octet string containing a - message digest is not recommended and is subject to further - study. - - - - -Kaliski Informational [Page 8] - -RFC 2313 PKCS #1: RSA Encryption March 1998 - - - 4. This document may be extended to handle data of - length more than k-11 octets. - -8.1 Encryption-block formatting - - A block type BT, a padding string PS, and the data D shall be - formatted into an octet string EB, the encryption block. - - EB = 00 || BT || PS || 00 || D . (1) - - The block type BT shall be a single octet indicating the structure of - the encryption block. For this version of the document it shall have - value 00, 01, or 02. For a private- key operation, the block type - shall be 00 or 01. For a public-key operation, it shall be 02. - - The padding string PS shall consist of k-3-||D|| octets. For block - type 00, the octets shall have value 00; for block type 01, they - shall have value FF; and for block type 02, they shall be - pseudorandomly generated and nonzero. This makes the length of the - encryption block EB equal to k. - - Notes. - - 1. The leading 00 octet ensures that the encryption - block, converted to an integer, is less than the modulus. - - 2. For block type 00, the data D must begin with a - nonzero octet or have known length so that the encryption - block can be parsed unambiguously. For block types 01 and - 02, the encryption block can be parsed unambiguously since - the padding string PS contains no octets with value 00 and - the padding string is separated from the data D by an octet - with value 00. - - 3. Block type 01 is recommended for private-key - operations. Block type 01 has the property that the - encryption block, converted to an integer, is guaranteed to - be large, which prevents certain attacks of the kind - proposed by Desmedt and Odlyzko [DO86]. - - 4. Block types 01 and 02 are compatible with PEM RSA - encryption of content-encryption keys and message digests - as described in RFC 1423. - - - - - - - - -Kaliski Informational [Page 9] - -RFC 2313 PKCS #1: RSA Encryption March 1998 - - - 5. For block type 02, it is recommended that the - pseudorandom octets be generated independently for each - encryption process, especially if the same data is input to - more than one encryption process. Hastad's results [Has88] - motivate this recommendation. - - 6. For block type 02, the padding string is at least - eight octets long, which is a security condition for - public-key operations that prevents an attacker from - recoving data by trying all possible encryption blocks. For - simplicity, the minimum length is the same for block type - 01. - - 7. This document may be extended in the future to - include other block types. - -8.2 Octet-string-to-integer conversion - - The encryption block EB shall be converted to an integer x, the - integer encryption block. Let EB1, ..., EBk be the octets of EB from - first to last. Then the integer x shall satisfy - - k - x = SUM 2^(8(k-i)) EBi . (2) - i = 1 - - In other words, the first octet of EB has the most significance in - the integer and the last octet of EB has the least significance. - - Note. The integer encryption block x satisfies 0 <= x < n since EB1 - = 00 and 2^(8(k-1)) <= n. - -8.3 RSA computation - - The integer encryption block x shall be raised to the power c modulo - n to give an integer y, the integer encrypted data. - - y = x^c mod n, 0 <= y < n . - - This is the classic RSA computation. - -8.4 Integer-to-octet-string conversion - - The integer encrypted data y shall be converted to an octet string ED - of length k, the encrypted data. The encrypted data ED shall satisfy - - - - - - -Kaliski Informational [Page 10] - -RFC 2313 PKCS #1: RSA Encryption March 1998 - - - k - y = SUM 2^(8(k-i)) EDi . (3) - i = 1 - - where ED1, ..., EDk are the octets of ED from first to last. - - In other words, the first octet of ED has the most significance in - the integer and the last octet of ED has the least significance. - -9. Decryption process - - This section describes the RSA decryption process. - - The decryption process consists of four steps: octet-string-to- - integer conversion, RSA computation, integer-to-octet-string - conversion, and encryption-block parsing. The input to the decryption - process shall be an octet string ED, the encrypted data; an integer - n, the modulus; and an integer c, the exponent. For a public-key - operation, the integer c shall be an entity's public exponent e; for - a private-key operation, it shall be an entity's private exponent d. - The output from the decryption process shall be an octet string D, - the data. - - It is an error if the length of the encrypted data ED is not k. - - For brevity, the decryption process is described in terms of the - encryption process. - -9.1 Octet-string-to-integer conversion - - The encrypted data ED shall be converted to an integer y, the integer - encrypted data, according to Equation (3). - - It is an error if the integer encrypted data y does not satisfy 0 <= - y < n. - -9.2 RSA computation - - The integer encrypted data y shall be raised to the power c modulo n - to give an integer x, the integer encryption block. - - x = y^c mod n, 0 <= x < n . - - This is the classic RSA computation. - - - - - - - -Kaliski Informational [Page 11] - -RFC 2313 PKCS #1: RSA Encryption March 1998 - - -9.3 Integer-to-octet-string conversion - - The integer encryption block x shall be converted to an octet string - EB of length k, the encryption block, according to Equation (2). - -9.4 Encryption-block parsing - - The encryption block EB shall be parsed into a block type BT, a - padding string PS, and the data D according to Equation (1). - - It is an error if any of the following conditions occurs: - - o The encryption block EB cannot be parsed - unambiguously (see notes to Section 8.1). - - o The padding string PS consists of fewer than eight - octets, or is inconsistent with the block type BT. - - o The decryption process is a public-key operation - and the block type BT is not 00 or 01, or the decryption - process is a private-key operation and the block type is - not 02. - -10. Signature algorithms - - This section defines three signature algorithms based on the RSA - encryption process described in Sections 8 and 9. The intended use of - the signature algorithms is in signing X.509/PEM certificates and - certificate-revocation lists, PKCS #6 extended certificates, and - other objects employing digital signatures such as X.401 message - tokens. The algorithms are not intended for use in constructing - digital signatures in PKCS #7. The first signature algorithm - (informally, "MD2 with RSA") combines the MD2 message-digest - algorithm with RSA, the second (informally, "MD4 with RSA") combines - the MD4 message-digest algorithm with RSA, and the third (informally, - "MD5 with RSA") combines the MD5 message-digest algorithm with RSA. - - This section describes the signature process and the verification - process for the two algorithms. The "selected" message-digest - algorithm shall be either MD2 or MD5, depending on the signature - algorithm. The signature process shall be performed with an entity's - private key and the verification process shall be performed with an - entity's public key. The signature process transforms an octet string - (the message) to a bit string (the signature); the verification - process determines whether a bit string (the signature) is the - signature of an octet string (the message). - - - - - -Kaliski Informational [Page 12] - -RFC 2313 PKCS #1: RSA Encryption March 1998 - - - Note. The only difference between the signature algorithms defined - here and one of the the methods by which signatures (encrypted - message digests) are constructed in PKCS #7 is that signatures here - are represented here as bit strings, for consistency with the X.509 - SIGNED macro. In PKCS #7 encrypted message digests are octet strings. - -10.1 Signature process - - The signature process consists of four steps: message digesting, data - encoding, RSA encryption, and octet-string-to-bit-string conversion. - The input to the signature process shall be an octet string M, the - message; and a signer's private key. The output from the signature - process shall be a bit string S, the signature. - -10.1.1 Message digesting - - The message M shall be digested with the selected message- digest - algorithm to give an octet string MD, the message digest. - -10.1.2 Data encoding - - The message digest MD and a message-digest algorithm identifier shall - be combined into an ASN.1 value of type DigestInfo, described below, - which shall be BER-encoded to give an octet string D, the data. - - DigestInfo ::= SEQUENCE { - digestAlgorithm DigestAlgorithmIdentifier, - digest Digest } - - DigestAlgorithmIdentifier ::= AlgorithmIdentifier - - Digest ::= OCTET STRING - - The fields of type DigestInfo have the following meanings: - - o digestAlgorithm identifies the message-digest - algorithm (and any associated parameters). For - this application, it should identify the selected - message-digest algorithm, MD2, MD4 or MD5. For - reference, the relevant object identifiers are the - following: - - - - - - - - - - -Kaliski Informational [Page 13] - -RFC 2313 PKCS #1: RSA Encryption March 1998 - - - md2 OBJECT IDENTIFIER ::= - - { iso(1) member-body(2) US(840) rsadsi(113549) - digestAlgorithm(2) 2 } md4 OBJECT IDENTIFIER ::= - { iso(1) member-body(2) US(840) rsadsi(113549) - digestAlgorithm(2) 4 } md5 OBJECT IDENTIFIER ::= - { iso(1) member-body(2) US(840) rsadsi(113549) - digestAlgorithm(2) 5 } - - For these object identifiers, the parameters field of the - digestAlgorithm value should be NULL. - - o digest is the result of the message-digesting - process, i.e., the message digest MD. - - Notes. - - 1. A message-digest algorithm identifier is included - in the DigestInfo value to limit the damage resulting from - the compromise of one message-digest algorithm. For - instance, suppose an adversary were able to find messages - with a given MD2 message digest. That adversary might try - to forge a signature on a message by finding an innocuous- - looking message with the same MD2 message digest, and - coercing a signer to sign the innocuous-looking message. - This attack would succeed only if the signer used MD2. If - the DigestInfo value contained only the message digest, - however, an adversary could attack signers that use any - message digest. - - 2. Although it may be claimed that the use of a - SEQUENCE type violates the literal statement in the X.509 - SIGNED and SIGNATURE macros that a signature is an - ENCRYPTED OCTET STRING (as opposed to ENCRYPTED SEQUENCE), - such a literal interpretation need not be required, as - I'Anson and Mitchell point out [IM90]. - - 3. No reason is known that MD4 would not be - for very high security digital signature schemes, but - because MD4 was designed to be exceptionally fast, it is - "at the edge" in terms of risking successful cryptanalytic - attack. A message-digest algorithm can be considered - "broken" if someone can find a collision: two messages with - the same digest. While collisions have been found in - variants of MD4 with only two digesting "rounds" - - - - - - -Kaliski Informational [Page 14] - -RFC 2313 PKCS #1: RSA Encryption March 1998 - - - [Mer90][dBB92], none have been found in MD4 itself, which - has three rounds. After further critical review, it may be - appropriate to consider MD4 for very high security - applications. - - MD5, which has four rounds and is proportionally slower - than MD4, is recommended until the completion of MD4's - review. The reported "pseudocollisions" in MD5's internal - compression function [dBB93] do not appear to have any - practical impact on MD5's security. - - MD2, the slowest of the three, has the most conservative - design. No attacks on MD2 have been published. - -10.1.3 RSA encryption - - The data D shall be encrypted with the signer's RSA private key as - described in Section 7 to give an octet string ED, the encrypted - data. The block type shall be 01. (See Section 8.1.) - -10.1.4 Octet-string-to-bit-string conversion - - The encrypted data ED shall be converted into a bit string S, the - signature. Specifically, the most significant bit of the first octet - of the encrypted data shall become the first bit of the signature, - and so on through the least significant bit of the last octet of the - encrypted data, which shall become the last bit of the signature. - - Note. The length in bits of the signature S is a multiple of eight. - -10.2 Verification process - - The verification process for both signature algorithms consists of - four steps: bit-string-to-octet-string conversion, RSA decryption, - data decoding, and message digesting and comparison. The input to the - verification process shall be an octet string M, the message; a - signer's public key; and a bit string S, the signature. The output - from the verification process shall be an indication of success or - failure. - -10.2.1 Bit-string-to-octet-string conversion - - The signature S shall be converted into an octet string ED, the - encrypted data. Specifically, assuming that the length in bits of the - signature S is a multiple of eight, the first bit of the signature - shall become the most significant bit of the first octet of the - - - - - -Kaliski Informational [Page 15] - -RFC 2313 PKCS #1: RSA Encryption March 1998 - - - encrypted data, and so on through the last bit of the signature, - which shall become the least significant bit of the last octet of the - encrypted data. - - It is an error if the length in bits of the signature S is not a - multiple of eight. - -10.2.2 RSA decryption - - The encrypted data ED shall be decrypted with the signer's RSA public - key as described in Section 8 to give an octet string D, the data. - - It is an error if the block type recovered in the decryption process - is not 01. (See Section 9.4.) - -10.2.3 Data decoding - - The data D shall be BER-decoded to give an ASN.1 value of type - DigestInfo, which shall be separated into a message digest MD and a - message-digest algorithm identifier. The message-digest algorithm - identifier shall determine the "selected" message-digest algorithm - for the next step. - - It is an error if the message-digest algorithm identifier does not - identify the MD2, MD4 or MD5 message-digest algorithm. - -10.2.4 Message digesting and comparison - - The message M shall be digested with the selected message-digest - algorithm to give an octet string MD', the comparative message - digest. The verification process shall succeed if the comparative - message digest MD' is the same as the message digest MD, and the - verification process shall fail otherwise. - -11. Object identifiers - - This document defines five object identifiers: pkcs-1, rsaEncryption, - md2WithRSAEncryption, md4WithRSAEncryption, and md5WithRSAEncryption. - - The object identifier pkcs-1 identifies this document. - - pkcs-1 OBJECT IDENTIFIER ::= - - { iso(1) member-body(2) US(840) rsadsi(113549) - pkcs(1) 1 } - - - - - - -Kaliski Informational [Page 16] - -RFC 2313 PKCS #1: RSA Encryption March 1998 - - - The object identifier rsaEncryption identifies RSA public and private - keys as defined in Section 7 and the RSA encryption and decryption - processes defined in Sections 8 and 9. - - rsaEncryption OBJECT IDENTIFIER ::= { pkcs-1 1 } - - The rsaEncryption object identifier is intended to be used in the - algorithm field of a value of type AlgorithmIdentifier. The - parameters field of that type, which has the algorithm-specific - syntax ANY DEFINED BY algorithm, would have ASN.1 type NULL for this - algorithm. - - The object identifiers md2WithRSAEncryption, md4WithRSAEncryption, - md5WithRSAEncryption, identify, respectively, the "MD2 with RSA," - "MD4 with RSA," and "MD5 with RSA" signature and verification - processes defined in Section 10. - - md2WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 2 } - md4WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 3 } - md5WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 4 } - - These object identifiers are intended to be used in the algorithm - field of a value of type AlgorithmIdentifier. The parameters field of - that type, which has the algorithm-specific syntax ANY DEFINED BY - algorithm, would have ASN.1 type NULL for these algorithms. - - Note. X.509's object identifier rsa also identifies RSA public keys - as defined in Section 7, but does not identify private keys, and - identifies different encryption and decryption processes. It is - expected that some applications will identify public keys by rsa. - Such public keys are compatible with this document; an rsaEncryption - process under an rsa public key is the same as the rsaEncryption - process under an rsaEncryption public key. - -Security Considerations - - Security issues are discussed throughout this memo. - -Revision history - - Versions 1.0-1.3 - - Versions 1.0-1.3 were distributed to participants in RSA Data - Security, Inc.'s Public-Key Cryptography Standards meetings in - February and March 1991. - - - - - - -Kaliski Informational [Page 17] - -RFC 2313 PKCS #1: RSA Encryption March 1998 - - - Version 1.4 - - Version 1.4 is part of the June 3, 1991 initial public release of - PKCS. Version 1.4 was published as NIST/OSI Implementors' Workshop - document SEC-SIG-91-18. - - Version 1.5 - - Version 1.5 incorporates several editorial changes, including updates - to the references and the addition of a revision history. The - following substantive changes were made: - - o Section 10: "MD4 with RSA" signature and - verification processes are added. - - o Section 11: md4WithRSAEncryption object identifier - is added. - - Supersedes June 3, 1991 version, which was also published as NIST/OSI - Implementors' Workshop document SEC-SIG-91-18. - -Acknowledgements - - This document is based on a contribution of RSA Laboratories, a - division of RSA Data Security, Inc. Any substantial use of the text - from this document must acknowledge RSA Data Security, Inc. RSA Data - Security, Inc. requests that all material mentioning or referencing - this document identify this as "RSA Data Security, Inc. PKCS #1". - -Author's Address - - Burt Kaliski - RSA Laboratories East - 20 Crosby Drive - Bedford, MA 01730 - - Phone: (617) 687-7000 - EMail: burt@rsa.com - - - - - - - - - - - - - -Kaliski Informational [Page 18] - -RFC 2313 PKCS #1: RSA Encryption March 1998 - - -Full Copyright Statement - - Copyright (C) The Internet Society (1998). All Rights Reserved. - - This document and translations of it may be copied and furnished to - others, and derivative works that comment on or otherwise explain it - or assist in its implementation may be prepared, copied, published - and distributed, in whole or in part, without restriction of any - kind, provided that the above copyright notice and this paragraph are - included on all such copies and derivative works. However, this - document itself may not be modified in any way, such as by removing - the copyright notice or references to the Internet Society or other - Internet organizations, except as needed for the purpose of - developing Internet standards in which case the procedures for - copyrights defined in the Internet Standards process must be - followed, or as required to translate it into languages other than - English. - - The limited permissions granted above are perpetual and will not be - revoked by the Internet Society or its successors or assigns. - - This document and the information contained herein is provided on an - "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING - TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING - BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION - HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF - MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. - - - - - - - - - - - - - - - - - - - - - - - - -Kaliski Informational [Page 19] - |