PKCS #1: RSA encrypted version 1.5

Organized by: China Interactive publishing network (http://www.china-pub.com/) RFC documentation Chinese translation program (http://www.china-pub.com/compters/emook/aboutemook.htm) E-mail: ouyang@china-pub.com Translator: Xu Zijun (happygogo happygogo@sina.com) Translated by: Copyright: the copyright of this Chinese translation document belongs to the China Interactive publishing network. This document can be freely reproduced for non-commercial purposes, but the translation and copyright information of this document must be kept. Network Working Group B. kaliskirequest for comments: 2313 RSA Laboratories eastcategory: informational March 1998 PKCS #1: RSA encrypted version 1.5 Status of this memorandum this Memorandum provides information for the Internet community. It does not describe any Internet standard. The publication of this memorandum is unrestricted. Copyright Disclaimer Copyright (c) the Internet Society (1998). All rights reserved. This article describes how to encrypt data using the RSA public key and password system. Directory 1, range 22, reference 23, Definition 44, logo and abbreviation 55, Overview 56, key generation 57, key syntax 67.1 Public Key syntax 67.2 Private Key syntax 68, encryption process 78.1 Encryption block formatting 78.2 8-byte string to Integer Conversion 88.3 RSA calculation 88.4 integer to byte String Conversion 99 decryption process 99.1 byte string to Integer Conversion 99.2 RSA calculation 99.3 integer to byte String Conversion 99.4 encryption block resolution 1010, signature algorithm 1010.1 signature process 1010.2 verification process 1211, object identifier 13 security considerations 14 Revision 14 Record 14 thanks 14 author address 14 Copyright Disclaimer 151, range this article describes how to Use the RSA public key cryptography system to encrypt data. This will be used as a digital signature and a digital envelope, which is described in PKCS #7 :? Digital signature: the signature content is first reduced to a message hash by the message hash algorithm (such as MD5), and then encrypted with the RSA private key of the signatory to contain the message hash string. The original text and the encrypted message hash form a digital signature that complies with the syntax in PKCS #7. This application is compatible with PEM .? Digital envelope: first, use the content encryption key of the envelop to encrypt the content using a content encryption algorithm (such as des), and then use the RSA public key of the recipient to encrypt the content encryption key. The encrypted content and the Encrypted Key form a digital envelope that complies with the syntax in PKCS #7. This application is compatible with PEM. This document also describes the syntax for an RSA public key and private key. The Public Key syntax is used for certificates. The private key syntax is used for private key information in PKCS #8. The Public Key syntax is identical in X.509 and PEM. In this way, the X.509/pem rsa key can be used in this article. This document also defines three signature algorithms used to sign X.509/PEM certificates and CRL, PKCS #6 extended certificates, and other objects that use digital signatures (for example, x.401 message tag ). The details about message hashes and content encryption algorithms do not fall within the scope of this document, and the sources of false random bits required by this document are not included in this document. 2. See FIPS pub 46-1 National Bureau of Standards. FIPS pub 46-1: Data Encryption Standard. january 1988. PKCS #6 RSA Laboratories. PKCS #6: Extended-certificate syntax. version 1.5, November 1993. PKCS #7 RSA Laboratories. PKCS #7: cryptographic message syntax. version 1.5, November 1993. PKCS #8 RSA Laboratories. PKCS #8: private-key information syntax. version 1.2, November 1993. RFC 1319 kaliski, B ., "The md2 message-Digest algorithm," RFC 1319, limit l 1992. RFC 1320 Rivest, R ., "The md4 message-Digest algorithm," RFC 1320, limit l 1992. RFC 1321 Rivest, R ., "the MD5 message-Digest algorithm," RFC 1321, limit l 1992. RFC 1423 balenson, D ., "Privacy Enhancement for Internet electronic mail: Part III: algorithms, modes, and identifiers," RFC 1423, February 1993. x.208 CCITT. recommendation x.208: Specification of Abstract Syntax Notation One (ASN.1 ). 1988. x.209 CCITT. recommendation x.209: Specification of Basic Encoding Rules for Abstract Syntax Notation One (ASN.1 ). 1988. x.411 CCITT. recommendation x.411: Message Handling Systems: Message Transfer System: Abstract Service Definition and procedures.1988. X.509 CCITT. recommendation X.509: the directory -- authentication framework. 1988. [Dbb92] B. den Boer and. bosselers. an attack on the last two rounds of md4. in J. feigenbaum, editor, advances in cryptology --- crypto '91 proceedings, Volume 576 of lecture notes in computer science, pages 194-203. springer-Verlag, New York, 1992. [dbb93] B. den Boer and. bosselers. collisions for the compression function of MD5. presented at eurocrypt '93 (lofthus, Norway, May 24-27,199 3 ). [do86] Y. desmedt and a.m. odlyzko. A chosen text attack on the RSA Cryptosystem and some discrete logarithm schemes. in h.c. williams, editor, advances in cryptology --- crypto '85 proceedings, Volume 218 of lecture notes in computer science, pages 516-521. springer-Verlag, New York, 1986. [has88] Johan hastad. solving simultaneous modular equations. siam Journal on computing, 17 (2): 336-341, AP RIL 1988. [im90] Colin I 'anson and Chris Mitchell. security defects in CCITT Recommendation X.509 -- the directory authentication framework. computer Communications Review,: 30-34, 0000l 1990. [mer90] r.c. merkle. note on md4. unpublished manuscript, 1990. [mil76] G. l. miller. riemann's hypothesis and tests for primality. journal of computer and systems sciences, 13 (3): 300-307,197 6. [qc82] J.-J. qu Isquater and C. couvreur. fast decipherment Algorithm for RSA Public-key cryptosystem. electronics letters, 18 (21): 905-907, October 1982. [rsa78] r. l. rivest,. shamir, and L. adleman. A method for obtaining digital signatures and public-key cryptosystems. communications of the ACM, 21 (2): 120-126, February 1978.3. definitions used for the purpose of this document. Algorithm identifier: defines the type of an algorithm and related parameters through the object identifier, which is defined in X.509. ASN.1: Abstract Syntax mark 1, defined in x.208. Ber: Basic Encoding Rules, defined in x.209. Des: Data Encryption Standard, defined in FIPS pub 46-1. Md2: The md2 message hashing algorithm of RSA Data Security, inc., which is defined in RFC 1319. Md4: The md4 message hashing algorithm of RSA Data Security, inc., which is defined in RFC 1320. MD5: MD5 message hash algorithm of RSA Data Security, inc., which is defined in RFC 1321. Modulus (modulus): an integer formed by two prime numbers. PEM: Private encrypted Internet mail, which is defined in RFC 1423 and related documents. RSA: The RSA public key cryptography system, which is defined in [rsa78. Private Key: module and private index. Public Key: module and public index. 4. uppercase and abbreviation signs (for example, BT) indicate strings and bits (for signature S), and lowercase signs (for example, c) Indicate integers. AB hexadecimal 8-bit group value c Index BT block type D private index D data e public index EB eight-bit group length of block K modulus to be encrypted ed encrypted data N Modulus m message P, Q module prime number composition MD message hash x integer messages to be encrypted block md' compared message hash y integer encrypted data PS fill string mod n Mode n s signature X | Y x, y-level connection | x | X-byte length 5. The following six chapters detail key generation, key syntax, encryption process, and decryption process, the signature algorithm and object identifier. Each entity must generate a pair of keys: public key and private key. The encryption process requires one key, and the decryption process requires another key. Therefore, the decryption process is the same as that of a public key or a private key. Both processes convert an 8-bit string to another 8-Bit String. These two processes are opposite each other. If one process uses the public key of an entity, the other process uses the private key of the same entity. Encryption and decryption can either achieve a typical RSA conversion or implement a fill transformation. 6. Key Generation This chapter describes RSA key generation. Each entity must select a positive integer e as its public index. Each entity requires a private random selection of two different odd prime numbers p and q, so that E and P-1) * (q-1) are mutually Prime. The public modulus n is the product of a private prime number p and q: N = p * q. The private exponent is a positive integer d so that the D * E-1 can be divisible by P-1) * (q-1. The length of N is k, and K is 2 ^ (8 (k-1) <= n <2 ^ (8 K ). The module length k must be at least 12 bytes to adapt to the block format in this document (see Chapter 8th ). Note: (1) Public modules can be standardized in special applications. In appendix C of X.509, it is mentioned that using 3 or 65537 may have some practical advantages. (2) In order to make the factorization of modulus n more difficult, some additional conditions for selecting prime numbers can be considered. These security assurance conditions are beyond the scope of this document. The minimum length of K is to adapt to the block format, not to ensure security. 7. Key syntax This chapter provides the RSA public key and private key syntax 7.1 Public Key syntax an RSA public key must have ASN.1 rsapublickey type: rsapublickey ::= sequence {modulus integer, -- N publicexponent integer -- e} (this type is defined in X.509 and is retained here for compatibility .) Rsapublickey fields have the following meanings: modulus is the modulus n, and publicexponent is the public index E. 7.2 Private Key syntax an RSA private key has an ASN.1 rsw.vatekey type: rsw.vatekey :::= sequence {version, modulus integer, -- N publicexponent integer, -- e privateexponent integer, -- d prime1 integer, -- p prime2 integer, -- q exponent1 integer, -- d Mod (p-1) exponent2 integer, -- d Mod (q-1) coefficient integer -- (inverse of Q) mod p} version: = Fields of the integerrsw.vatekey type have the following meanings :? Version is a version that is compatible with future changes to this document. To adapt to the version of this document, it should be 0 ;? Modulus is modulus n ;? Publicexponent is the public index E ;? Privateexponent is a private index D ;? Prime1 is a prime number p that forms the modulus n ;? Prime2 is a prime number of modulo n. Q ;? Exponent1 is d Mod (p-1 );? Exponent2 is d Mod (q-1 );? Coefficient is the coefficient q-1 mod P in China residual theory. Note: (1) an RSA private key logically contains only a modulus n and a private index D. The appearance of p, q, d Mod (P-1), d Mod (PM) and q-1 mod P is to improve efficiency, as quisquater and Couvreur are shown in [qc82. If the public key is known, according to Miller [mil76] results, a private key syntax that does not contain other values is easily converted into the syntax defined here. (2) The emergence of Public index e is to easily obtain the public key from the private key. 8. encryption process This chapter describes the encryption process of RSA. The encryption process consists of four steps: encryption block formatting, 8-bit string to Integer Conversion, RSA calculation, integer to 8-Bit String Conversion. The input value of the encryption process is an 8-bit data string, with a modulus of N and an exponential of C. For public key operations, integer c is the public index e of the entity; for private key operations, integer c is the private index D of the entity. The output of the encryption process is the encrypted data, an 8-Bit String ed. The length of data D should not be longer than the K-11's 8-bit bytes, it must be a positive number, because the length of the modulus K is at least 12 8-bit bytes. This restriction ensures that the length of the Padding string PS is at least 8 bytes, which is a security measure. Note: (1) In this document's typical application of encryption key and message hash, | D |||<= 30. In this way, the length of the RSA modulus must be at least 328 bits (41 8 bits), which is reasonable and consistent with the security recommendations. (2) If the encrypted data is damaged during transmission, the encryption process does not provide an external integrity check to assist in error detection. However, the structure of the encrypted block ensures that the possibility of damage not detected is less than 2-16, which is the upper limit of the possibility of a random encrypted block looking like type 2. (3) It is not recommended to use the private key operation for data that contains an 8-bit byte string in addition to a message hash. More research is required. (4) This document can be extended to control length longer than the K-11 of an 8-bit byte string 8.1 encrypted block formatting the encrypted block is an 8-bit byte string EB, marked by blocks BT, fill block PS and data D. EB = 00 | BT | PS | 00 | D (1) block mark bt is a mark byte, indicating the structure of the encrypted block. For this document version, it has a value of or 02. The private key operation is 00, or 01; the public key operation is 02. Fill string PS is K-3-| d | long 8-byte string. For the 00 type, the fill string is 00; for the 01 type, the fill string is ff; for the 02 type, the fill string is a non-0 value generated by the false hash. This makes the size of the encrypted block eb k. Note: (1) the starting 00 value bytes ensure that the encrypted block converted to an integer is smaller than the modulus. (2) For the 00 type, data d must start with a non-0 byte, or must know the length, so that the encrypted block can be clearly parsed. For the 01 and 02 types, the encrypted block can be clearly parsed because the filled block PS does not contain the 00 value bytes, which can be separated by a 00 value byte from the data D. (3) type 01 is recommended as the private key operation flag. Type 01 has the high performance of encrypting blocks into integers, which can prevent some attacks recommended by desmedt and odlyzko [do86. (4) 01 and 02 are compatible with the content encryption key and message hash encryption of pem rsa described in rfc1423. (5) For the 02 type, it is recommended that the hash bytes be generated independently for each encryption process, especially if the same data is input more than one encryption process. The result of hastad [has88] promotes this suggestion. (6) For the 02 type, the filling string must be at least 8 bytes long. This is a security measure for Public Key operations. To prevent attackers from testing all possible encrypted blocks to restore data. Similarly, the minimum length of the 01 type is the same. (7) This document can be expanded to include other types in the future. The 8.2 8-byte string to Integer Conversion encryption block EB needs to be converted into an integer x, that is, an integer encryption block. Let eb1,... and ebk form an EB byte string from start to end. Then the integer x must satisfy the following conditions: k x = sum 2 ^ (8 (k-I) Ebi (2) I = 1, the first byte of EB is the most significant in integers, And the last byte is the least important. Note: Because eb1 = 00 and 2 ^ (8 (k-1) <= N, the integer encrypted block x meets 0 <= x <n. 8.3 RSA needs to calculate integer encrypted block X by the power of C, modulo n, and finally be assigned to integer y, that is, the integer is encrypted data. Y = x ^ C mod N, 0 <= Y <n is a typical RSA computing. The converted integer from 8.4 to byte string is encrypted data. y needs to be converted into an 8-byte string of K, that is, encrypted data. Encrypted data should meet the following requirements: k y = sum 2 ^ (8 (k-I) EDI (3) I = 1 here ED1 ,..., EDK is composed of byte strings of Ed. In other words, the first byte of ED is the most important in the integer, And the last byte of ED is the least important. 9. decryption process This chapter describes the RSA decryption process. The decryption process consists of four steps: byte string to Integer Conversion, RSA calculation, integer to byte String Conversion, and encryption block resolution. The input in the decryption process is an eight-byte string of Ed, that is, encrypted data; modulus n; exponent c. For a public key operation, integer c is the public index e of an entity; for a private key operation, integer c is the private index D of an entity. The output of the decryption process is an 8-byte string D, that is, the original data. If the length of the encrypted data Ed is not K, it is an error. In short, the decryption process is described based on the encryption process. 9.1 bytes string to Integer Conversion encrypted data ed according to equation (3) is converted to integer encrypted data y. If the integer encrypted data does not meet 0 <= Y <n, it is an error. 9.2 When RSA calculates the integer encrypted data, y needs to be obtained by the power of C, modulo n, and finally be assigned to integer x, that is, the integer needs to be encrypted. X = y ^ C mod N, 0 <= x <n is a typical RSA computing. To convert an integer from 9.3 to a byte string, encrypt the block X into an 8-byte EB string of K according to equation (2), that is, encrypt the block. 9.4 encryption block resolution requires that the encrypted block EB be parsed into a data block consisting of block mark BT, fill block PS and data d according to equation (1. If any of the following conditions occurs, it is an error :? Encryption blocks cannot be clearly parsed (see note in section 8.1 ).? The Padding string is less than 8 bytes in PS or does not match the block mark Bt .? The decryption process is a public key operation process. The block mark cannot be 00 or 01; or the decryption process is a private key operation process, and the block mark cannot be 02. 10. Signature algorithms this chapter defines three signature algorithms based on the RSA encryption process described in Chapter 8th and chapter 9. The signature algorithm is mainly used to sign X.509/PEM certificates, CRL, PKCS #6 extended certificates, and other objects that use digital signatures, such as x.401 message ring. The algorithm is not specifically used to construct a digital signature for PKCS #7. The first signature algorithm combines the md2 hash algorithm with RSA (md2 with RSA); the second signature algorithm combines the md4 hash algorithm with RSA (md4 with RSA ); the Third signature algorithm combines the MD5 hash algorithm with RSA (MD5 with RSA ). This section describes the signature and verification processes of the two algorithms. The selected hash algorithm depends on the signature algorithm, md2 or MD5. The signature process uses the private key of an entity, while the verification process uses the public key of an entity. The signing process converts an eight-byte string (Message) into a one-bit string (signature). The verification process checks whether a single-byte string (Signature) is an eight-bit byte string (Message). Note: The only difference between the signature algorithm defined here and the method for building a signature in PKCS #7 (encrypting message hashes) is that the signature here is represented by a bit string, this is consistent with the X.509 signed macro. In PKCS #7, the encrypted message hash is an 8-bit byte string. 10.1 The signing process consists of four steps: message hash, data encoding, RSA encryption, and 8-byte String Conversion. The input of the signature process is an 8-byte string M, that is, the message. The private key of the signatory. The output is a single-digit string, namely, signature. 10.1.1 message hash use the selected message hash algorithm to Hash Message M. an eight-byte string MD is obtained, that is, message hash. 10.1.2 the data encoding message hash MD and the message hash algorithm identifier constitute the value of the ASN.1 type digestinfo described below. This type is generated into an 8-byte string d by means of BER encoding, that is, raw data. Digestinfo ::= sequence {digestalgorithm digest, digest} digestalgorithmidentifier ::= algorithmidentifierdigest ::= octet string type digestinfo domain has the following meanings :? Digestalgorithm indicates the algorithm used for hash (and related parameters ). For an application, it identifies the selected hash algorithm, md2, md4, or MD5. For reference, the following is the related object identifier: md2 object identifier ::={ ISO (1) member-body (2) US (840) rsadsi (113549) digestalgorithm (2) 2} md4 object identifier: = {ISO (1) member-body (2) US (840) rsadsi (113549) digestalgorithm (2) 4} MD5 object identifier :: = {ISO (1) member-body (2) US (840) rsadsi (113549) digestalgorithm (2) 5} for these object identifiers, the parameter field of the hash algorithm is null .? Digest is the result of the message hash process, for example, message hash Md. Note: 1. The digestinfo value contains a message hash algorithm identifier, which is used to limit the damage caused by data compression using the message hash algorithm. For example, if an attacker can find a message with a given md2 message hash, he can find a message with the same md2 hash, and forced the signatory to sign the seemingly harmless message to forge the message signature. This attack method succeeds only when the md2 hashing algorithm is used. If the digestinfo value only includes message hash, attackers can attack the signer using any message hash. 2. although the sequence type is used against the written statement of an encrypted octet string in the X.509 signed and signature macros, as stated by I 'anson and Mitchell in [im90, such written clarification is not required. 3. There is no reason to say that md4 is not a secure digital signature scheme, but because md4 is designed very quickly, it is at risk of being attacked successfully. If someone finds a conflict between two messages with the same hash, this hash algorithm can be considered broken ). When a conflict is found in the md4 variant with only two hash loops [mer90] [dbb92], there is no conflict in the md4 with three hash loops. After further research, we can think that md4 has high security. MD5 has four hash loops, which are slower than md4. Before md4 was studied, it was recommended. The false conflicts in the MD5 compression function [dbb93] have no actual security impact. Md2 is the slowest of The Three. It has the most conservative design, and no attacks against md2. 10.1.3 RSA encryption: As described in Chapter 7th, the RSA private key of D is encrypted to generate an eight-byte string Ed, that is, the encrypted data. The block is marked as 01 (see section 8.1 ). 10.1.4 encryption data for converting an 8-Bit String into a put string Ed is converted into a single string s, that is, signature. Specifically, the first byte of the encrypted data becomes the first data bit of the signature, and so on until the last byte of the encrypted data, it will become the last data bit of the signature. Note: The bit length of the signature S is a multiple of 8. 10.2 The verification process consists of four steps: Bit-to-byte String Conversion, RSA decryption, data decoding, message hashing, and comparison. The input in the verification process is the byte string M, namely the message, the public key of the signatory, and the bit string s, that is, the signature. The output is the mark number indicating the verification is successful or failed. 10.2.1 The conversion signature s from a byte string to a byte string is converted to a byte string Ed, that is, encrypted data. Specifically, if the bit length of S is a multiple of 8, the first byte of S will become the first byte of the byte string, and so on, until the last bit of the signature is the last byte of the byte string. If the length of the signature bit is not a multiple of 8, it is an error. 10.2.2 RSA decryption, as described in section 8th, uses the signatory's public key to decrypt the encrypted data Ed and obtains the byte string D, that is, the original data. If the block tag bit restored during decryption is not 01, it is incorrect (see section 9.4 ). 10.2.3 The original data D will be decoded as the ASN.1 value of digestinfo type by Ber. This value is divided into message hash MD and message hash algorithm identifier. The message hashing algorithm identifier determines the message hashing algorithm selected in the next step. If the message hashing algorithm identifier is not md2, md4, or MD5, it is an error. 10.2.4 message hashes and comparisons use the selected message hashes algorithm to hashes message m to obtain the byte string md', which is to be compared. If the mds' and MD are the same, the verification is successful. Otherwise, the verification fails. 11. Object Identifiers This document defines five object identifiers: pkcs-1, rsaencryption, md2withrsaencryption, md4withrsaencryption, and md5withrsaencryption. The object identifier pkcs-1 is equivalent to this document. Pkcs-1 object identifier: = {ISO (1) member-body (2) US (840) rsadsi (113549) PKCS (1) 1} the object identifier rsaencryption is equivalent to the RSA Public/Private Key defined in section 7th and the RSA encryption/decryption process defined in Chapter 8th and 9. Rsaencryption object identifier: = {pkcs-1 1} rsaencryption object identifier is used as a value for the algorithm domain of the algorithmidentifier type. The parameters field of this type has the algorithm-specific syntax any defined by algorithm. In the rsaencryption algorithm, its value is null. The object identifiers md2withrsaencryption, md4withrsaencryption, and md5withrsaencryption indicate the md2 with RSA, md4 with RSA, and MD5 with RSA signature and verification processes defined in section 10th. Md2withrsaencryption object identifier ::={ pkcs-1 2} md4withrsaencryption object identifier ::={ pkcs-1 3} md5withrsaencryption object identifier :: = {pkcs-1 4} These object identifiers are used for a value in the algorithm field of the algorithmidentifier type. The parameters field of this type has the algorithm-specific syntax any defined by algorithm, and its value is null among the three algorithms. Note: The object identifier RSA of X.509 also indicates the RSA public key defined in section 7th, but not the private key and different encryption/Decryption processes. Some applications expect to authenticate the RSA public key. These public keys are compatible with this document. The rsaencryption process using the RSA public key is equivalent to the rsaencryption process using the rsaencryption public key. Security considerations are discussed in this memorandum. Revision History version 1.0-1.3 this version was distributed to participants at RSA Data Security, Inc. Public-key cryptography standards meetings on July 15, 1991 and. Version 1.4 is part of the first public release of PKcs in 1991.6.3 and is issued as a workgroup document SEC-SIG-91-18 for NIST/OSI implementors. Version 1.5 includes several changes, including reference updates and revision records. Which of the following are the major changes :? Section 10th: added the md4 with RSA signature and verification process .? Section 11th: added the md4withrsaencryption object identifier. Instead of 1991.6.3, it is also used as a workgroup document SEC-SIG-91-18 for NIST/OSI implementors. Thank you for writing this document based on RSA Laboratories, a department of RSA Data Security, Inc. Thanks to RSA Data Security, Inc. For any substantial use of this document .. RSA Data Security, Inc. requires that all documents described and referenced in this document be represented as RSA Data Security, Inc. PKCS #1. Author address Burt kaliski RSA Laboratories East 20 Crosby drive Bedford, Ma 01730 phone: (617) 687-7000 Email: burt@rsa.com copyright statement copyright (c) the Internet Society (1998 ). all rights reserved. this document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are supported ded on all such copies and derivative works. however, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, cannot T as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet standards process must be followed, or as required to translate it into versions ages other than English. the limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assigns. this document and the information contained herein is provided on an "as is" basis and the Internet Society and the Internet Engineering Task Force disclaims all warranties, express or implied, including but not limited to any warranty that the use of the information herein will not infringe any rights or any implied warranties of merchantability or fitness for a particle PURPOSE.RFC2313--PKCS #1: RSA encryptionversion 1.5 PKCS #1: RSA encrypted version 1.5