RSASSA-PSSCombine the rsasp1 and rsavp1 primitives with the EMSA-PSS encoding method.
1. Signature generation operation:
Enter the RSA private key of the K-signer.
M: the message to be signed. It is an eight-Bit String.
Output: s signature, which is an eight-bit string with a length of K. Here K is the length of the RSA Digital-to-N measured in eight-bit groups.
Steps:
1. EMSA-PSS Coding:Em=EMSA-PSS-ENCODE(M, modbits-1 ).
Modbits is the bit length of the RSA digital-to-analog n.
2. RSA Signature:
A. Convert the encoded message em into an integer message:M=Os2ip(EM ).
B. generate an integer signature:S=Rsasp1(K, M ).
C. Convert the signature representing s to a signature with a length of K eight-bit groups:S=I2osp(S, K ).
3.The output signature represents S.
2. Signature Verification operation:
Input: (n, e) the RSA public key of the signatory
M signature message to be verified, which is an eight-Bit String
S: The signature to be verified. It is an eight-bit string with a length of K. K is the eight-bit group length of the RSA digital model N.
Output: "valid signature" or "invalid signature"
Steps:
1. Check the length: If the length of the signature S is not k eight-bit groups, the "invalid signature" is output and the operation is aborted.
2. RSA Verification:
A. Convert the signature s to an integer signature:S=Os2ip(S ).
B. generate an integer message:M=Rsavp1(N, e), S ).
C. Convert the message representation m to an encoded message with the length of emlen = (modbits-1)/8 octal groups:Em=I2osp(M, emlen ).
Where modbits is the bit length of the RSA digital-to-analog n.
3. EMSA-PSS Verification: Result =EMSA-PSS-VERIFY(M, em, modbits-1 ).
4.If result = "consistent", a "valid signature" is output ". Otherwise, "invalid signature" is output ".
3. Algorithms involved above
A,I2osp(Integer-to-octet-String Primitive) converts a non-negative integer to a specified byte string.
B,Os2ip(Octet-string-to-integer primitive), converts an eight-Bit String into a non-negative integer.
C,Rsasp1(RSA signature primitives), signature primitive. S = rsasp1 (K, M) = m ^ d mod n.
D,Rsavp1(RSA verification primitives), the verification primitive. M = rsavp1 (n, e), S) = s ^ e mod n.
E,EMSA-PSS-ENCODEAndEMSA-PSS-VERIFY, (PSS: probabilistic Signature Scheme), The RSASSA-PSS has four options that are used for this algorithm. For details, see pkcs_#1_v2.20.rsa_algorithm standard document p33.
F, i2osp and os2ip are data conversion primitives, rsasp1 and rsavp1 are signature and verification primitives, and EMSA-PSS is the encoding method with the attached signature.
G,Mgf1sha1Is a mask generation function based on the hash function sha1. It mainly performs i2osp and hash operations cyclically.
4. RSA-pss-Default
It is the RSASSA-PSS Algorithm for the four option values to take the default value.
Rsassa-pss-Params: = SEQUENCE {
Hashalgorithm [0] hashalgorithm default sha1,
Maskgenalgorithm [1] maskgenalgorithm default mgf1sha1,
Saltlength [2] integer default 20,
Trailerfield [3] trailerfield default trailerfieldbc
}
5. Reference
All the parts in this article are summarized as follows: Export pkcs_#1_v2.20.rsa_algorithm standard example, which is translated by the PKI Forum and can be searched online;
For more information, see rfc4055.txt.20.》and 《pkcs-1v2-1.pdf.
RSASSA-PSS support in OpenSSL, refer to: http://www.pubbs.net/201006/openssl/40713-questions-about-rsassa-pss.html on the sixth floor of Steve's speech.