Presentation is loading. Please wait.

Presentation is loading. Please wait.

PKCS #1 v2.1: RSA Cryptography Standard Burt Kaliski, RSA Laboratories PKCS Workshop, 5 October 2000.

Published byHugh Newman Modified over 8 years ago

Similar presentations

Presentation on theme: "PKCS #1 v2.1: RSA Cryptography Standard Burt Kaliski, RSA Laboratories PKCS Workshop, 5 October 2000."— Presentation transcript:

1 PKCS #1 v2.1: RSA Cryptography Standard Burt Kaliski, RSA Laboratories PKCS Workshop, 5 October 2000

2 History of PKCS #1 June 1991: PKCS #1 v1.4 –initial RSA encryption, signature schemes Nov. 1993: PKCS #1 v1.5 –minor editorial revisions –wide deployment, in parallel with increased understanding of security of RSA-based techniques July 1998: PKCS #1 v2.0 –adds RSA-OAEP encryption scheme (M. Bellare and P. Rogaway, Eurocrypt ’94) Sept. 1999: PKCS #1 v2.1 draft 1 –adds RSA-PSS signature scheme (M. Bellare and P. Rogaway, Eurocrypt ’96)

3 History of PKCS #1 (cont’d) July 2000: PKCS #1 v2.0 Amd. 1 –adds “multi-prime” RSA soon: PKCS #1 v2.1 draft 2 –updates RSA-PSS to align with related standards (for a preview, see IEEE P1363a D5)

4 What is PSS? PSS stands for Probabilistic Signature Scheme Published in 1996 by M. Bellare and P. Rogaway “Encoding method” for signatures with appendix in the integer factorization (IF) family, including RSA signatures Provable security in the random oracle model PSS-R variant provides message recovery

5 General Model for Signature Schemes Following IEEE P1363 classification Primitives are mathematical operations on integers, field elements Schemes are sets of operations on messages Schemes are built up from primitives, “encoding methods” mapping between messages, integers –Note: in PKCS #1 v2.1 encoding methods map to strings, which are then converted to integers; this detail omitted here for simplicity

6 IF Family Cryptography based on the difficulty of the integer factorization (IF) problem Modulus n = pq Public exponent e, private exponent d RSA: e odd Rabin-Williams: e even; conditions on p, q

7 Notation Mmessage (string) mmessage representative (integer) ssignature (integer) SPSignature Primitive (m  s) VPVerification Primitive (s  m)

8 Encoding Methods Mappings between message M, integer message representative m –Encode: M  m –Check: M, m consistent? –Decode: m  M Security goals: one-way, collision-resistant, no mathematical structure

9 IF Signature and Verification Primitives RSA case: –SP: s = m d mod n –VP: m = s e mod n Rabin-Williams case: –SP: s = |t d mod n| where t = m or m/2 such that (t/n) = +1 –VP: m = t, 2t, n-t or 2(n-t) where t = s e mod n, m has redundancy

10 IF Signature Scheme with Appendix Signature operation: –m = Encode(M) –s = SP(m) Verification operation: –m = VP(s) –Check(M, m)

11 IF Signature Scheme with Message Recovery Signature operation: –m = Encode(M) –s = SP(m) Recovery operation: –m = VP(s) –M = Decode(m) (Size of M is limited)

12 Draft Specification of PSS RSASSA-PSS in PKCS #1 v2.1 d2 –“RSA signature scheme with appendix based on PSS” Follows general model, with new encoding operation Aligned with IEEE P1363a D5

13 PSS Encoding Method Message representative is roughly same length as modulus Based on underlying hash function, mask generation function

14 PSS Encoding Operation (Some Details Omitted) m = PSS-Encode (M) 1. Generate random salt 2. Hash message and salt, with some padding: H = Hash (00 … 00 || Hash (M) || salt) 3. Add padding to salt to form data block: DB = 00 … 01 || salt 4. Mask data block: maskedDB = DB xor MGF(H) 5. Format message representative: m = maskedDB || H || bc 16

15 PSS Checking Operation (Some Details Omitted) PSS-Check (M, m) 1. Parse message representative: maskedDB || H || bc 16 = m 2. Unmask data block: DB = maskedDB xor MGF(H) 3. Remove padding from data block to recover salt: 00 … 01 || salt = DB 4. Rehash message and salt and compare: H =? Hash (00 … 00 || Hash (M) || salt)

16 Block Diagram of PSS Encoding Operation 00 … 01salt DB  MGF(H) H Hash M 00 … 00Hash(M)salt MGF bc xor

17 Block Diagram of Encoding Operation for PKCS #1 v1.5 00 01 ff ff … ff 00H M Hash HashID

18 Observations Message is hashed with random salt –improves security proof, resistance to fault analysis attacks Salt value is included in data block –shortens signature overhead –for message recovery, part of message can be included Data block is masked –randomizes input to primitive –removes multiplicative structure

19 Observations (cont’d) Message representative ends with bc 16 –per ISO/IEC 9796-2 format, to support RW primitive –but note that hash function identifier, header bits are not taken from that format security proof would be “looser” hash function ID turns out to be only partially helpful in variant with message recovery (a long story …)

20 Two-Level Hashing In PKCS #1 v2.1 d1 as well as the original PSS, message and salt were concatenated then hashed Here, message hash is concatenated with salt Motivation: –typical protocols hash message first, so integration of new method is easier –“single-pass” processing is easier, since salt is not needed until after message is hashed Security proof is the same, under usual assumptions about hash function –proof holds even if attacker controls hash value

21 What’s Provable? Suppose an algorithm A can forge PSS signatures without access to the details of Hash, MGF –Hash, MGF are effectively “random oracles” that can only be queried Then an algorithm B can invert RSA in about the same time using algorithm A as a subroutine  If RSA is hard to invert, then PSS is secure against generic attacks

22 Proof Method Inverting algorithm B “builds” Hash, MGF that appear random to forgery algorithm A, but embed an instance to be inverted When A succeeds at forgery, B succeeds at inverting RSA Random salt is key to “tight” proof; if not random, “looser” proof holds

23 What about the Random Oracle Model? Some concerns have been raised about the relevance of proofs in the random oracle model: –some on theoretical grounds –others on practicality of “instantiating” a random oracle with a real hash or mask generation function But although the proof may “overestimate” the properties of Hash and MGF, it underestimates properties of RSA –e.g., bit security properties are not considered Thus, in practice, PSS may well provide high security even without the random oracle model

24 ASN.1 Syntax for RSASSA-PSS Generic OID: –id-RSASSA-PSS ::= pkcs-1.10 Parameters: –RSASSA-PSS-params ::= SEQUENCE { hashFunc [0] AlgorithmIdentifier {{oaepDigestAlgorithms}} DEFAULT sha1Identifier, maskGenFunc [1] AlgorithmIdentifier {{pkcs1MGFAlgorithms}} DEFAULT mgf1SHA1Identifier } (For S/MIME, perhaps a separate OID for the steps after the message is hashed)

25 Patent Issues University of California has applied for a patent (U.S. only) on PSS and PSS-R In a letter to IEEE P1363, UC has offered to waive licensing on PSS for signatures with appendix if adopted as an IEEE standard –agreed for ANSI X9F1, ISO/IEC, NESSIE as well Reasonable and non-discriminatory licensing for signatures with message recovery

26 Recommended Deployment A gradual transition to PSS is recommended in the interest of prudent security –rollover, along with AES, new hash functions, … PKCS #1 v1.5 signature scheme is still appropriate for new applications Different than situation with PKCS #1 v1.5 encryption scheme, where only OAEP is recommended for new applications

27 Related Standards Work IEEE P1363a will include PSS, PSS-R –also PKCS #1 v1.5 signatures ANSI X9.31 expected to be revised to include PSS ISO/IEC 9796-2 working draft includes PSS-R NESSIE submission prepared by RSA Laboratories Significant coordination already; meetings of relevant groups over next two months

28 Questions from Last Year’s Workshop PSS-R ANSI X9.31 encoding method Composite hash functions New mask generation functions Rabin-Williams support

29 PSS-R Should PKCS #1 v2.1 include the PSS-R encoding method for signatures with message recovery? ISO/IEC 9796-2 is being updated to include PSS-R PSS-R to be included in IEEE P1363a Current answer: No

30 ANSI X9.31 Encoding Method Should PKCS #1 v2.1 include the ANSI X9.31 encoding method? ANSI X9.31 is a banking standard FIPS 186-2 supports it Current answer: No

31 Composite Hash Functions Should PKCS #1 v2.1 specify “composite” hash functions? –raised by Tom Gindin, IBM Example: –SHA-1-MD5(M) = SHA-1(M) || MD5(M) A simple method to increase security in a modular fashion Could be combined with PKCS #1 v1.5 encoding method, or PSS Current answer: Maybe

32 New Mask Generation Functions Should PKCS #1 v2.1 define new mask generation functions? Example: –MGF2(Z) = HMAC(Z,0) || HMAC(Z,1) || … Current method lacks HMAC’s security proof: –MGF1(Z) = Hash(0 || Z) || Hash(1 || Z) || … Current answer: No

33 Rabin-Williams Support Should PKCS #1 v2.1 include the RW primitives for even exponents? Would be consistent with ANSI X9.31, X9.44 draft, IEEE P1363 PKCS #1 v1.5, PSS versions require slightly different primitives than currently specified –cf. relevant submissions to IEEE P1363a Current answer: No

34 Conclusions New version of PKCS #1 in development Standards strategy for RSA signatures emerging –PSS a prudent choice for long-term security, harmonization of standards For future work? –PKCS #1 usage guidelines –key generation and validation specifications

35 For More Information PKCS #1 drafts: www.rsalabs.com/pkcs/www.rsalabs.com/pkcs/ IEEE P1363a drafts: grouper.ieee.org/groups/1363/ grouper.ieee.org/groups/1363/ bkaliski@rsasecurity.com

Download ppt "PKCS #1 v2.1: RSA Cryptography Standard Burt Kaliski, RSA Laboratories PKCS Workshop, 5 October 2000."

Similar presentations

Hash Function Firewalls in Signature Schemes Burt Kaliski, RSA Laboratories IEEE P1363 Working Group Meeting June 2, 2000 (Rev. June 8, 2000)

Hash Function Firewalls in Signature Schemes Burt Kaliski, RSA Laboratories IEEE P1363 Working Group Meeting June 2, 2000 (Rev. June 8, 2000)
Some New RSA Mechanisms for PKCS #11 Burt Kaliski, RSA Laboratories PKCS Workshop April 14, 2003.

Some New RSA Mechanisms for PKCS #11 Burt Kaliski, RSA Laboratories PKCS Workshop April 14, 2003.
Cryptography and Network Security

Cryptography and Network Security
11 Provable Security. 22 Given a ciphertext, find the corresponding plaintext.

11 Provable Security. 22 Given a ciphertext, find the corresponding plaintext.
Digital Signatures and Hash Functions. Digital Signatures.

Digital Signatures and Hash Functions. Digital Signatures.
Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.

Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.
CNS2010handout 10 :: digital signatures1 computer and network security matt barrie.

CNS2010handout 10 :: digital signatures1 computer and network security matt barrie.
CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz.
Hash functions a hash function produces a fingerprint of some file/message/data h = H(M)  condenses a variable-length message M  to a fixed-sized fingerprint.

Hash functions a hash function produces a fingerprint of some file/message/data h = H(M)  condenses a variable-length message M  to a fixed-sized fingerprint.
Cryptography and Network Security (CS435) Part Ten (Hash and MAC algorithms)

Cryptography and Network Security (CS435) Part Ten (Hash and MAC algorithms)
A Designer’s Guide to KEMs Alex Dent

A Designer’s Guide to KEMs Alex Dent
CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.
Secure Hashing and DSS Sultan Almuhammadi ICS 454 Principles of Cryptography.

Secure Hashing and DSS Sultan Almuhammadi ICS 454 Principles of Cryptography.
Introduction to Modern Cryptography Lecture 7 1.RSA Public Key CryptoSystem 2.One way Trapdoor Functions.

Introduction to Modern Cryptography Lecture 7 1.RSA Public Key CryptoSystem 2.One way Trapdoor Functions.
Fall 2010/Lecture 311 CS 426 (Fall 2010) Public Key Encryption and Digital Signatures.

Fall 2010/Lecture 311 CS 426 (Fall 2010) Public Key Encryption and Digital Signatures.
CS470, A.SelcukRSA1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

CS470, A.SelcukRSA1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
1 CIS 5371 Cryptography 9. Data Integrity Techniques.

1 CIS 5371 Cryptography 9. Data Integrity Techniques.
Cryptography1 CPSC 3730 Cryptography Chapter 11, 12 Message Authentication and Hash Functions.

Cryptography1 CPSC 3730 Cryptography Chapter 11, 12 Message Authentication and Hash Functions.
Cryptography and Network Security Chapter 11 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Chapter 11 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.
CSE 597E Fall 2001 PennState University1 Digital Signature Schemes Presented By: Munaiza Matin.

CSE 597E Fall 2001 PennState University1 Digital Signature Schemes Presented By: Munaiza Matin.

Similar presentations

Ads by Google