Presentation is loading. Please wait.

Presentation is loading. Please wait.

RSA Data Security, Inc. PKCS #1 : RSA Cryptography Standard Jessica Staddon RSA Laboratories PKCS Workshop October 7, 1998.

Published byGilbert Stewart Modified over 8 years ago

Similar presentations

Presentation on theme: "RSA Data Security, Inc. PKCS #1 : RSA Cryptography Standard Jessica Staddon RSA Laboratories PKCS Workshop October 7, 1998."— Presentation transcript:

1 RSA Data Security, Inc. PKCS #1 : RSA Cryptography Standard Jessica Staddon RSA Laboratories PKCS Workshop October 7, 1998

2 © RSA 1998 Outline Update on status of v2.0 Overview of v2.0 content Technical highlights of v2.0 Possibilities for 2.x !

3 © RSA 1998 Status of v2.0 v2.0 was posted for 30-day review on 7/14/98 v2.0 was submitted as an Internet-Draft to the IETF on 8/6/98 a few comments were received…and the final document was posted on 9/4

4 © RSA 1998 Overview of v2.0 Encryption schemes: –OAEP-based encryption (Bellare- Rogaway) –v1.5 encryption, for backward compatibility v1.5 signature scheme with appendix ASN.1 syntax –new OIDs for the OAEP-based scheme

5 RSA Data Security, Inc. Technical Highlights Style RSAES-OAEP Auxiliary functions ASN.1

6 © RSA 1998 Style and terminology of v2.0 is similar to IEEE P1363: Primitives –encryption and decryption –signature and verification –data conversion Encryption and signature schemes Encoding methods –for encryption and signatures w/ appendix Auxiliary functions

7 © RSA 1998 Primitives Basic mathematical operations Primitives are used in schemes e.g. RSAEP( (n, e), m): 1. If m is not between 0 and n-1, output “message representative out of range” and stop. 2. Let c = m e mod n. 3. Output c.

8 © RSA 1998 Schemes Combine primitives and other techniques (e.g. encoding methods) to achieve a particular security goal.

9 © RSA 1998 RSAES-OAEP (Section 7.1) Within the random oracle model: Provably secure –can tie security to the RSA function Plaintext-aware –“can’t” generate valid ciphertext w/o the plaintext –chosen-ciphertext attacks are ineffective

10 © RSA 1998 RSAES-OAEP Encrypt (public key, M, P): –EM = EME-OAEP-Encode (M, P) –C = RSAEP (public key, EM) Decrypt (private key, C, P): –EM = RSADP (private key, C) –M = EME-OAEP-Decode (EM, P) M, C bounded, P arbitrary length

11 © RSA 1998 EME-OAEP-Encode(M, P, emLen) (Section 9.1.1.1) Options : Hash output length hLen MGF mask generation function Input : M length at most emLen-1-2hLen P encoding parameters emLen length of output Output: encoded message, EM (length emLen) or, “message too long”, or “parameter string too long” RSAES-OAEP-Encrypt calls this with emLen = k -1

12 © RSA 1998 EME-OAEP-Encode

13 © RSA 1998 Auxiliary Functions (Section 10) Hash functions –deterministic functions, variable length input, fixed length output –collision resistance important to deter forgery of v1.5 signatures –SHA-1 is recommended for EME-OAEP –MD2, MD5 and SHA-1 are recommended for all other encoding methods

14 © RSA 1998 Mask generation functions –deterministic functions –take variable length input and output string of any predetermined length –v2.0 defines an MGF based on a hash function, MGF1 –SHA-1 is the recommended hash function for MGF1

15 © RSA 1998 MGF1(Z, l) Z is a seed, l is the length of the mask (the output) Let T be the empty string For counter from 0 to  l / hLen  -1, do the following: a.Convert counter to an octet string C of length 4 with the primitive I2OSP: C = I2OSP (counter, 4) b.Concatenate the hash of the seed Z and C to the octet string T: T = T || Hash (Z || C) Output the leading l octets of T as the octet string mask.

16 © RSA 1998 ASN.1 for RSA-OAEP (Section 11.2.1) The syntax allows for increased functionality-- other hash functions, other types of MGFs, etc. OID for the RSAES-OAEP encryption scheme: id-RSAES-OAEP OBJECT IDENTIFIER ::= {pkcs-1 7} The parameters field associated with this OID in an AlgorithmIdentifier shall have type RSAEP-OAEP-params :

17 © RSA 1998 RSAES-OAEP-params ::= SEQUENCE { hashFunc [0] AlgorithmIdentifier{{oaepDigestAlgorith ms}} DEFAULT sha1Identifier, maskGenFunc [1] AlgorithmIdentifier{{pkcs1MGFAlgorithms }} DEFAULT mgf1SHA1Identifier, pSourceFunc [2] AlgorithmIdentifier {{pkcs1pSourceAlgorithms}} DEFAULT pSpecifiedEmptyIdentifier }

18 © RSA 1998 In v2.0, P is an octet string that’s specified explicitly, although the syntax is more flexible: pkcs1pSourceAlgorithms ALGORITHM- IDENTIFIER ::= {{OCTET STRING IDENTIFIED BY id-pSpecified}} (encoding parameters are specified explicitly) id-pSpecified OBJECT IDENTIFIER ::= {pkcs-1 9} The parameters field for id-pSpecified shall have type OCTET STRING, containing the encoding parameters. pSpecifiedEmptyIdentifier ::=AlgorithmIdentifier {id-pSpecified, OCTET STRING SIZE (0) }

19 © RSA 1998 If defaults for all the fields in RSAES- OAEP-params are used then the AlgID has the value: RSAES-OAEP-Default-Identifier ::= AlgorithmIdentifier { id-RSAES-OAEP, {sha1Identifier, mgf1SHA1Identifier, pSpecifiedEmptyIdentifier } }

20 © RSA 1998 Possibilities for v2.x Signature schemes –provable security (PSS) –message recovery (PSS-R, ISO/IEC 9796) –other options (X9.31…) Key generation methods Key validation methods

21 © RSA 1998 ISO/IEC 9796 An international standard for signatures with message recovery Process involves padding, extending and adding redundancy to messages Not provably secure

22 © RSA 1998 X9.31 rDSA A hash based encoding method: M  EM = header || padding || H(M) || trailer  f -1 (EM) (f -1 denotes the signature operation)

23 © RSA 1998 Key generation methods Prime generation methods from ANSI draft X9.79: Prime Number Generation and Validation Methods? Sieving procedures? Primality tests (probabilistic/deterministic)?

24 © RSA 1998 Key validation methods Still an area of research… Some possibilities... –methods for showing n is product of two primes –method of Liskov and Silverman for showing that the two factors of n are nearly equal

Download ppt "RSA Data Security, Inc. PKCS #1 : RSA Cryptography Standard Jessica Staddon RSA Laboratories PKCS Workshop October 7, 1998."

Similar presentations

Hash Function Firewalls in Signature Schemes Burt Kaliski, RSA Laboratories IEEE P1363 Working Group Meeting June 2, 2000 (Rev. June 8, 2000)

Hash Function Firewalls in Signature Schemes Burt Kaliski, RSA Laboratories IEEE P1363 Working Group Meeting June 2, 2000 (Rev. June 8, 2000)
Revised 08/16/1999 IEEE P1363: Standard Specifications for Public-Key Cryptography Burt Kaliski Chair, IEEE P1363 August 17, 1999.

Revised 08/16/1999 IEEE P1363: Standard Specifications for Public-Key Cryptography Burt Kaliski Chair, IEEE P1363 August 17, 1999.
Hash Functions A hash function takes data of arbitrary size and returns a value in a fixed range. If you compute the hash of the same data at different.

Hash Functions A hash function takes data of arbitrary size and returns a value in a fixed range. If you compute the hash of the same data at different.
Some New RSA Mechanisms for PKCS #11 Burt Kaliski, RSA Laboratories PKCS Workshop April 14, 2003.

Some New RSA Mechanisms for PKCS #11 Burt Kaliski, RSA Laboratories PKCS Workshop April 14, 2003.
Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.

Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.
Cryptography and Network Security

Cryptography and Network Security
Digital Signatures and Hash Functions. Digital Signatures.

Digital Signatures and Hash Functions. Digital Signatures.
Public Key Encryption Algorithm

Public Key Encryption Algorithm
Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.

Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.
CNS2010handout 10 :: digital signatures1 computer and network security matt barrie.

CNS2010handout 10 :: digital signatures1 computer and network security matt barrie.
CMSC 414 Computer and Network Security Lecture 5 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 5 Jonathan Katz.
Introduction to Modern Cryptography Homework assignments.

Introduction to Modern Cryptography Homework assignments.
A Designer’s Guide to KEMs Alex Dent

A Designer’s Guide to KEMs Alex Dent
Fall 2010/Lecture 311 CS 426 (Fall 2010) Public Key Encryption and Digital Signatures.

Fall 2010/Lecture 311 CS 426 (Fall 2010) Public Key Encryption and Digital Signatures.
CS470, A.SelcukRSA1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

CS470, A.SelcukRSA1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
1 CIS 5371 Cryptography 9. Data Integrity Techniques.

1 CIS 5371 Cryptography 9. Data Integrity Techniques.
Network Security – Part 2 V.T. Raja, Ph.D., Oregon State University.

Network Security – Part 2 V.T. Raja, Ph.D., Oregon State University.
Cryptography1 CPSC 3730 Cryptography Chapter 11, 12 Message Authentication and Hash Functions.

Cryptography1 CPSC 3730 Cryptography Chapter 11, 12 Message Authentication and Hash Functions.
IEEE P1363: Standard Specifications for Public-Key Cryptography

IEEE P1363: Standard Specifications for Public-Key Cryptography
1 Introduction to Information Security 0368-3065, Spring 2015 Lecture 7: Applied cryptography: asymmetric Eran Tromer Slides credit: John Mitchell, Stanford.

1 Introduction to Information Security , Spring 2015 Lecture 7: Applied cryptography: asymmetric Eran Tromer Slides credit: John Mitchell, Stanford.

Similar presentations

Ads by Google