Network Working Group                                         B. Kaliski
Request for Comments: 2437                                    J. Staddon
Obsoletes: 2313                                         RSA Laboratories
Category: Informational                                     October 1998
        

PKCS #1: RSA Cryptography Specifications Version 2.0

Status of this Memo

This memo provides information for the Internet community. It does not specify an Internet standard of any kind. Distribution of this memo is unlimited.

Copyright Notice

Copyright (C) The Internet Society (1998). All Rights Reserved.

Table of Contents

   1.       Introduction
   1.1      Overview
   2.       Notation
   3.       Key types
   3.1      RSA public key
   3.2      RSA private key
   4.       Data conversion primitives
   4.1      I2OSP
   4.2      OS2IP
   5.       Cryptographic primitives
   5.1      Encryption and decryption primitives
   5.1.1    RSAEP
   5.1.2    RSADP
   5.2      Signature and verification primitives
   5.2.1    RSASP1
   5.2.2    RSAVP1
   6.       Overview of schemes
   7.       Encryption schemes
   7.1      RSAES-OAEP
   7.1.1    Encryption operation
   7.1.2    Decryption operation
   7.2      RSAES-PKCS1-v1_5
   7.2.1    Encryption operation
   7.2.2    Decryption operation
   8.       Signature schemes with appendix
   8.1      RSASSA-PKCS1-v1_5
   8.1.1    Signature generation operation
   8.1.2    Signature verification operation
   9.       Encoding methods
   9.1      Encoding methods for encryption
   9.1.1    EME-OAEP
   9.1.2    EME-PKCS1-v1_5
   9.2      Encoding methods for signatures with appendix
   9.2.1    EMSA-PKCS1-v1_5
   10.      Auxiliary Functions
   10.1     Hash Functions
   10.2     Mask Generation Functions
   10.2.1   MGF1
   11.      ASN.1 syntax
   11.1     Key representation
   11.1.1   Public-key syntax
   11.1.2   Private-key syntax
   11.2     Scheme identification
   11.2.1   Syntax for RSAES-OAEP
   11.2.2   Syntax for RSAES-PKCS1-v1_5
   11.2.3   Syntax for RSASSA-PKCS1-v1_5
   12.      Patent Statement
   12.1     Patent statement for the RSA algorithm
   13.      Revision history
   14.      References
            Security Considerations
            Acknowledgements
            Authors' Addresses
            Full Copyright Statement
1. Introduction

This memo is the successor to RFC 2313. This document provides recommendations for the implementation of public-key cryptography based on the RSA algorithm [18], covering the following aspects:

   - cryptographic primitives
   - encryption schemes
   - signature schemes with appendix
   - ASN.1 syntax for representing keys and for identifying the schemes

The recommendations are intended for general application within computer and communications systems, and as such include a fair amount of flexibility. It is expected that application standards based on these specifications may include additional constraints. The recommendations are intended to be compatible with draft standards currently being developed by the ANSI X9F1 [1] and IEEE P1363 working groups [14]. This document supersedes PKCS #1 version 1.5 [20].

Editor's note. It is expected that subsequent versions of PKCS #1 may cover other aspects of the RSA algorithm such as key size, key generation, key validation, and signature schemes with message recovery.

1.1 Overview

The organization of this document is as follows:

   - Section 1 is an introduction.
   - Section 2 defines some notation used in this document.
   - Section 3 defines the RSA public and private key types.
   - Sections 4 and 5 define several primitives, or basic mathematical operations. Data conversion primitives are in Section 4, and cryptographic primitives (encryption-decryption, signature-verification) are in Section 5.
   - Sections 6, 7 and 8 deal with the encryption and signature schemes in this document. Section 6 gives an overview. Section 7 defines an OAEP-based [2] encryption scheme along with the method found in PKCS #1 v1.5. Section 8 defines a signature scheme with appendix; the method is identical to that of PKCS #1 v1.5.
   - Section 9 defines the encoding methods for the encryption and signature schemes in Sections 7 and 8.
   - Section 10 defines the hash functions and the mask generation function used in this document.
   - Section 11 defines the ASN.1 syntax for the keys defined in Section 3 and the schemes given in Sections 7 and 8.
   - Section 12 outlines the revision history of PKCS #1.
   - Section 13 contains references to other publications and standards.

2. Notation

   (n, e)        RSA public key

   c             ciphertext representative, an integer between 0 and n-1

   C             ciphertext, an octet string

   d             private exponent

   dP            p's exponent, a positive integer such that: e(dP) \equiv 1 (mod (p-1))

   dQ            q's exponent, a positive integer such that: e(dQ) \equiv 1 (mod (q-1))

   e             public exponent

   EM            encoded message, an octet string

   emLen         intended length in octets of an encoded message

   H             hash value, an output of Hash

   Hash          hash function

   hLen          output length in octets of hash function Hash

   K             RSA private key

   k             length in octets of the modulus

   l             intended length of octet string

   lcm(.,.)      least common multiple of two nonnegative integers

   m             message representative, an integer between 0 and n-1

   M             message, an octet string

   MGF           mask generation function

   n             modulus

   P             encoding parameters, an octet string

   p, q          prime factors of the modulus

   qInv          CRT coefficient, a positive integer less than p such that: q(qInv) \equiv 1 (mod p)

   s             signature representative, an integer between 0 and n-1

   S             signature, an octet string

   x             a nonnegative integer

   X             an octet string corresponding to x

   \xor          bitwise exclusive-or of two octet strings

   \lambda(n)    lcm(p-1, q-1), where n = pq

   ||            concatenation operator

   ||.||         octet length operator

3. Key types

Two key types are employed in the primitives and schemes defined in this document: RSA public key and RSA private key. Together, an RSA public key and an RSA private key form an RSA key pair.

3.1 RSA public key

For the purposes of this document, an RSA public key consists of two components:

   n, the modulus, a nonnegative integer
   e, the public exponent, a nonnegative integer

In a valid RSA public key, the modulus n is a product of two odd primes p and q, and the public exponent e is an integer between 3 and n-1 satisfying gcd (e, \lambda(n)) = 1, where \lambda(n) = lcm (p-1,q-1). A recommended syntax for interchanging RSA public keys between implementations is given in Section 11.1.1; an implementation's internal representation may differ.

3.2 RSA private key

For the purposes of this document, an RSA private key may have either of two representations.

1. The first representation consists of the pair (n, d), where the components have the following meanings:

   n, the modulus, a nonnegative integer
   d, the private exponent, a nonnegative integer

2. The second representation consists of a quintuple (p, q, dP, dQ, qInv), where the components have the following meanings:

   p, the first factor, a nonnegative integer
   q, the second factor, a nonnegative integer
   dP, the first factor's exponent, a nonnegative integer
   dQ, the second factor's exponent, a nonnegative integer
   qInv, the CRT coefficient, a nonnegative integer

In a valid RSA private key with the first representation, the modulus n is the same as in the corresponding public key and is the product of two odd primes p and q, and the private exponent d is a positive integer less than n satisfying:

   ed \equiv 1 (mod \lambda(n))

where e is the corresponding public exponent and \lambda(n) is as defined above.

In a valid RSA private key with the second representation, the two factors p and q are the prime factors of the modulus n, the exponents dP and dQ are positive integers less than p and q respectively satisfying

   e(dP) \equiv 1 (mod (p-1))
   e(dQ) \equiv 1 (mod (q-1)),

and the CRT coefficient qInv is a positive integer less than p satisfying:

   q(qInv) \equiv 1 (mod p).

A recommended syntax for interchanging RSA private keys between implementations, which includes components from both representations, is given in Section 11.1.2; an implementation's internal representation may differ.

4. Data conversion primitives

Two data conversion primitives are employed in the schemes defined in this document:

   I2OSP: Integer-to-Octet-String primitive
   OS2IP: Octet-String-to-Integer primitive

For the purposes of this document, and consistent with ASN.1 syntax, an octet string is an ordered sequence of octets (eight-bit bytes). The sequence is indexed from first (conventionally, leftmost) to last (rightmost). For purposes of conversion to and from integers, the first octet is considered the most significant in the following conversion primitives.

4.1 I2OSP

I2OSP converts a nonnegative integer to an octet string of a specified length.

I2OSP (x, l)

Input:
   x   nonnegative integer to be converted
   l   intended length of the resulting octet string

Output:
   X   corresponding octet string of length l; or "integer too large"

Steps:

1. If x >= 256^l, output "integer too large" and stop.

2. Write the integer x in its unique l-digit representation base 256:

   x = x_{l-1} 256^{l-1} + x_{l-2} 256^{l-2} + ... + x_1 256 + x_0

where 0 <= x_i < 256 (note that one or more leading digits will be zero if x < 256^{l-1}).

3. Let the octet X_i have the value x_{l-i} for 1 <= i <= l. Output the octet string:

   X = X_1 X_2 ... X_l.

4.2 OS2IP

OS2IP converts an octet string to a nonnegative integer.

OS2IP (X)

Input:
   X   octet string to be converted

Output:
   x   corresponding nonnegative integer

Steps:

1. Let X_1 X_2 ... X_l be the octets of X from first to last, and let x_{l-i} have value X_i for 1 <= i <= l.

2. Let x = x_{l-1} 256^{l-1} + x_{l-2} 256^{l-2} + ... + x_1 256 + x_0.

3. Output x.

5. Cryptographic primitives

Cryptographic primitives are basic mathematical operations on which cryptographic schemes can be built. They are intended for implementation in hardware or as software modules, and are not intended to provide security apart from a scheme.

Four types of primitive are specified in this document, organized in pairs: encryption and decryption; and signature and verification.

The specifications of the primitives assume that certain conditions are met by the inputs, in particular that public and private keys are valid.

5.1 Encryption and decryption primitives

An encryption primitive produces a ciphertext representative from a message representative under the control of a public key, and a decryption primitive recovers the message representative from the ciphertext representative under the control of the corresponding private key.

One pair of encryption and decryption primitives is employed in the encryption schemes defined in this document and is specified here: RSAEP/RSADP. RSAEP and RSADP involve the same mathematical operation, with different keys as input.

The primitives defined here are the same as in the draft IEEE P1363 and are compatible with PKCS #1 v1.5.

The main mathematical operation in each primitive is exponentiation.

5.1.1 RSAEP

RSAEP ((n, e), m)

Input:
   (n, e)   RSA public key
   m        message representative, an integer between 0 and n-1

Output:
   c        ciphertext representative, an integer between 0 and n-1; or "message representative out of range"

Assumptions: public key (n, e) is valid

Steps:

1. If the message representative m is not between 0 and n-1, output "message representative out of range" and stop.

2. Let c = m^e mod n.

3. Output c.

5.1.2 RSADP

RSADP (K, c)

Input:
   K        RSA private key, where K has one of the following forms:
            - a pair (n, d)
            - a quintuple (p, q, dP, dQ, qInv)
   c        ciphertext representative, an integer between 0 and n-1

Output:
   m        message representative, an integer between 0 and n-1; or "ciphertext representative out of range"

Assumptions: private key K is valid

Steps:

1. If the ciphertext representative c is not between 0 and n-1, output "ciphertext representative out of range" and stop.

2. If the first form (n, d) of K is used:

   2.1 Let m = c^d mod n.

   Else, if the second form (p, q, dP, dQ, qInv) of K is used:

   2.2 Let m_1 = c^dP mod p.

   2.3 Let m_2 = c^dQ mod q.

   2.4 Let h = qInv ( m_1 - m_2 ) mod p.

   2.5 Let m = m_2 + hq.

3. Output m.

5.2 Signature and verification primitives

A signature primitive produces a signature representative from a message representative under the control of a private key, and a verification primitive recovers the message representative from the signature representative under the control of the corresponding public key. One pair of signature and verification primitives is employed in the signature schemes defined in this document and is specified here: RSASP1/RSAVP1.

The primitives defined here are the same as in the draft IEEE P1363 and are compatible with PKCS #1 v1.5.

The main mathematical operation in each primitive is exponentiation, as in the encryption and decryption primitives of Section 5.1. RSASP1 and RSAVP1 are the same as RSADP and RSAEP except for the names of their input and output arguments; they are distinguished as they are intended for different purposes.

5.2.1 RSASP1

RSASP1 (K, m)

Input:
   K        RSA private key, where K has one of the following forms:
            - a pair (n, d)
            - a quintuple (p, q, dP, dQ, qInv)
   m        message representative, an integer between 0 and n-1

Output:
   s        signature representative, an integer between 0 and n-1; or "message representative out of range"

Assumptions: private key K is valid

Steps:

1. If the message representative m is not between 0 and n-1, output "message representative out of range" and stop.

2. If the first form (n, d) of K is used:

   2.1 Let s = m^d mod n.

   Else, if the second form (p, q, dP, dQ, qInv) of K is used:

   2.2 Let s_1 = m^dP mod p.

   2.3 Let s_2 = m^dQ mod q.

   2.4 Let h = qInv ( s_1 - s_2 ) mod p.

   2.5 Let s = s_2 + hq.

3. Output s.

5.2.2 RSAVP1

RSAVP1 ((n, e), s)

Input:
   (n, e)   RSA public key
   s        signature representative, an integer between 0 and n-1

Output:
   m        message representative, an integer between 0 and n-1; or "invalid"

Assumptions: public key (n, e) is valid

Steps:

1. If the signature representative s is not between 0 and n-1, output "invalid" and stop.

2. Let m = s^e mod n.

3. Output m.

6. Overview of schemes

A scheme combines cryptographic primitives and other techniques to achieve a particular security goal. Two types of scheme are specified in this document: encryption schemes and signature schemes with appendix.

The schemes specified in this document are limited in scope in that their operations consist only of steps to process data with a key, and do not include steps for obtaining or validating the key. Thus, in addition to the scheme operations, an application will typically include key management operations by which parties may select public and private keys for a scheme operation. The specific additional operations and other details are outside the scope of this document.

As was the case for the cryptographic primitives (Section 5), the specifications of scheme operations assume that certain conditions are met by the inputs, in particular that public and private keys are valid. The behavior of an implementation is thus unspecified when a key is invalid. The impact of such unspecified behavior depends on the application. Possible means of addressing key validation include explicit key validation by the application; key validation within the public-key infrastructure; and assignment of liability for operations performed with an invalid key to the party who generated the key.

7. Encryption schemes

An encryption scheme consists of an encryption operation and a decryption operation, where the encryption operation produces a ciphertext from a message with a recipient's public key, and the decryption operation recovers the message from the ciphertext with the recipient's corresponding private key.

An encryption scheme can be employed in a variety of applications. A typical application is a key establishment protocol, where the message contains key material to be delivered confidentially from one party to another. For instance, PKCS #7 [21] employs such a protocol to deliver a content-encryption key from a sender to a recipient; the encryption schemes defined here would be suitable key-encryption algorithms in that context.

Two encryption schemes are specified in this document: RSAES-OAEP and RSAES-PKCS1-v1_5. RSAES-OAEP is recommended for new applications; RSAES-PKCS1-v1_5 is included only for compatibility with existing applications, and is not recommended for new applications.

The encryption schemes given here follow a general model similar to that employed in IEEE P1363, by combining encryption and decryption primitives with an encoding method for encryption. The encryption operations apply a message encoding operation to a message to produce an encoded message, which is then converted to an integer message representative. An encryption primitive is applied to the message representative to produce the ciphertext. Reversing this, the decryption operations apply a decryption primitive to the ciphertext to recover a message representative, which is then converted to an octet string encoded message. A message decoding operation is applied to the encoded message to recover the message and verify the correctness of the decryption.

7.1 RSAES-OAEP

RSAES-OAEP combines the RSAEP and RSADP primitives (Sections 5.1.1 and 5.1.2) with the EME-OAEP encoding method (Section 9.1.1). EME-OAEP is based on the method found in [2]. It is compatible with the IFES scheme defined in the draft P1363 where the encryption and decryption primitives are IFEP-RSA and IFDP-RSA and the message encoding method is EME-OAEP. RSAES-OAEP can operate on messages of length up to k-2-2hLen octets, where hLen is the length of the hash function output for EME-OAEP and k is the length in octets of the recipient's RSA modulus. Assuming that the hash function in EME-OAEP has appropriate properties, and the key size is sufficiently large, RSAES-OAEP provides "plaintext-aware encryption," meaning that it is computationally infeasible to obtain full or partial information about a message from a ciphertext, and computationally infeasible to generate a valid ciphertext without knowing the corresponding message. Therefore, a chosen-ciphertext attack is ineffective against a plaintext-aware encryption scheme such as RSAES-OAEP.

Both the encryption and the decryption operations of RSAES-OAEP take the value of the parameter string P as input. In this version of PKCS #1, P is an octet string that is specified explicitly. See Section 11.2.1 for the relevant ASN.1 syntax. We briefly note that to receive the full security benefit of RSAES-OAEP, it should not be used in a protocol involving RSAES-PKCS1-v1_5. It is possible that in a protocol on which both encryption schemes are present, an adaptive chosen ciphertext attack such as [4] would be useful.
7.1.1 Encryption operation
7.1.1 加密操作

RSAES-OAEP-ENCRYPT ((n, e), M, P)

RSAES-OAEP-ENCRYPT((n,e),M,P)

Input: (n, e) recipient's RSA public key

输入:(n,e)收件人的RSA公钥

M message to be encrypted, an octet string of length at most k-2-2hLen, where k is the length in octets of the modulus n and hLen is the length in octets of the hash function output for EME-OAEP

M要加密的消息,长度最多为k-2-2hLen的八位字节字符串,其中k是模n的八位字节长度,hLen是EME-OAEP哈希函数输出的八位字节长度

P encoding parameters, an octet string that may be empty

P编码参数,一个可能为空的八位字节字符串

Output: C ciphertext, an octet string of length k; or "message too long"

输出:C密文,长度为k的八位字符串;或者“信息太长”

Assumptions: public key (n, e) is valid

假设:公钥(n,e)有效

Steps:

步骤:

1. Apply the EME-OAEP encoding operation (Section 9.1.1.2) to the message M and the encoding parameters P to produce an encoded message EM of length k-1 octets:

1. 将EME-OAEP编码操作(第9.1.1.2节)应用于消息M和编码参数P,以生成长度为k-1八位字节的编码消息EM:

EM = EME-OAEP-ENCODE (M, P, k-1)

EM=EME-OAEP-ENCODE(M,P,k-1)

If the encoding operation outputs "message too long," then output "message too long" and stop.

如果编码操作输出“message too long”,则输出“message too long”并停止。

2. Convert the encoded message EM to an integer message representative m: m = OS2IP (EM)

2. 将编码的消息EM转换为代表m:m=OS2IP(EM)的整数消息

3. Apply the RSAEP encryption primitive (Section 5.1.1) to the public key (n, e) and the message representative m to produce an integer ciphertext representative c:

c = RSAEP ((n, e), m)

4. Convert the ciphertext representative c to a ciphertext C of length k octets: C = I2OSP (c, k)

5. Output the ciphertext C.

7.1.2 Decryption operation

RSAES-OAEP-DECRYPT (K, C, P)

Input: K recipient's RSA private key

C ciphertext to be decrypted, an octet string of length k, where k is the length in octets of the modulus n

P encoding parameters, an octet string that may be empty

Output: M message, an octet string of length at most k-2-2hLen, where hLen is the length in octets of the hash function output for EME-OAEP; or "decryption error"

Steps:

1. If the length of the ciphertext C is not k octets, output "decryption error" and stop.

2. Convert the ciphertext C to an integer ciphertext representative c: c = OS2IP (C).

3. Apply the RSADP decryption primitive (Section 5.1.2) to the private key K and the ciphertext representative c to produce an integer message representative m:

m = RSADP (K, c)

If RSADP outputs "ciphertext out of range," then output "decryption error" and stop.

4. Convert the message representative m to an encoded message EM of length k-1 octets: EM = I2OSP (m, k-1)

If I2OSP outputs "integer too large," then output "decryption error" and stop.

5. Apply the EME-OAEP decoding operation to the encoded message EM and the encoding parameters P to recover a message M:

M = EME-OAEP-DECODE (EM, P)

If the decoding operation outputs "decoding error," then output "decryption error" and stop.

6. Output the message M.

Note. It is important that the error messages output in steps 4 and 5 be the same, otherwise an adversary may be able to extract useful information from the type of error message received. Error message information is used to mount a chosen-ciphertext attack on PKCS #1 v1.5 encrypted messages in [4].

7.2 RSAES-PKCS1-v1_5

RSAES-PKCS1-v1_5 combines the RSAEP and RSADP primitives with the EME-PKCS1-v1_5 encoding method. It is the same as the encryption scheme in PKCS #1 v1.5. RSAES-PKCS1-v1_5 can operate on messages of length up to k-11 octets, although care should be taken to avoid certain attacks on low-exponent RSA due to Coppersmith, et al. when long messages are encrypted (see the third bullet in the notes below and [7]).

RSAES-PKCS1-v1_5 does not provide "plaintext aware" encryption. In particular, it is possible to generate valid ciphertexts without knowing the corresponding plaintexts, with a reasonable probability of success. This ability can be exploited in a chosen ciphertext attack as shown in [4]. Therefore, if RSAES-PKCS1-v1_5 is to be used, certain easily implemented countermeasures should be taken to thwart the attack found in [4]. The addition of structure to the data to be encoded, rigorous checking of PKCS #1 v1.5 conformance and other redundancy in decrypted messages, and the consolidation of error messages in a client-server protocol based on PKCS #1 v1.5 can all be effective countermeasures and don't involve changes to a PKCS #1 v1.5-based protocol. These and other countermeasures are discussed in [5].

Notes. The following passages describe some security recommendations pertaining to the use of RSAES-PKCS1-v1_5. Recommendations from version 1.5 of this document are included as well as new recommendations motivated by cryptanalytic advances made in the intervening years.

- It is recommended that the pseudorandom octets in EME-PKCS1-v1_5 be generated independently for each encryption process, especially if the same data is input to more than one encryption process. Hastad's results [13] are one motivation for this recommendation.

- The padding string PS in EME-PKCS1-v1_5 is at least eight octets long, which is a security condition for public-key operations that prevents an attacker from recovering data by trying all possible encryption blocks.

- The pseudorandom octets can also help thwart an attack due to Coppersmith et al. [7] when the size of the message to be encrypted is kept small. The attack works on low-exponent RSA when similar messages are encrypted with the same public key. More specifically, in one flavor of the attack, when two inputs to RSAEP agree on a large fraction of bits (8/9) and low-exponent RSA (e = 3) is used to encrypt both of them, it may be possible to recover both inputs with the attack. Another flavor of the attack is successful in decrypting a single ciphertext when a large fraction (2/3) of the input to RSAEP is already known. For typical applications, the message to be encrypted is short (e.g., a 128-bit symmetric key) so not enough information will be known or common between two messages to enable the attack. However, if a long message is encrypted, or if part of a message is known, then the attack may be a concern. In any case, the RSAES-OAEP scheme overcomes the attack.

7.2.1 Encryption operation

RSAES-PKCS1-V1_5-ENCRYPT ((n, e), M)

Input: (n, e) recipient's RSA public key

M message to be encrypted, an octet string of length at most k-11 octets, where k is the length in octets of the modulus n

Output: C ciphertext, an octet string of length k; or "message too long"

Steps:

1. Apply the EME-PKCS1-v1_5 encoding operation (Section 9.1.2.1) to the message M to produce an encoded message EM of length k-1 octets:

EM = EME-PKCS1-V1_5-ENCODE (M, k-1)

If the encoding operation outputs "message too long," then output "message too long" and stop.

2. Convert the encoded message EM to an integer message representative m: m = OS2IP (EM)

3. Apply the RSAEP encryption primitive (Section 5.1.1) to the public key (n, e) and the message representative m to produce an integer ciphertext representative c: c = RSAEP ((n, e), m)

4. Convert the ciphertext representative c to a ciphertext C of length k octets: C = I2OSP (c, k)

5. Output the ciphertext C.

7.2.2 Decryption operation

RSAES-PKCS1-V1_5-DECRYPT (K, C)

Input: K recipient's RSA private key

C ciphertext to be decrypted, an octet string of length k, where k is the length in octets of the modulus n

Output: M message, an octet string of length at most k-11; or "decryption error"

Steps:

1. If the length of the ciphertext C is not k octets, output "decryption error" and stop.

2. Convert the ciphertext C to an integer ciphertext representative c: c = OS2IP (C).

3. Apply the RSADP decryption primitive to the private key (n, d) and the ciphertext representative c to produce an integer message representative m: m = RSADP ((n, d), c).

If RSADP outputs "ciphertext out of range," then output "decryption error" and stop.

4. Convert the message representative m to an encoded message EM of length k-1 octets: EM = I2OSP (m, k-1)

If I2OSP outputs "integer too large," then output "decryption error" and stop.

5. Apply the EME-PKCS1-v1_5 decoding operation to the encoded message EM to recover a message M: M = EME-PKCS1-V1_5-DECODE (EM).

If the decoding operation outputs "decoding error," then output "decryption error" and stop.

6. Output the message M.

Note. It is important that only one type of error message is output by EME-PKCS1-v1_5, as ensured by steps 4 and 5. If this is not done, then an adversary may be able to use information extracted from the type of error message received to mount a chosen-ciphertext attack such as the one found in [4].

8. Signature schemes with appendix

A signature scheme with appendix consists of a signature generation operation and a signature verification operation, where the signature generation operation produces a signature from a message with a signer's private key, and the signature verification operation verifies the signature on the message with the signer's corresponding public key. To verify a signature constructed with this type of scheme it is necessary to have the message itself. In this way, signature schemes with appendix are distinguished from signature schemes with message recovery, which are not supported in this document.

A signature scheme with appendix can be employed in a variety of applications. For instance, X.509 [6] employs such a scheme to authenticate the content of a certificate; the signature scheme with appendix defined here would be a suitable signature algorithm in that context. A related signature scheme could be employed in PKCS #7 [21], although for technical reasons, the current version of PKCS #7 separates a hash function from a signature scheme, which is different than what is done here.

One signature scheme with appendix is specified in this document: RSASSA-PKCS1-v1_5.

The signature scheme with appendix given here follows a general model similar to that employed in IEEE P1363, by combining signature and verification primitives with an encoding method for signatures. The signature generation operations apply a message encoding operation to a message to produce an encoded message, which is then converted to an integer message representative. A signature primitive is then applied to the message representative to produce the signature. The signature verification operations apply a signature verification primitive to the signature to recover a message representative, which is then converted to an octet string. The message encoding operation is again applied to the message, and the result is compared to the recovered octet string. If there is a match, the signature is considered valid. (Note that this approach assumes that the signature and verification primitives have the message-recovery form and the encoding method is deterministic, as is the case for RSASP1/RSAVP1 and EMSA-PKCS1-v1_5. The signature generation and verification operations have a different form in P1363 for other primitives and encoding methods.)

Editor's note. RSA Laboratories is investigating the possibility of including a scheme based on the PSS encoding methods specified in [3], which would be recommended for new applications.

8.1 RSASSA-PKCS1-v1_5

RSASSA-PKCS1-v1_5 combines the RSASP1 and RSAVP1 primitives with the EMSA-PKCS1-v1_5 encoding method. It is compatible with the IFSSA scheme defined in the draft P1363 where the signature and verification primitives are IFSP-RSA1 and IFVP-RSA1 and the message encoding method is EMSA-PKCS1-v1_5 (which is not defined in P1363). The length of messages on which RSASSA-PKCS1-v1_5 can operate is either unrestricted or constrained by a very large number, depending on the hash function underlying the message encoding method.

Assuming that the hash function in EMSA-PKCS1-v1_5 has appropriate properties and the key size is sufficiently large, RSASSA-PKCS1-v1_5 provides secure signatures, meaning that it is computationally infeasible to generate a signature without knowing the private key, and computationally infeasible to find a message with a given signature or two messages with the same signature. Also, in the encoding method EMSA-PKCS1-v1_5, a hash function identifier is embedded in the encoding. Because of this feature, an adversary must invert or find collisions of the particular hash function being used; attacking a different hash function than the one selected by the signer is not useful to the adversary.

8.1.1 Signature generation operation

RSASSA-PKCS1-V1_5-SIGN (K, M)

Input: K signer's RSA private key

M message to be signed, an octet string

Output: S signature, an octet string of length k, where k is the length in octets of the modulus n; "message too long" or "modulus too short"

Steps:

1. Apply the EMSA-PKCS1-v1_5 encoding operation (Section 9.2.1) to the message M to produce an encoded message EM of length k-1 octets:

EM = EMSA-PKCS1-V1_5-ENCODE (M, k-1)

If the encoding operation outputs "message too long," then output "message too long" and stop. If the encoding operation outputs "intended encoded message length too short" then output "modulus too short".

2. Convert the encoded message EM to an integer message representative m: m = OS2IP (EM)

3. Apply the RSASP1 signature primitive (Section 5.2.1) to the private key K and the message representative m to produce an integer signature representative s: s = RSASP1 (K, m)

4. Convert the signature representative s to a signature S of length k octets: S = I2OSP (s, k)

5. Output the signature S.

8.1.2 Signature verification operation

RSASSA-PKCS1-V1_5-VERIFY ((n, e), M, S)

Input: (n, e) signer's RSA public key

M message whose signature is to be verified, an octet string

S signature to be verified, an octet string of length k, where k is the length in octets of the modulus n

Output: "valid signature," "invalid signature," or "message too long", or "modulus too short"

Steps:

1. If the length of the signature S is not k octets, output "invalid signature" and stop.

2. Convert the signature S to an integer signature representative s:

s = OS2IP (S)

3. Apply the RSAVP1 verification primitive (Section 5.2.2) to the public key (n, e) and the signature representative s to produce an integer message representative m:

m = RSAVP1 ((n, e), s)

If RSAVP1 outputs "invalid," then output "invalid signature" and stop.

4. Convert the message representative m to an encoded message EM of length k-1 octets: EM = I2OSP (m, k-1)

If I2OSP outputs "integer too large," then output "invalid signature" and stop.

5. Apply the EMSA-PKCS1-v1_5 encoding operation (Section 9.2.1) to the message M to produce a second encoded message EM' of length k-1 octets:

EM' = EMSA-PKCS1-V1_5-ENCODE (M, k-1)

If the encoding operation outputs "message too long," then output "message too long" and stop. If the encoding operation outputs "intended encoded message length too short" then output "modulus too short".

6. Compare the encoded message EM and the second encoded message EM'. If they are the same, output "valid signature"; otherwise, output "invalid signature."

9. Encoding methods

Encoding methods consist of operations that map between octet string messages and integer message representatives.

Two types of encoding method are considered in this document: encoding methods for encryption, encoding methods for signatures with appendix.

9.1 Encoding methods for encryption

An encoding method for encryption consists of an encoding operation and a decoding operation. An encoding operation maps a message M to a message representative EM of a specified length; the decoding operation maps a message representative EM back to a message. The encoding and decoding operations are inverses.

The message representative EM will typically have some structure that can be verified by the decoding operation; the decoding operation will output "decoding error" if the structure is not present. The encoding operation may also introduce some randomness, so that different applications of the encoding operation to the same message will produce different representatives.

Two encoding methods for encryption are employed in the encryption schemes and are specified here: EME-OAEP and EME-PKCS1-v1_5.

9.1.1 EME-OAEP

This encoding method is parameterized by the choice of hash function and mask generation function. Suggested hash and mask generation functions are given in Section 10. This encoding method is based on the method found in [2].

9.1.1.1 Encoding operation

EME-OAEP-ENCODE (M, P, emLen)

Options: Hash hash function (hLen denotes the length in octets of the hash function output)

MGF mask generation function

Input: M message to be encoded, an octet string of length at most emLen-1-2hLen

P encoding parameters, an octet string

emLen intended length in octets of the encoded message, at least 2hLen+1

Output: EM encoded message, an octet string of length emLen; "message too long" or "parameter string too long"

Steps:

1. If the length of P is greater than the input limitation for the hash function (2^61-1 octets for SHA-1) then output "parameter string too long" and stop.

2. If ||M|| > emLen-2hLen-1 then output "message too long" and stop.

3. Generate an octet string PS consisting of emLen-||M||-2hLen-1 zero octets. The length of PS may be 0.

4. Let pHash = Hash(P), an octet string of length hLen.

5. Concatenate pHash, PS, the message M, and other padding to form a data block DB as: DB = pHash || PS || 01 || M

6. Generate a random octet string seed of length hLen.

7. Let dbMask = MGF(seed, emLen-hLen).

8. Let maskedDB = DB \xor dbMask.

9. Let seedMask = MGF(maskedDB, hLen).

10. Let maskedSeed = seed \xor seedMask.

11. Let EM = maskedSeed || maskedDB.

12. Output EM.

9.1.1.2 Decoding operation

EME-OAEP-DECODE (EM, P)

Options: Hash hash function (hLen denotes the length in octets of the hash function output)

MGF mask generation function

Input:

EM encoded message, an octet string of length at least 2hLen+1

P encoding parameters, an octet string

Output: M recovered message, an octet string of length at most ||EM||-1-2hLen; or "decoding error"

Steps:

1. If the length of P is greater than the input limitation for the hash function (2^61-1 octets for SHA-1) then output "parameter string too long" and stop.

2. If ||EM|| < 2hLen+1, then output "decoding error" and stop.

3. Let maskedSeed be the first hLen octets of EM and let maskedDB be the remaining ||EM|| - hLen octets.

4. Let seedMask = MGF(maskedDB, hLen).

5. Let seed = maskedSeed \xor seedMask.

6. Let dbMask = MGF(seed, ||EM|| - hLen).

7. Let DB = maskedDB \xor dbMask.

8. Let pHash = Hash(P), an octet string of length hLen.

9. Separate DB into an octet string pHash' consisting of the first hLen octets of DB, a (possibly empty) octet string PS consisting of consecutive zero octets following pHash', and a message M as:

DB = pHash' || PS || 01 || M

If there is no 01 octet to separate PS from M, output "decoding error" and stop.

10. If pHash' does not equal pHash, output "decoding error" and stop.

11. Output M.

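The EME-OAEP encoding and decoding operations above, together with the RSAES-OAEP encryption and decryption operations of Section 7.1 and the MGF1 mask generation function of Section 10.2.1, carried through in working code. This is an added example, not code from RFC 2437 or from RSA Laboratories. It fixes Hash to SHA-1 and MGF to MGF1 with SHA-1, and the RSA key it uses is a constructed toy modulus built from two Mersenne primes so that the block needs no key-generation routine; such a modulus is trivially factorable and exists only so the example runs offline. The function and constant names (mgf1, eme_oaep_encode, rsaes_oaep_decrypt, decrypt_or_error, N_TOY and friends) are the example's own. The decryption operation shows the point of the note in Section 7.1.2: a wrong length, an out-of-range ciphertext, an I2OSP failure and a decoding failure all surface as the same single error.

```python
import hashlib
import os

# Toy RSA key, constructed for this example only: two Mersenne primes, so the
# block runs offline with no key-generation routine.  A modulus of this form
# is trivially factorable and must never be used as a real key.
P_TOY = 2**521 - 1
Q_TOY = 2**127 - 1
N_TOY = P_TOY * Q_TOY
E_TOY = 65537
D_TOY = pow(E_TOY, -1, (P_TOY - 1) * (Q_TOY - 1))
HLEN = hashlib.sha1().digest_size          # hLen = 20 octets for SHA-1


class DecryptionError(Exception):
    """The only error RSAES-OAEP-DECRYPT may report (Section 7.1.2, note)."""


def i2osp(x, length):
    return x.to_bytes(length, "big")       # OverflowError plays "integer too large"


def os2ip(octets):
    return int.from_bytes(octets, "big")


def mgf1(Z, l, hash_fn=hashlib.sha1):
    """MGF1 (Section 10.2.1): the leading l octets of
    Hash(Z || C_0) || Hash(Z || C_1) || ..., with C_i = I2OSP(i, 4)."""
    hlen = hash_fn().digest_size
    T = b"".join(hash_fn(Z + i2osp(counter, 4)).digest()
                 for counter in range((l + hlen - 1) // hlen))
    return T[:l]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def eme_oaep_encode(M, P, em_len, seed=None):
    """EME-OAEP-ENCODE (Section 9.1.1.1) with SHA-1 and MGF1.  A fixed seed is
    accepted only for reproducible tests; real encryption must draw a fresh
    random seed of hLen octets for every message."""
    if len(M) > em_len - 2 * HLEN - 1:
        raise ValueError("message too long")
    PS = b"\x00" * (em_len - len(M) - 2 * HLEN - 1)
    DB = hashlib.sha1(P).digest() + PS + b"\x01" + M   # pHash || PS || 01 || M
    if seed is None:
        seed = os.urandom(HLEN)
    masked_db = xor(DB, mgf1(seed, em_len - HLEN))
    masked_seed = xor(seed, mgf1(masked_db, HLEN))
    return masked_seed + masked_db


def eme_oaep_decode(EM, P):
    """EME-OAEP-DECODE (Section 9.1.1.2); every failure is one "decoding error"."""
    if len(EM) < 2 * HLEN + 1:
        raise ValueError("decoding error")
    masked_seed, masked_db = EM[:HLEN], EM[HLEN:]
    seed = xor(masked_seed, mgf1(masked_db, HLEN))
    DB = xor(masked_db, mgf1(seed, len(EM) - HLEN))
    p_hash_prime, rest = DB[:HLEN], DB[HLEN:]
    sep = 0                                # skip PS, the run of zero octets
    while sep < len(rest) and rest[sep] == 0:
        sep += 1
    if sep == len(rest) or rest[sep] != 0x01:          # no 01 separator
        raise ValueError("decoding error")
    if p_hash_prime != hashlib.sha1(P).digest():       # pHash' != pHash
        raise ValueError("decoding error")
    return rest[sep + 1:]


def rsaes_oaep_encrypt(pub, M, P=b"", seed=None):
    """RSAES-OAEP-ENCRYPT (Section 7.1.1)."""
    n, e = pub
    k = (n.bit_length() + 7) // 8
    EM = eme_oaep_encode(M, P, k - 1, seed)
    return i2osp(pow(os2ip(EM), e, n), k)  # RSAEP, then I2OSP to k octets


def rsaes_oaep_decrypt(priv, C, P=b""):
    """RSAES-OAEP-DECRYPT (Section 7.1.2).  Length, range, I2OSP and decoding
    failures all collapse into the same DecryptionError, as the note requires."""
    n, d = priv
    k = (n.bit_length() + 7) // 8
    try:
        c = os2ip(C)
        if len(C) != k or c >= n:          # step 1; RSADP "ciphertext out of range"
            raise ValueError
        EM = i2osp(pow(c, d, n), k - 1)    # RSADP, then I2OSP ("integer too large")
        return eme_oaep_decode(EM, P)
    except (ValueError, OverflowError):
        raise DecryptionError("decryption error") from None


def decrypt_or_error(priv, C, P=b""):
    """For the demonstration: the recovered message, or the single error string."""
    try:
        return rsaes_oaep_decrypt(priv, C, P)
    except DecryptionError as exc:
        return str(exc)
```

With the toy key, k is 81 octets, so emLen is 80 and the longest message is k-2-2hLen = 39 octets. Decrypting a ciphertext under the wrong P, a truncated ciphertext, or an all-zero ciphertext all return the same "decryption error" string from decrypt_or_error; only the caller's own code, never the error type, can tell them apart.
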

9.1.2 EME-PKCS1-v1_5

This encoding method is the same as in PKCS #1 v1.5, Section 8: Encryption Process.

9.1.2.1 Encoding operation

EME-PKCS1-V1_5-ENCODE (M, emLen)

Input: M message to be encoded, an octet string of length at most emLen-10

emLen intended length in octets of the encoded message

Output: EM encoded message, an octet string of length emLen; or "message too long"

Steps:

1. If the length of the message M is greater than emLen - 10 octets, output "message too long" and stop.

2. Generate an octet string PS of length emLen-||M||-2 consisting of pseudorandomly generated nonzero octets. The length of PS will be at least 8 octets.

3. Concatenate PS, the message M, and other padding to form the encoded message EM as:

EM = 02 || PS || 00 || M

4. Output EM.

9.1.2.2 Decoding operation

EME-PKCS1-V1_5-DECODE (EM)

Input: EM encoded message, an octet string of length at least 10

Output: M recovered message, an octet string of length at most ||EM||-10; or "decoding error"

Steps:

1. If the length of the encoded message EM is less than 10, output "decoding error" and stop.

2. Separate the encoded message EM into an octet string PS consisting of nonzero octets and a message M as: EM = 02 || PS || 00 || M.

If the first octet of EM is not 02, or if there is no 00 octet to separate PS from M, output "decoding error" and stop.

3. If the length of PS is less than 8 octets, output "decoding error" and stop.

4. Output M.

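The EME-PKCS1-v1_5 encoding and decoding operations above, wrapped in the RSAES-PKCS1-v1_5 encryption and decryption operations of Section 7.2, as an added example that is not code from RFC 2437 or from RSA Laboratories. The RSA key is the same constructed toy modulus (two Mersenne primes, trivially factorable, used only so the block runs offline), and the names (random_nonzero_octets, eme_pkcs1_v15_decode, decrypt_or_error, N_TOY and friends) are the example's own. It makes two of the section's recommendations concrete: the nonzero padding octets are drawn afresh for every encryption, so the same plaintext yields different ciphertexts, and the decoding checks of Section 9.1.2.2 (leading 02, 00 separator, PS of at least 8 octets) all report one and the same error, which the decryption operation then folds together with its length and range checks.

```python
import os

# Toy RSA key, constructed for this example only (two Mersenne primes, so no
# key generation is needed).  Trivially factorable; never use such a key.
P_TOY = 2**521 - 1
Q_TOY = 2**127 - 1
N_TOY = P_TOY * Q_TOY
E_TOY = 65537
D_TOY = pow(E_TOY, -1, (P_TOY - 1) * (Q_TOY - 1))


class DecryptionError(Exception):
    """The single error RSAES-PKCS1-V1_5-DECRYPT reports (Section 7.2.2, note)."""


def i2osp(x, length):
    return x.to_bytes(length, "big")       # OverflowError plays "integer too large"


def os2ip(octets):
    return int.from_bytes(octets, "big")


def random_nonzero_octets(count, rng=os.urandom):
    """Fresh pseudorandom nonzero octets, drawn anew for every encryption as the
    first recommendation in Section 7.2 asks.  `rng` is swappable only so the
    tests can be deterministic."""
    PS = b""
    while len(PS) < count:
        PS += bytes(b for b in rng(count - len(PS)) if b != 0)
    return PS


def eme_pkcs1_v15_encode(M, em_len, rng=os.urandom):
    """EME-PKCS1-V1_5-ENCODE (Section 9.1.2.1): EM = 02 || PS || 00 || M."""
    if len(M) > em_len - 10:
        raise ValueError("message too long")
    PS = random_nonzero_octets(em_len - len(M) - 2, rng)   # at least 8 octets
    return b"\x02" + PS + b"\x00" + M


def eme_pkcs1_v15_decode(EM):
    """EME-PKCS1-V1_5-DECODE (Section 9.1.2.2); one error for all three checks."""
    if len(EM) < 10 or EM[0] != 0x02:
        raise ValueError("decoding error")
    sep = EM.find(b"\x00", 1)              # first 00 after the leading 02
    if sep == -1 or sep - 1 < 8:           # no separator, or PS shorter than 8
        raise ValueError("decoding error")
    return EM[sep + 1:]


def rsaes_pkcs1_v15_encrypt(pub, M, rng=os.urandom):
    """RSAES-PKCS1-V1_5-ENCRYPT (Section 7.2.1)."""
    n, e = pub
    k = (n.bit_length() + 7) // 8
    EM = eme_pkcs1_v15_encode(M, k - 1, rng)
    return i2osp(pow(os2ip(EM), e, n), k)  # RSAEP, then I2OSP to k octets


def rsaes_pkcs1_v15_decrypt(priv, C):
    """RSAES-PKCS1-V1_5-DECRYPT (Section 7.2.2).  Every failure, whatever the
    step, surfaces as the same DecryptionError."""
    n, d = priv
    k = (n.bit_length() + 7) // 8
    try:
        c = os2ip(C)
        if len(C) != k or c >= n:          # step 1; RSADP "ciphertext out of range"
            raise ValueError
        EM = i2osp(pow(c, d, n), k - 1)    # RSADP, then I2OSP ("integer too large")
        return eme_pkcs1_v15_decode(EM)
    except (ValueError, OverflowError):
        raise DecryptionError("decryption error") from None


def decrypt_or_error(priv, C):
    """For the demonstration: the recovered message, or the single error string."""
    try:
        return rsaes_pkcs1_v15_decrypt(priv, C)
    except DecryptionError as exc:
        return str(exc)
```

With the toy key, k is 81 octets, so the longest message is k-11 = 70 octets. Encrypting the same 16-octet sample key twice gives two different ciphertexts because PS is regenerated each time; a tampered or truncated ciphertext comes back from decrypt_or_error as the one string "decryption error".
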

9.2 Encoding methods for signatures with appendix

An encoding method for signatures with appendix, for the purposes of this document, consists of an encoding operation. An encoding operation maps a message M to a message representative EM of a specified length. (In future versions of this document, encoding methods may be added that also include a decoding operation.)

One encoding method for signatures with appendix is employed in the signature scheme and is specified here: EMSA-PKCS1-v1_5.

9.2.1 EMSA-PKCS1-v1_5

This encoding method only has an encoding operation.

EMSA-PKCS1-v1_5-ENCODE (M, emLen)

Option: Hash hash function (hLen denotes the length in octets of the hash function output)

Input: M message to be encoded

emLen intended length in octets of the encoded message, at least ||T|| + 10, where T is the DER encoding of a certain value computed during the encoding operation

Output: EM encoded message, an octet string of length emLen; or "message too long" or "intended encoded message length too short"

Steps:

1. Apply the hash function to the message M to produce a hash value H:

H = Hash(M).

If the hash function outputs "message too long," then output "message too long".

2. Encode the algorithm ID for the hash function and the hash value into an ASN.1 value of type DigestInfo (see Section 11) with the Distinguished Encoding Rules (DER), where the type DigestInfo has the syntax

   DigestInfo::=SEQUENCE{
     digestAlgorithm  AlgorithmIdentifier,
     digest OCTET STRING }
        

The first field identifies the hash function and the second contains the hash value. Let T be the DER encoding.

3. If emLen is less than ||T|| + 10 then output "intended encoded message length too short".

4. Generate an octet string PS consisting of emLen-||T||-2 octets with value FF (hexadecimal). The length of PS will be at least 8 octets.

5. Concatenate PS, the DER encoding T, and other padding to form the encoded message EM as: EM = 01 || PS || 00 || T

6. Output EM.

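The EMSA-PKCS1-v1_5 encoding operation above, including the DER encoding of DigestInfo, wrapped in the RSASSA-PKCS1-v1_5 signature generation and verification operations of Section 8.1, as an added example that is not code from RFC 2437 or from RSA Laboratories. Hash is fixed to SHA-1, whose AlgorithmIdentifier is the OID 1.3.14.3.2.26 with NULL parameters. The RSA key is a constructed toy modulus (two Mersenne primes, trivially factorable, used only so the block runs offline), and the names (der_tlv, digest_info_sha1, rsassa_pkcs1_v15_verify, N_TOY and friends) are the example's own. The DER helper handles only short-form lengths, which suffices because a SHA-1 DigestInfo is 35 octets long.

```python
import hashlib
import hmac

# Toy RSA key, constructed for this example only (two Mersenne primes, so no
# key generation is needed).  Trivially factorable; never use such a key.
P_TOY = 2**521 - 1
Q_TOY = 2**127 - 1
N_TOY = P_TOY * Q_TOY
E_TOY = 65537
D_TOY = pow(E_TOY, -1, (P_TOY - 1) * (Q_TOY - 1))


def i2osp(x, length):
    return x.to_bytes(length, "big")       # OverflowError plays "integer too large"


def os2ip(octets):
    return int.from_bytes(octets, "big")


def der_tlv(tag, content):
    """Minimal DER tag-length-value with short-form length only; enough for a
    DigestInfo, which is far below 128 octets."""
    if len(content) >= 128:
        raise ValueError("long-form DER lengths are not needed here")
    return bytes([tag, len(content)]) + content


SHA1_OID_CONTENTS = bytes.fromhex("2b0e03021a")    # OID 1.3.14.3.2.26 (sha-1)


def digest_info_sha1(M):
    """Step 2 of EMSA-PKCS1-v1_5: T = DER(DigestInfo) for Hash = SHA-1.
    DigestInfo ::= SEQUENCE { AlgorithmIdentifier, OCTET STRING }."""
    H = hashlib.sha1(M).digest()
    alg_id = der_tlv(0x30, der_tlv(0x06, SHA1_OID_CONTENTS) + b"\x05\x00")  # sha-1, NULL
    return der_tlv(0x30, alg_id + der_tlv(0x04, H))


def emsa_pkcs1_v15_encode(M, em_len):
    """EMSA-PKCS1-v1_5-ENCODE (Section 9.2.1): EM = 01 || PS || 00 || T."""
    T = digest_info_sha1(M)
    if em_len < len(T) + 10:
        raise ValueError("intended encoded message length too short")
    PS = b"\xff" * (em_len - len(T) - 2)   # at least 8 octets of FF
    return b"\x01" + PS + b"\x00" + T


def rsassa_pkcs1_v15_sign(priv, M):
    """RSASSA-PKCS1-V1_5-SIGN (Section 8.1.1)."""
    n, d = priv
    k = (n.bit_length() + 7) // 8
    EM = emsa_pkcs1_v15_encode(M, k - 1)   # ValueError here means "modulus too short"
    return i2osp(pow(os2ip(EM), d, n), k)  # RSASP1, then I2OSP to k octets


def rsassa_pkcs1_v15_verify(pub, M, S):
    """RSASSA-PKCS1-V1_5-VERIFY (Section 8.1.2); returns the spec's output strings."""
    n, e = pub
    k = (n.bit_length() + 7) // 8
    if len(S) != k:                        # step 1
        return "invalid signature"
    s = os2ip(S)
    if s >= n:                             # RSAVP1 outputs "invalid"
        return "invalid signature"
    try:
        EM = i2osp(pow(s, e, n), k - 1)    # RSAVP1, then I2OSP to k-1 octets
    except OverflowError:
        return "invalid signature"
    try:
        EM_prime = emsa_pkcs1_v15_encode(M, k - 1)
    except ValueError:
        return "modulus too short"
    # Step 6: compare the whole encoded message, not just the trailing hash,
    # and do it in constant time.
    return "valid signature" if hmac.compare_digest(EM, EM_prime) else "invalid signature"
```

With the toy key, k is 81 octets and emLen is 80, so PS is 80-35-2 = 43 octets of FF. Changing one octet of the message, truncating the signature, or flipping one bit of it all make rsassa_pkcs1_v15_verify return "invalid signature".
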

10. Auxiliary Functions

This section specifies the hash functions and the mask generation functions that are mentioned in the encoding methods (Section 9).

10.1 Hash Functions

Hash functions are used in the operations contained in Sections 7, 8 and 9. Hash functions are deterministic, meaning that the output is completely determined by the input. Hash functions take octet strings of variable length, and generate fixed length octet strings. The hash functions used in the operations contained in Sections 7, 8 and 9 should be collision resistant. This means that it is infeasible to find two distinct inputs to the hash function that produce the same output. A collision resistant hash function also has the desirable property of being one-way; this means that given an output, it is infeasible to find an input whose hash is the specified output. The property of collision resistance is especially desirable for RSASSA-PKCS1-v1_5, as it makes it infeasible to forge signatures. In addition to the requirements, the hash function should yield a mask generation function (Section 10.2) with pseudorandom output.

Three hash functions are recommended for the encoding methods in this document: MD2 [15], MD5 [17], and SHA-1 [16]. For the EME-OAEP encoding method, only SHA-1 is recommended. For the EMSA-PKCS1-v1_5 encoding method, SHA-1 is recommended for new applications. MD2 and MD5 are recommended only for compatibility with existing applications based on PKCS #1 v1.5.

The hash functions themselves are not defined here; readers are referred to the appropriate references ([15], [17] and [16]).

Note. Version 1.5 of this document also allowed for the use of MD4 in signature schemes. The cryptanalysis of MD4 has progressed significantly in the intervening years. For example, Dobbertin [10] demonstrated how to find collisions for MD4 and that the first two rounds of MD4 are not one-way [11]. Because of these results and others (e.g. [9]), MD4 is no longer recommended. There have also been advances in the cryptanalysis of MD2 and MD5, although not enough to warrant removal from existing applications. Rogier and Chauvaud [19] demonstrated how to find collisions in a modified version of MD2. No one has demonstrated how to find collisions for the full MD5 algorithm, although partial results have been found (e.g. [8]). For new applications, to address these concerns, SHA-1 is preferred.

10.2 Mask Generation Functions

A mask generation function takes an octet string of variable length and a desired output length as input, and outputs an octet string of the desired length. There may be restrictions on the length of the input and output octet strings, but such bounds are generally very large. Mask generation functions are deterministic; the octet string output is completely determined by the input octet string. The output of a mask generation function should be pseudorandom, that is, if the seed to the function is unknown, it should be infeasible to distinguish the output from a truly random string. The plaintext-awareness of RSAES-OAEP relies on the random nature of the output of the mask generation function, which in turn relies on the random nature of the underlying hash.

One mask generation function is recommended for the encoding methods in this document, and is defined here: MGF1, which is based on a hash function. Future versions of this document may define other mask generation functions.

10.2.1 MGF1

MGF1 is a Mask Generation Function based on a hash function.

MGF1 (Z, l)

Options: Hash   hash function (hLen denotes the length in octets of the hash function output)

Input:   Z      seed from which mask is generated, an octet string
         l      intended length in octets of the mask, at most 2^32 (hLen)

Output:  mask   mask, an octet string of length l; or "mask too long"

Steps:

1. If l > 2^32 (hLen), output "mask too long" and stop.

2. Let T be the empty octet string.

3. For counter from 0 to \lceil l / hLen \rceil - 1, do the following:

   a. Convert counter to an octet string C of length 4 with the primitive I2OSP: C = I2OSP (counter, 4)

   b. Concatenate the hash of the seed Z and C to the octet string T: T = T || Hash (Z || C)

4. Output the leading l octets of T as the octet string mask.
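
The MGF1 steps above carried out in Python, as an added example that is not code from the RFC: Hash is SHA-1 as recommended in Section 10.1, I2OSP follows Section 4.1, and the function and parameter names (`mgf1`, `i2osp`, `hash_block`, `xor_with_mask`, `seed`, `mask_len`) are this example's own. The last function shows how such a mask is consumed in EME-OAEP (maskedDB = DB xor dbMask).

```python
import hashlib
import math


def i2osp(x: int, x_len: int) -> bytes:
    """I2OSP (Section 4.1): nonnegative integer x -> big-endian octet string of length x_len."""
    if x < 0 or x >= 256 ** x_len:
        raise ValueError("integer too large")
    return x.to_bytes(x_len, "big")


def hash_block(seed: bytes, counter: int, hash_name: str = "sha1") -> bytes:
    """One block of MGF1 output: Hash(Z || C) with C = I2OSP(counter, 4) (steps 3a and 3b)."""
    return hashlib.new(hash_name, seed + i2osp(counter, 4)).digest()


def mgf1(seed: bytes, mask_len: int, hash_name: str = "sha1") -> bytes:
    """MGF1 (Section 10.2.1) with Z = seed, l = mask_len and Hash = hash_name (SHA-1 by default)."""
    h_len = hashlib.new(hash_name).digest_size  # hLen
    # Step 1: the 4-octet counter allows at most 2^32 hash blocks, so l must be <= 2^32 * hLen.
    if mask_len > (1 << 32) * h_len:
        raise ValueError("mask too long")
    # Step 2: T starts as the empty octet string.
    t = b""
    # Step 3: counter runs from 0 to ceil(l / hLen) - 1; each round appends Hash(Z || C) to T.
    for counter in range(math.ceil(mask_len / h_len)):
        t += hash_block(seed, counter, hash_name)
    # Step 4: the leading l octets of T are the mask.
    return t[:mask_len]


def xor_with_mask(data: bytes, seed: bytes, hash_name: str = "sha1") -> bytes:
    """Mask an octet string the way EME-OAEP uses MGF output (maskedDB = DB xor MGF(seed, len(DB))).
    Because MGF1 is deterministic, applying this twice with the same seed recovers data."""
    mask = mgf1(seed, len(data), hash_name)
    return bytes(a ^ b for a, b in zip(data, mask))


if __name__ == "__main__":
    # Constructed sample inputs, not values from the RFC.
    sample_seed = b"constructed example seed"
    print(mgf1(sample_seed, 45).hex())
    masked = xor_with_mask(b"constructed data block", sample_seed)
    print(xor_with_mask(masked, sample_seed))
```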

11. ASN.1 syntax
11.1 Key representation

This section defines ASN.1 object identifiers for RSA public and private keys, and defines the types RSAPublicKey and RSAPrivateKey. The intended application of these definitions includes X.509 certificates, PKCS #8 [22], and PKCS #12 [23].

The object identifier rsaEncryption identifies RSA public and private keys as defined in Sections 11.1.1 and 11.1.2. The parameters field associated with this OID in an AlgorithmIdentifier shall have type NULL.

   rsaEncryption OBJECT IDENTIFIER ::= {pkcs-1 1}
        

All of the definitions in this section are the same as in PKCS #1 v1.5.

11.1.1 Public-key syntax

An RSA public key should be represented with the ASN.1 type RSAPublicKey:

   RSAPublicKey ::= SEQUENCE {
     modulus INTEGER, -- n
     publicExponent INTEGER -- e }
        

(This type is specified in X.509 and is retained here for compatibility.)

The fields of type RSAPublicKey have the following meanings:

- modulus is the modulus n.

- publicExponent is the public exponent e.

11.1.2 Private-key syntax

An RSA private key should be represented with ASN.1 type RSAPrivateKey:

   RSAPrivateKey ::= SEQUENCE {
     version Version,
     modulus INTEGER, -- n
     publicExponent INTEGER, -- e
     privateExponent INTEGER, -- d
     prime1 INTEGER, -- p
     prime2 INTEGER, -- q
     exponent1 INTEGER, -- d mod (p-1)
     exponent2 INTEGER, -- d mod (q-1)
     coefficient INTEGER -- (inverse of q) mod p }
        
   Version ::= INTEGER
        

The fields of type RSAPrivateKey have the following meanings:

- version is the version number, for compatibility with future revisions of this document. It shall be 0 for this version of the document.

- modulus is the modulus n.

- publicExponent is the public exponent e.

- privateExponent is the private exponent d.

- prime1 is the prime factor p of n.

- prime2 is the prime factor q of n.

- exponent1 is d mod (p-1).

- exponent2 is d mod (q-1).

- coefficient is the Chinese Remainder Theorem coefficient q^(-1) mod p.
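
To make the RSAPublicKey and RSAPrivateKey types of Sections 11.1.1 and 11.1.2 concrete, here is an added Python example (not code from the RFC) that DER-encodes and decodes both types and checks that the nine private-key fields satisfy the relations stated above (n = pq, exponent1 = d mod (p-1), exponent2 = d mod (q-1), coefficient = q^(-1) mod p) together with e·d ≡ 1 modulo p-1 and q-1. The key values are a constructed toy key, far too small for real use, and the function names are this example's own.

```python
def der_length(n: int) -> bytes:
    """DER length octets: short form below 128, otherwise 0x80|count followed by the big-endian length."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_integer(x: int) -> bytes:
    """DER INTEGER for a nonnegative value: minimal big-endian two's complement,
    so a value whose top bit is set gets a leading 0x00 octet."""
    if x < 0:
        raise ValueError("RSA key fields are nonnegative integers")
    body = x.to_bytes((x.bit_length() + 8) // 8, "big")
    return b"\x02" + der_length(len(body)) + body


def der_sequence(*elements: bytes) -> bytes:
    body = b"".join(elements)
    return b"\x30" + der_length(len(body)) + body


def encode_rsa_public_key(n: int, e: int) -> bytes:
    """RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }"""
    return der_sequence(der_integer(n), der_integer(e))


def encode_rsa_private_key(n: int, e: int, d: int, p: int, q: int) -> bytes:
    """RSAPrivateKey (Section 11.1.2) with version 0; the CRT fields are derived from d, p and q."""
    return der_sequence(
        der_integer(0),                                   # version
        der_integer(n), der_integer(e), der_integer(d),   # modulus, publicExponent, privateExponent
        der_integer(p), der_integer(q),                   # prime1, prime2
        der_integer(d % (p - 1)),                         # exponent1 = d mod (p-1)
        der_integer(d % (q - 1)),                         # exponent2 = d mod (q-1)
        der_integer(pow(q, -1, p)),                       # coefficient = q^-1 mod p
    )


def _read_tlv(buf: bytes, pos: int):
    """Read one DER tag-length-value starting at pos; returns (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length


def decode_rsa_key(der: bytes) -> list:
    """Return the INTEGER fields of an RSAPublicKey (2 fields) or RSAPrivateKey (9 fields)."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected exactly one SEQUENCE")
    fields, pos = [], 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        if tag != 0x02 or not value or value[0] & 0x80:
            raise ValueError("expected a nonnegative INTEGER")
        fields.append(int.from_bytes(value, "big"))
    if len(fields) not in (2, 9):
        raise ValueError("not an RSAPublicKey or RSAPrivateKey")
    return fields


def private_key_is_consistent(fields: list) -> bool:
    """Check the relations the RSAPrivateKey fields must satisfy (Sections 3.2 and 11.1.2)."""
    if len(fields) != 9:
        return False
    version, n, e, d, p, q, exponent1, exponent2, coefficient = fields
    return (version == 0
            and n == p * q
            and (e * d - 1) % (p - 1) == 0 and (e * d - 1) % (q - 1) == 0
            and exponent1 == d % (p - 1)
            and exponent2 == d % (q - 1)
            and (coefficient * q) % p == 1)


if __name__ == "__main__":
    # Constructed toy key (p = 61, q = 53, e = 17, d = 2753); never use parameters this small.
    der = encode_rsa_private_key(3233, 17, 2753, 61, 53)
    print(der.hex(), private_key_is_consistent(decode_rsa_key(der)))
```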

11.2 Scheme identification

This section defines object identifiers for the encryption and signature schemes. The schemes compatible with PKCS #1 v1.5 have the same definitions as in PKCS #1 v1.5. The intended application of these definitions includes X.509 certificates and PKCS #7.

11.2.1 Syntax for RSAES-OAEP

The object identifier id-RSAES-OAEP identifies the RSAES-OAEP encryption scheme.

   id-RSAES-OAEP OBJECT IDENTIFIER ::= {pkcs-1 7}
        

The parameters field associated with this OID in an AlgorithmIdentifier shall have type RSAES-OAEP-params:

   RSAES-OAEP-params ::=  SEQUENCE {
     hashFunc [0] AlgorithmIdentifier {{oaepDigestAlgorithms}}
       DEFAULT sha1Identifier,
     maskGenFunc [1] AlgorithmIdentifier {{pkcs1MGFAlgorithms}}
       DEFAULT mgf1SHA1Identifier,
     pSourceFunc [2] AlgorithmIdentifier
       {{pkcs1pSourceAlgorithms}}
       DEFAULT pSpecifiedEmptyIdentifier }
        

The fields of type RSAES-OAEP-params have the following meanings:

- hashFunc identifies the hash function. It shall be an algorithm ID with an OID in the set oaepDigestAlgorithms, which for this version shall consist of id-sha1, identifying the SHA-1 hash function. The parameters field for id-sha1 shall have type NULL.

   oaepDigestAlgorithms ALGORITHM-IDENTIFIER ::= {
     {NULL IDENTIFIED BY id-sha1} }
        
   id-sha1 OBJECT IDENTIFIER ::=
     {iso(1) identified-organization(3) oiw(14) secsig(3)
       algorithms(2) 26}
        
   The default hash function is SHA-1:
   sha1Identifier ::= AlgorithmIdentifier {id-sha1, NULL}
        

- maskGenFunc identifies the mask generation function. It shall be an algorithm ID with an OID in the set pkcs1MGFAlgorithms, which for this version shall consist of id-mgf1, identifying the MGF1 mask generation function (see Section 10.2.1). The parameters field for id-mgf1 shall have type AlgorithmIdentifier, identifying the hash function on which MGF1 is based, where the OID for the hash function shall be in the set oaepDigestAlgorithms.

   pkcs1MGFAlgorithms ALGORITHM-IDENTIFIER ::= {
     {AlgorithmIdentifier {{oaepDigestAlgorithms}} IDENTIFIED
       BY id-mgf1} }
        
   id-mgf1 OBJECT IDENTIFIER ::= {pkcs-1 8}
        

The default mask generation function is MGF1 with SHA-1:

   mgf1SHA1Identifier ::= AlgorithmIdentifier {
     id-mgf1, sha1Identifier }
        

- pSourceFunc identifies the source (and possibly the value) of the encoding parameters P. It shall be an algorithm ID with an OID in the set pkcs1pSourceAlgorithms, which for this version shall consist of id-pSpecified, indicating that the encoding parameters are specified explicitly. The parameters field for id-pSpecified shall have type OCTET STRING, containing the encoding parameters.

   pkcs1pSourceAlgorithms ALGORITHM-IDENTIFIER ::= {
     {OCTET STRING IDENTIFIED BY id-pSpecified} }
        
   id-pSpecified OBJECT IDENTIFIER ::= {pkcs-1 9}
        

The default encoding parameters value is the empty string (so that pHash in EME-OAEP will contain the hash of the empty string):

   pSpecifiedEmptyIdentifier ::= AlgorithmIdentifier {
     id-pSpecified, OCTET STRING SIZE (0) }
        

If all of the default values of the fields in RSAES-OAEP-params are used, then the algorithm identifier will have the following value:

   RSAES-OAEP-Default-Identifier ::= AlgorithmIdentifier {
     id-RSAES-OAEP,
     {sha1Identifier,
      mgf1SHA1Identifier,
      pSpecifiedEmptyIdentifier } }
        
11.2.2 Syntax for RSAES-PKCS1-v1_5

The object identifier rsaEncryption (Section 11.1) identifies the RSAES-PKCS1-v1_5 encryption scheme. The parameters field associated with this OID in an AlgorithmIdentifier shall have type NULL. This is the same as in PKCS #1 v1.5.

   rsaEncryption OBJECT IDENTIFIER ::= {pkcs-1 1}
        
11.2.3 Syntax for RSASSA-PKCS1-v1_5

The object identifier for RSASSA-PKCS1-v1_5 shall be one of the following. The choice of OID depends on the choice of hash algorithm: MD2, MD5 or SHA-1. Note that if either MD2 or MD5 is used then the OID is just as in PKCS #1 v1.5. For each OID, the parameters field associated with this OID in an AlgorithmIdentifier shall have type NULL.

If the hash function to be used is MD2, then the OID should be:

   md2WithRSAEncryption OBJECT IDENTIFIER ::= {pkcs-1 2}
        

If the hash function to be used is MD5, then the OID should be:

   md5WithRSAEncryption OBJECT IDENTIFIER ::= {pkcs-1 4}
        

If the hash function to be used is SHA-1, then the OID should be:

   sha1WithRSAEncryption OBJECT IDENTIFIER ::= {pkcs-1 5}
        

In the DigestInfo type mentioned in Section 9.2.1 the OIDs for the digest algorithm are the following:

   id-SHA1 OBJECT IDENTIFIER ::=
           {iso(1) identified-organization(3) oiw(14) secsig(3)
            algorithms(2) 26 }
        
   md2 OBJECT IDENTIFIER ::=
           {iso(1) member-body(2) US(840) rsadsi(113549)
            digestAlgorithm(2) 2}
        
   md5 OBJECT IDENTIFIER ::=
           {iso(1) member-body(2) US(840) rsadsi(113549)
            digestAlgorithm(2) 5}
        

The parameters field of the digest algorithm has ASN.1 type NULL for these OIDs.

12. Patent statement

The Internet Standards Process as defined in RFC 1310 requires a written statement from the Patent holder that a license will be made available to applicants under reasonable terms and conditions prior to approving a specification as a Proposed, Draft or Internet Standard.

The Internet Society, Internet Architecture Board, Internet Engineering Steering Group and the Corporation for National Research Initiatives take no position on the validity or scope of the following patents and patent applications, nor on the appropriateness of the terms of the assurance. The Internet Society and other groups mentioned above have not made any determination as to any other intellectual property rights which may apply to the practice of this standard. Any further consideration of these matters is the user's responsibility.

12.1 Patent statement for the RSA algorithm

The Massachusetts Institute of Technology has granted RSA Data Security, Inc., exclusive sub-licensing rights to the following patent issued in the United States:

Cryptographic Communications System and Method ("RSA"), No. 4,405,829

RSA Data Security, Inc. has provided the following statement with regard to this patent:

It is RSA's business practice to make licenses to its patents available on reasonable and nondiscriminatory terms. Accordingly, RSA is willing, upon request, to grant non-exclusive licenses to such patent on reasonable and non-discriminatory terms and conditions to those who respect RSA's intellectual property rights and subject to RSA's then current royalty rate for the patent licensed. The royalty rate for the RSA patent is presently set at 2% of the licensee's selling price for each product covered by the patent. Any requests for license information may be directed to:

Director of Licensing
RSA Data Security, Inc.
2955 Campus Drive Suite 400
San Mateo, CA 94403

A license under RSA's patent(s) does not include any rights to know-how or other technical information or license under other intellectual property rights. Such license does not extend to any activities which constitute infringement or inducement thereto. A licensee must make his own determination as to whether a license is necessary under patents of others.

13. Revision history

Versions 1.0-1.3

Versions 1.0-1.3 were distributed to participants in RSA Data Security, Inc.'s Public-Key Cryptography Standards meetings in February and March 1991.

Version 1.4

Version 1.4 was part of the June 3, 1991 initial public release of PKCS. Version 1.4 was published as NIST/OSI Implementors' Workshop document SEC-SIG-91-18.

Version 1.5

Version 1.5 incorporates several editorial changes, including updates to the references and the addition of a revision history. The following substantive changes were made:

- Section 10: "MD4 with RSA" signature and verification processes were added.

- Section 11: md4WithRSAEncryption object identifier was added.

Version 2.0 [DRAFT]

Version 2.0 incorporates major editorial changes in terms of the document structure, and introduces the RSAES-OAEP encryption scheme. This version continues to support the encryption and signature processes in version 1.5, although the hash algorithm MD4 is no longer allowed due to cryptanalytic advances in the intervening years.

14. References

[1] ANSI. ANSI X9.44: Key Management Using Reversible Public Key Cryptography for the Financial Services Industry. Work in Progress.

[2] M. Bellare and P. Rogaway. Optimal Asymmetric Encryption - How to Encrypt with RSA. In Advances in Cryptology-Eurocrypt '94, pp. 92-111, Springer-Verlag, 1994.

[3] M. Bellare and P. Rogaway. The Exact Security of Digital Signatures - How to Sign with RSA and Rabin. In Advances in Cryptology-Eurocrypt '96, pp. 399-416, Springer-Verlag, 1996.

[4] D. Bleichenbacher. Chosen Ciphertext Attacks against Protocols Based on the RSA Encryption Standard PKCS #1. To appear in Advances in Cryptology-Crypto '98.

[5] D. Bleichenbacher, B. Kaliski and J. Staddon. Recent Results on PKCS #1: RSA Encryption Standard. RSA Laboratories' Bulletin, Number 7, June 24, 1998.

[6] CCITT. Recommendation X.509: The Directory-Authentication Framework. 1988.

[7] D. Coppersmith, M. Franklin, J. Patarin and M. Reiter. Low-Exponent RSA with Related Messages. In Advances in Cryptology-Eurocrypt '96, pp. 1-9, Springer-Verlag, 1996.

[8] B. den Boer and A. Bosselaers. Collisions for the Compression Function of MD5. In Advances in Cryptology-Eurocrypt '93, pp. 293-304, Springer-Verlag, 1994.

[9] B. den Boer and A. Bosselaers. An Attack on the Last Two Rounds of MD4. In Advances in Cryptology-Crypto '91, pp. 194-203, Springer-Verlag, 1992.

[10] H. Dobbertin. Cryptanalysis of MD4. Fast Software Encryption. Lecture Notes in Computer Science, Springer-Verlag 1996, pp. 55-72.

[11] H. Dobbertin. Cryptanalysis of MD5 Compress. Presented at the rump session of Eurocrypt '96, May 14, 1996.

[12] H. Dobbertin. The First Two Rounds of MD4 are Not One-Way. Fast Software Encryption. Lecture Notes in Computer Science, Springer-Verlag 1998, pp. 284-292.

[13] J. Hastad. Solving Simultaneous Modular Equations of Low Degree. SIAM Journal of Computing, 17, 1988, pp. 336-341.

[14] IEEE. IEEE P1363: Standard Specifications for Public Key Cryptography. Draft Version 4.

[15] Kaliski, B., "The MD2 Message-Digest Algorithm", RFC 1319, April 1992.

[16] National Institute of Standards and Technology (NIST). FIPS Publication 180-1: Secure Hash Standard. April 1994.

[17] Rivest, R., "The MD5 Message-Digest Algorithm", RFC 1321, April 1992.

[18] R. Rivest, A. Shamir and L. Adleman. A Method for Obtaining Digital Signatures and Public-Key Cryptosystems. Communications of the ACM, 21(2), pp. 120-126, February 1978.

[19] N. Rogier and P. Chauvaud. The Compression Function of MD2 is not Collision Free. Presented at Selected Areas of Cryptography '95. Carleton University, Ottawa, Canada. May 18-19, 1995.

[20] RSA Laboratories. PKCS #1: RSA Encryption Standard. Version 1.5, November 1993.

[21] RSA Laboratories. PKCS #7: Cryptographic Message Syntax Standard. Version 1.5, November 1993.

[22] RSA Laboratories. PKCS #8: Private-Key Information Syntax Standard. Version 1.2, November 1993.

[23] RSA Laboratories. PKCS #12: Personal Information Exchange Syntax Standard. Version 1.0, Work in Progress, April 1997.

Security Considerations

Security issues are discussed throughout this memo.

Acknowledgements

This document is based on a contribution of RSA Laboratories, a division of RSA Data Security, Inc. Any substantial use of the text from this document must acknowledge RSA Data Security, Inc. RSA Data Security, Inc. requests that all material mentioning or referencing this document identify this as "RSA Data Security, Inc. PKCS #1 v2.0".

Authors' Addresses

Burt Kaliski
RSA Laboratories East
20 Crosby Drive
Bedford, MA 01730

Phone: (617) 687-7000
EMail: burt@rsa.com

Jessica Staddon
RSA Laboratories West
2955 Campus Drive Suite 400
San Mateo, CA 94403

Phone: (650) 295-7600
EMail: jstaddon@rsa.com

Full Copyright Statement

Copyright (C) The Internet Society (1998). All Rights Reserved.

This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English.

The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assigns.

This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
