Network Working Group J. Schaad Request for Comments: 4055 Soaring Hawk Consulting Updates: 3279 B. Kaliski Category: Standards Track RSA Laboratories R. Housley Vigil Security June 2005
Additional Algorithms and Identifiers for RSA Cryptography for use in the Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile
Status of This Memo
This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (2005).
Abstract
This document supplements RFC 3279. It describes the conventions for using the RSA Probabilistic Signature Scheme (RSASSA-PSS) signature algorithm, the RSA Encryption Scheme - Optimal Asymmetric Encryption Padding (RSAES-OAEP) key transport algorithm and additional one-way hash functions with the Public-Key Cryptography Standards (PKCS) #1 version 1.5 signature algorithm in the Internet X.509 Public Key Infrastructure (PKI). Encoding formats, algorithm identifiers, and parameter formats are specified.
Table of Contents
   1. Introduction
      1.1. Terminology
      1.2. RSA Public Keys
   2. Common Functions
      2.1. One-way Hash Functions
      2.2. Mask Generation Functions
   3. RSASSA-PSS Signature Algorithm
      3.1. RSASSA-PSS Public Keys
      3.2. RSASSA-PSS Signature Values
      3.3. RSASSA-PSS Signature Parameter Validation
   4. RSAES-OAEP Key Transport Algorithm
      4.1. RSAES-OAEP Public Keys
   5. PKCS #1 Version 1.5 Signature Algorithm
   6. ASN.1 Module
   7. References
      7.1. Normative References
      7.2. Informative References
   8. Security Considerations
   9. IANA Considerations
1. Introduction

This document supplements RFC 3279 [PKALGS]. This document describes the conventions for using the RSASSA-PSS signature algorithm and the RSAES-OAEP key transport algorithm in the Internet X.509 Public Key Infrastructure (PKI) [PROFILE]. Both of these RSA-based algorithms are specified in [P1v2.1]. The algorithm identifiers and associated parameters for subject public keys that employ either of these algorithms, and the encoding format for RSASSA-PSS signatures are specified. Also, the algorithm identifiers for using the SHA-224, SHA-256, SHA-384, and SHA-512 one-way hash functions with the PKCS #1 version 1.5 signature algorithm [P1v1.5] are specified.
This specification supplements RFC 3280 [PROFILE] which profiles the X.509 Certificates and Certificate Revocation Lists (CRLs) for use in the Internet. This specification extends the list of algorithms discussed in RFC 3279 [PKALGS]. The X.509 Certificate and CRL definitions use ASN.1 [X.208-88], the Basic Encoding Rules (BER) [X.209-88], and the Distinguished Encoding Rules (DER) [X.509-88].
This specification defines the contents of the signatureAlgorithm, signatureValue, signature, and subjectPublicKeyInfo fields within Internet X.509 Certificates and CRLs. For each algorithm, the appropriate alternatives for the keyUsage certificate extension are provided.
1.1. Terminology

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [STDWORDS].
1.2. RSA Public Keys

RFC 3280 [PROFILE] specifies the profile for using X.509 Certificates in Internet applications. When an RSA public key is used for RSASSA-PSS digital signatures or RSAES-OAEP key transport, the conventions specified in this section augment RFC 3280.
Traditionally, the rsaEncryption object identifier is used to identify RSA public keys. However, to implement all of the recommendations described in Security Considerations (Section 8), the certificate user needs to be able to determine the form of digital signature or key transport that the RSA private key owner associates with the public key.
The rsaEncryption object identifier continues to identify the subject public key when the RSA private key owner does not wish to limit the use of the public key exclusively to either RSASSA-PSS or RSAES-OAEP. In this case, the rsaEncryption object identifier MUST be used in the algorithm field within the subject public key information, and the parameters field MUST contain NULL.
rsaEncryption OBJECT IDENTIFIER ::= { pkcs-1 1 }
Further discussion of the conventions associated with use of the rsaEncryption object identifier can be found in RFC 3279 (see [PKALGS], Section 2.3.1).
When the RSA private key owner wishes to limit the use of the public key exclusively to RSASSA-PSS, then the id-RSASSA-PSS object identifier MUST be used in the algorithm field within the subject public key information, and, if present, the parameters field MUST contain RSASSA-PSS-params. The id-RSASSA-PSS object identifier value and the RSASSA-PSS-params syntax are fully described in Section 3.
When the RSA private key owner wishes to limit the use of the public key exclusively to RSAES-OAEP, then the id-RSAES-OAEP object identifier MUST be used in the algorithm field within the subject public key information, and, if present, the parameters field MUST contain RSAES-OAEP-params. The id-RSAES-OAEP object identifier value and the RSAES-OAEP-params syntax are fully described in Section 4.
Note: It is not possible to restrict the use of a key to a set of algorithms (i.e., RSASSA-PSS and RSAES-OAEP).
Regardless of the object identifier used, the RSA public key is encoded in the same manner in the subject public key information. The RSA public key MUST be encoded using the RSAPublicKey type:
      RSAPublicKey ::= SEQUENCE {
         modulus            INTEGER,    -- n
         publicExponent     INTEGER }   -- e
Here, the modulus is the modulus n, and publicExponent is the public exponent e. The DER encoded RSAPublicKey is carried in the subjectPublicKey BIT STRING within the subject public key information.
The intended application for the key MAY be indicated in the keyUsage certificate extension (see [PROFILE], Section 4.2.1.3).
If the keyUsage extension is present in an end-entity certificate that conveys an RSA public key with the id-RSASSA-PSS object identifier, then the keyUsage extension MUST contain one or both of the following values:
nonRepudiation; and digitalSignature.
If the keyUsage extension is present in a certification authority certificate that conveys an RSA public key with the id-RSASSA-PSS object identifier, then the keyUsage extension MUST contain one or more of the following values:
nonRepudiation; digitalSignature; keyCertSign; and cRLSign.
When a certificate conveys an RSA public key with the id-RSASSA-PSS object identifier, the certificate user MUST only use the certified RSA public key for RSASSA-PSS operations, and, if RSASSA-PSS-params is present, the certificate user MUST perform those operations using the one-way hash function, mask generation function, and trailer field identified in the subject public key algorithm identifier parameters within the certificate.
If the keyUsage extension is present in a certificate that conveys an RSA public key with the id-RSAES-OAEP object identifier, then the keyUsage extension MUST contain only the following values:
keyEncipherment; and dataEncipherment.
However, both keyEncipherment and dataEncipherment SHOULD NOT be present.
When a certificate conveys an RSA public key with the id-RSAES-OAEP object identifier, the certificate user MUST only use the certified RSA public key for RSAES-OAEP operations, and, if RSAES-OAEP-params is present, the certificate user MUST perform those operations using the one-way hash function and mask generation function identified in the subject public key algorithm identifier parameters within the certificate.
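The keyUsage rules of Section 1.2 reduce to a small policy check, shown here as an added example that is not part of RFC 4055. The inputs are plain Python values (the subjectPublicKeyInfo algorithm as a dotted OID string, keyUsage as the set of bit names that are set, or None when the extension is absent); pulling them out of a real certificate is left to an X.509 parser. The "warning" for extra bits on an id-RSASSA-PSS key is an editorial inference from the "MUST only use ... for RSASSA-PSS operations" rule, not a literal MUST NOT in the text, and the at-least-one-bit rule for id-RSAES-OAEP comes from RFC 3280 Section 4.2.1.3.

```python
# Added example, not from RFC 4055: conformance check for the keyUsage rules of
# Section 1.2 applied to a certificate's subjectPublicKeyInfo algorithm OID.
RSA_ENCRYPTION = "1.2.840.113549.1.1.1"    # rsaEncryption: no usage restriction
ID_RSAES_OAEP = "1.2.840.113549.1.1.7"     # { pkcs-1 7 }
ID_RSASSA_PSS = "1.2.840.113549.1.1.10"    # { pkcs-1 10 }

EE_PSS_BITS = {"nonRepudiation", "digitalSignature"}
CA_PSS_BITS = EE_PSS_BITS | {"keyCertSign", "cRLSign"}
OAEP_BITS = {"keyEncipherment", "dataEncipherment"}


def check_key_usage(spki_alg_oid, key_usage, is_ca):
    """Return a list of findings; an empty list means the certificate conforms.
    'error' entries violate a MUST, 'warning' entries violate a SHOULD NOT."""
    findings = []
    if key_usage is None:            # keyUsage is OPTIONAL; the rules apply only when present
        return findings
    ku = set(key_usage)
    if spki_alg_oid == ID_RSASSA_PSS:
        allowed = CA_PSS_BITS if is_ca else EE_PSS_BITS
        if not ku & allowed:
            findings.append("error: id-RSASSA-PSS key must assert one of "
                            + ", ".join(sorted(allowed)))
        if ku - allowed:
            # Editorial inference: the key MUST only be used for RSASSA-PSS, so
            # encipherment/agreement bits can never be honoured (not a literal MUST NOT).
            findings.append("warning: bits unusable with an RSASSA-PSS-only key: "
                            + ", ".join(sorted(ku - allowed)))
    elif spki_alg_oid == ID_RSAES_OAEP:
        if ku - OAEP_BITS:
            findings.append("error: id-RSAES-OAEP key may only assert keyEncipherment/"
                            "dataEncipherment, got " + ", ".join(sorted(ku - OAEP_BITS)))
        if OAEP_BITS <= ku:
            findings.append("warning: keyEncipherment and dataEncipherment SHOULD NOT both be set")
        if not ku & OAEP_BITS:
            # RFC 3280 4.2.1.3: a present keyUsage has at least one bit set
            findings.append("error: keyUsage is present but no permitted bit is set")
    return findings
```

A certificate linter would run this once per certificate in a chain, passing is_ca from the basicConstraints cA flag; rsaEncryption keys fall through with no findings because Section 1.2 imposes no restriction on them.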
2. Common Functions

The RSASSA-PSS signature and the RSAES-OAEP key transport algorithms make use of one-way hash functions and mask generation functions.
2.1. One-way Hash Functions

PKCS #1 version 2.1 [P1v2.1] supports four one-way hash functions for use with the RSASSA-PSS signature algorithm and the RSAES-OAEP key transport algorithm: SHA-1, SHA-256, SHA-384, and SHA-512 [SHA2]. This document adds support for SHA-224 [SHA-224] with both the RSASSA-PSS and the RSAES-OAEP algorithms. While support for additional one-way hash functions could be added in the future, no other one-way hash functions are supported by this specification.
These one-way hash functions are identified by the following object identifiers:
      id-sha1  OBJECT IDENTIFIER  ::=  { iso(1) identified-organization(3)
                                         oiw(14) secsig(3) algorithms(2) 26 }

      id-sha224  OBJECT IDENTIFIER  ::=  { joint-iso-itu-t(2) country(16)
                                           us(840) organization(1) gov(101)
                                           csor(3) nistalgorithm(4)
                                           hashalgs(2) 4 }

      id-sha256  OBJECT IDENTIFIER  ::=  { joint-iso-itu-t(2) country(16)
                                           us(840) organization(1) gov(101)
                                           csor(3) nistalgorithm(4)
                                           hashalgs(2) 1 }

      id-sha384  OBJECT IDENTIFIER  ::=  { joint-iso-itu-t(2) country(16)
                                           us(840) organization(1) gov(101)
                                           csor(3) nistalgorithm(4)
                                           hashalgs(2) 2 }

      id-sha512  OBJECT IDENTIFIER  ::=  { joint-iso-itu-t(2) country(16)
                                           us(840) organization(1) gov(101)
                                           csor(3) nistalgorithm(4)
                                           hashalgs(2) 3 }
There are two possible encodings for the AlgorithmIdentifier parameters field associated with these object identifiers. The two alternatives arise from the loss of the OPTIONAL associated with the algorithm identifier parameters when the 1988 syntax for AlgorithmIdentifier was translated into the 1997 syntax. Later the OPTIONAL was recovered via a defect report, but by then many people thought that algorithm parameters were mandatory. Because of this history some implementations encode parameters as a NULL element while others omit them entirely. The correct encoding is to omit the parameters field; however, when RSASSA-PSS and RSAES-OAEP were defined, it was done using the NULL parameters rather than absent parameters.
All implementations MUST accept both NULL and absent parameters as legal and equivalent encodings.
To be clear, the following algorithm identifiers are used when a NULL parameter MUST be present:
      sha1Identifier  AlgorithmIdentifier  ::=  { id-sha1, NULL }

      sha224Identifier  AlgorithmIdentifier  ::=  { id-sha224, NULL }

      sha256Identifier  AlgorithmIdentifier  ::=  { id-sha256, NULL }

      sha384Identifier  AlgorithmIdentifier  ::=  { id-sha384, NULL }

      sha512Identifier  AlgorithmIdentifier  ::=  { id-sha512, NULL }
2.2. Mask Generation Functions

One mask generation function is used with the RSASSA-PSS signature algorithm and the RSAES-OAEP key transport algorithm: MGF1 [P1v2.1]. No other mask generation functions are supported by this specification.
MGF1 is identified by the following object identifier:
id-mgf1 OBJECT IDENTIFIER ::= { pkcs-1 8 }
The parameters field associated with id-mgf1 MUST have a hashAlgorithm value which identifies the hash function being used with MGF1. This value MUST be sha1Identifier, sha224Identifier, sha256Identifier, sha384Identifier, or sha512Identifier, as specified in Section 2.1. Implementations MUST support the default value, sha1Identifier, and MAY support the other four values.
The following algorithm identifiers have been assigned for each of these alternatives:
      mgf1SHA1Identifier  AlgorithmIdentifier  ::=
                           { id-mgf1, sha1Identifier }

      mgf1SHA224Identifier  AlgorithmIdentifier  ::=
                           { id-mgf1, sha224Identifier }

      mgf1SHA256Identifier  AlgorithmIdentifier  ::=
                           { id-mgf1, sha256Identifier }

      mgf1SHA384Identifier  AlgorithmIdentifier  ::=
                           { id-mgf1, sha384Identifier }

      mgf1SHA512Identifier  AlgorithmIdentifier  ::=
                           { id-mgf1, sha512Identifier }
3. RSASSA-PSS Signature Algorithm

This section describes the conventions for using the RSASSA-PSS signature algorithm with the Internet X.509 Certificate and CRL profile [PROFILE]. The RSASSA-PSS signature algorithm is specified in PKCS #1 version 2.1 [P1v2.1]. The five one-way hash functions discussed in Section 2.1 and the one mask generation function discussed in Section 2.2 can be used with RSASSA-PSS.
CAs that issue certificates with the id-RSASSA-PSS algorithm identifier SHOULD require the presence of parameters in the publicKeyAlgorithms field if the cA boolean flag is set in the basic constraints certificate extension. CAs MAY require that the parameters be present in the publicKeyAlgorithms field for end-entity certificates.
CAs that use the RSASSA-PSS algorithm for signing certificates SHOULD include RSASSA-PSS-params in the subjectPublicKeyInfo algorithm parameters in their own certificates. CAs that use the RSASSA-PSS algorithm for signing certificates or CRLs MUST include RSASSA-PSS-params in the signatureAlgorithm parameters in the TBSCertificate or TBSCertList structures.
Entities that validate RSASSA-PSS signatures MUST support SHA-1. They MAY also support any other one-way hash functions in Section 2.1.
The data to be signed (e.g., the one-way hash function output value) is formatted for the signature algorithm to be used. Then, a private key operation (e.g., RSA decryption) is performed to generate the signature value. This signature value is then ASN.1 encoded as a BIT STRING and included in the Certificate or CertificateList in the signatureValue field. Section 3.2 specifies the format of RSASSA-PSS signature values.
3.1. RSASSA-PSS Public Keys

When RSASSA-PSS is used in an AlgorithmIdentifier, the parameters MUST employ the RSASSA-PSS-params syntax. The parameters may be either absent or present when used as subject public key information. The parameters MUST be present when used in the algorithm identifier associated with a signature value.
When signing, it is RECOMMENDED that the parameters, except for possibly saltLength, remain fixed for all usages of a given RSA key pair.
id-RSASSA-PSS OBJECT IDENTIFIER ::= { pkcs-1 10 }
      RSASSA-PSS-params  ::=  SEQUENCE  {
         hashAlgorithm      [0] HashAlgorithm DEFAULT sha1Identifier,
         maskGenAlgorithm   [1] MaskGenAlgorithm DEFAULT mgf1SHA1Identifier,
         saltLength         [2] INTEGER DEFAULT 20,
         trailerField       [3] INTEGER DEFAULT 1  }
The fields of type RSASSA-PSS-params have the following meanings:
hashAlgorithm
The hashAlgorithm field identifies the hash function. It MUST be one of the algorithm identifiers listed in Section 2.1, and the default hash function is SHA-1. Implementations MUST support SHA-1 and MAY support any of the other one-way hash functions listed in Section 2.1. Implementations that perform signature generation MUST omit the hashAlgorithm field when SHA-1 is used, indicating that the default algorithm was used. Implementations that perform signature validation MUST recognize both the sha1Identifier algorithm identifier and an absent hashAlgorithm field as an indication that SHA-1 was used.
maskGenAlgorithm
The maskGenAlgorithm field identifies the mask generation function. The default mask generation function is MGF1 with SHA-1. For MGF1, it is strongly RECOMMENDED that the underlying hash function be the same as the one identified by hashAlgorithm. Implementations MUST support MGF1. MGF1 requires a one-way hash function that is identified in the parameters field of the MGF1 algorithm identifier. Implementations MUST support SHA-1 and MAY support any of the other one-way hash functions listed in Section 2.1. The MGF1 algorithm identifier is comprised of the id-mgf1 object identifier and a parameter that contains the algorithm identifier of the one-way hash function employed with MGF1. The SHA-1 algorithm identifier is comprised of the id-sha1 object identifier and an (optional) parameter of NULL. Implementations that perform signature generation MUST omit the maskGenAlgorithm field when MGF1 with SHA-1 is used, indicating that the default algorithm was used.
Although mgf1SHA1Identifier is defined as the default value for this field, implementations MUST accept both the default value encoding (i.e., an absent field) and an explicitly present mgf1SHA1Identifier in the encoding.
saltLength
The saltLength field is the octet length of the salt. For a given hashAlgorithm, the recommended value of saltLength is the number of octets in the hash value. Unlike the other fields of type RSASSA-PSS-params, saltLength does not need to be fixed for a given RSA key pair; a different value could be used for each RSASSA-PSS signature generated.
trailerField
The trailerField field is an integer. It provides compatibility with IEEE Std 1363a-2004 [P1363A]. The value MUST be 1, which represents the trailer field with hexadecimal value 0xBC. Other trailer fields, including the trailer field composed of HashID concatenated with 0xCC that is specified in IEEE Std 1363a, are not supported. Implementations that perform signature generation MUST omit the trailerField field, indicating that the default trailer field value was used. Implementations that perform signature validation MUST recognize both a present trailerField field with value 1 and an absent trailerField field.
If the default values of the hashAlgorithm, maskGenAlgorithm, and trailerField fields of RSASSA-PSS-params are used, then the algorithm identifier will have the following value:
rSASSA-PSS-Default-Identifier AlgorithmIdentifier ::= { id-RSASSA-PSS, rSASSA-PSS-Default-Params }
      rSASSA-PSS-Default-Params RSASSA-PSS-params ::=
                          { sha1Identifier, mgf1SHA1Identifier, 20, 1 }
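To make concrete what the four RSASSA-PSS-params fields (and the MGF1 function of Section 2.2) actually control, here is MGF1 together with the EMSA-PSS encoding and verification steps of PKCS #1 v2.1, as an added example that is not part of RFC 4055. The RSA private/public key operation is deliberately left out so that only the encoding layer is shown; hashlib names (assumed mapping: "sha1" for sha1Identifier, "sha256" for sha256Identifier, and so on) stand in for the hash OIDs of Section 2.1, and em_bits is modBits - 1 for the key in use.

```python
# Added example, not from RFC 4055: MGF1 (Section 2.2) and EMSA-PSS encode/verify
# (PKCS #1 v2.1, 9.1.1 and 9.1.2) as parameterised by RSASSA-PSS-params (Section 3.1).
import hashlib
import hmac
import os


def mgf1(seed: bytes, mask_len: int, hash_name: str = "sha1") -> bytes:
    """MGF1 (PKCS #1 v2.1, B.2.1): Hash(seed || C) for C = 0, 1, ..., truncated to mask_len."""
    out, counter = bytearray(), 0
    while len(out) < mask_len:
        out += hashlib.new(hash_name, seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:mask_len])


def emsa_pss_encode(message, em_bits, hash_name="sha1", mgf_hash="sha1", salt_len=None, salt=None):
    """EMSA-PSS-ENCODE; em_bits is modBits - 1 for the RSA key."""
    h_len = hashlib.new(hash_name).digest_size
    salt_len = h_len if salt_len is None else salt_len   # RFC 4055 3.1: recommended saltLength = hLen
    em_len = (em_bits + 7) // 8
    if em_len < h_len + salt_len + 2:
        raise ValueError("encoding error: modulus too small for this hash and salt")
    salt = os.urandom(salt_len) if salt is None else salt   # a fresh salt per signature
    m_hash = hashlib.new(hash_name, message).digest()
    h = hashlib.new(hash_name, b"\x00" * 8 + m_hash + salt).digest()
    db = b"\x00" * (em_len - salt_len - h_len - 2) + b"\x01" + salt
    db_mask = mgf1(h, em_len - h_len - 1, mgf_hash)         # maskGenAlgorithm
    masked_db = bytearray(x ^ y for x, y in zip(db, db_mask))
    masked_db[0] &= 0xFF >> (8 * em_len - em_bits)          # clear the bits above emBits
    return bytes(masked_db) + h + b"\xbc"                     # trailerField 1 == 0xBC


def emsa_pss_verify(message, em, em_bits, hash_name="sha1", mgf_hash="sha1", salt_len=None):
    """EMSA-PSS-VERIFY: True only when every structural check passes."""
    h_len = hashlib.new(hash_name).digest_size
    salt_len = h_len if salt_len is None else salt_len
    em_len = (em_bits + 7) // 8
    if len(em) != em_len or em_len < h_len + salt_len + 2 or em[-1] != 0xBC:
        return False
    masked_db, h = em[:em_len - h_len - 1], em[em_len - h_len - 1:-1]
    top_mask = 0xFF >> (8 * em_len - em_bits)
    if masked_db[0] & ~top_mask & 0xFF:                      # bits above emBits must be zero
        return False
    db = bytearray(x ^ y for x, y in zip(masked_db, mgf1(h, em_len - h_len - 1, mgf_hash)))
    db[0] &= top_mask
    ps_len = em_len - h_len - salt_len - 2
    if any(db[:ps_len]) or db[ps_len] != 0x01:               # PS must be all zero, then 0x01
        return False
    salt = bytes(db[ps_len + 1:])                            # exactly salt_len octets
    m_hash = hashlib.new(hash_name, message).digest()
    h2 = hashlib.new(hash_name, b"\x00" * 8 + m_hash + salt).digest()
    return hmac.compare_digest(h, h2)
```

Note that the verifier needs the same hashAlgorithm, maskGenAlgorithm and saltLength the signer used: a verify call with a different saltLength fails the padding-string check even though the hash matches, which is why Section 3.3 ties the signature's parameters to the key's.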
3.2. RSASSA-PSS Signature Values

The output of the RSASSA-PSS signature algorithm is an octet string, which has the same length in octets as the RSA modulus n.
Signature values in CMS [CMS] are represented as octet strings, and the output is used directly. However, signature values in certificates and CRLs [PROFILE] are represented as bit strings, and conversion is needed.
To convert a signature value to a bit string, the most significant bit of the first octet of the signature value SHALL become the first bit of the bit string, and so on through the least significant bit of the last octet of the signature value, which SHALL become the last bit of the bit string.
3.3. RSASSA-PSS Signature Parameter Validation

Three possible parameter validation scenarios exist for RSASSA-PSS signature values.
1. The key is identified by the rsaEncryption algorithm identifier. In this case no parameter validation is needed.
2. The key is identified by the id-RSASSA-PSS signature algorithm identifier, but the parameters field is absent. In this case no parameter validation is needed.
3. The key is identified by the id-RSASSA-PSS signature algorithm identifier and the parameters are present. In this case all parameters in the signature structure algorithm identifier MUST match the parameters in the key structure algorithm identifier except the saltLength field. The saltLength field in the signature parameters MUST be greater than or equal to that in the key parameters field.
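The DEFAULT-omission rules of Section 3.1 and the three validation cases above are easy to get wrong in an ASN.1 library that re-encodes defaults, so here they are written out by hand, as an added example that is not part of RFC 4055. The block encodes and decodes RSASSA-PSS-params without any ASN.1 library (so that every "MUST omit when default" and "MUST accept NULL or absent" rule is visible) and then applies the Section 3.3 check to a signature's parameters against the key's. OID constants are the dotted forms of the identifiers in Sections 2.1, 2.2 and 3.1; the DER helpers and the dict returned by decode_pss_params are this example's own conventions.

```python
# Added example, not from RFC 4055: hand-rolled DER encoder/decoder for
# RSASSA-PSS-params (Section 3.1) plus the key-versus-signature parameter
# check of Section 3.3, written without an ASN.1 library so every DEFAULT rule shows.
ID_SHA1, ID_SHA224, ID_SHA256 = "1.3.14.3.2.26", "2.16.840.1.101.3.4.2.4", "2.16.840.1.101.3.4.2.1"
ID_SHA384, ID_SHA512 = "2.16.840.1.101.3.4.2.2", "2.16.840.1.101.3.4.2.3"
ID_MGF1, RSA_ENCRYPTION = "1.2.840.113549.1.1.8", "1.2.840.113549.1.1.1"
HASH_LEN = {ID_SHA1: 20, ID_SHA224: 28, ID_SHA256: 32, ID_SHA384: 48, ID_SHA512: 64}

def _tlv(tag, body):                          # DER TLV with definite length (up to 65535 octets)
    n = len(body)
    length = bytes([n]) if n < 0x80 else bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + body

def _oid(dotted):                             # OBJECT IDENTIFIER with base-128 arcs
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a >> 7:
            a >>= 7
            chunk.append(0x80 | (a & 0x7F))
        out += reversed(chunk)
    return _tlv(0x06, bytes(out))

OID_BY_DER = {_oid(o): o for o in list(HASH_LEN) + [ID_MGF1]}   # reverse map for decoding

def encode_pss_params(hash_oid=ID_SHA1, mgf_hash_oid=None, salt_len=None):
    """Encode RSASSA-PSS-params, omitting every field equal to its DEFAULT (Section 3.1)."""
    mgf_hash_oid = mgf_hash_oid or hash_oid   # RECOMMENDED: same hash inside MGF1
    salt_len = HASH_LEN[hash_oid] if salt_len is None else salt_len
    body = b""
    if hash_oid != ID_SHA1:                   # sha*Identifier is the OID plus NULL (Section 2.1)
        body += _tlv(0xA0, _tlv(0x30, _oid(hash_oid) + b"\x05\x00"))
    if mgf_hash_oid != ID_SHA1:
        body += _tlv(0xA1, _tlv(0x30, _oid(ID_MGF1) + _tlv(0x30, _oid(mgf_hash_oid) + b"\x05\x00")))
    if salt_len != 20:
        body += _tlv(0xA2, _tlv(0x02, salt_len.to_bytes((salt_len.bit_length() + 8) // 8, "big")))
    return _tlv(0x30, body)                   # trailerField 1 is the DEFAULT and is always omitted

def _read(buf, pos=0):                        # -> (tag, content, offset just past the TLV)
    tag, l, pos = buf[pos], buf[pos + 1], pos + 2
    if l & 0x80:
        n = l & 0x7F
        l, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + l > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + l], pos + l

def _alg_id(der):                             # AlgorithmIdentifier -> (dotted OID or None, params or None)
    tag, body, _ = _read(der)
    otag, obody, pos = _read(body)
    if tag != 0x30 or otag != 0x06:
        raise ValueError("not an AlgorithmIdentifier")
    return OID_BY_DER.get(_tlv(0x06, obody)), (body[pos:] or None)

def _hash_oid(der):                           # NULL and absent parameters are equivalent
    oid, params = _alg_id(der)
    if oid not in HASH_LEN or params not in (None, b"\x05\x00"):
        raise ValueError("unsupported hash AlgorithmIdentifier")
    return oid

def decode_pss_params(der):
    """Parse RSASSA-PSS-params; DEFAULTs are filled in, unsupported values raise ValueError."""
    tag, body, end = _read(der)
    if tag != 0x30 or end != len(der):
        raise ValueError("not RSASSA-PSS-params")
    p, pos, last = {"hash": ID_SHA1, "mgf_hash": ID_SHA1, "salt_len": 20}, 0, -1
    while pos < len(body):
        tag, inner, pos = _read(body, pos)
        idx = tag & 0x1F
        if tag & 0xE0 != 0xA0 or idx <= last or idx > 3:   # [0]..[3], each at most once, in order
            raise ValueError("unexpected or out-of-order field")
        last = idx
        if idx == 0:
            p["hash"] = _hash_oid(inner)
        elif idx == 1:
            oid, params = _alg_id(inner)
            if oid != ID_MGF1 or params is None:
                raise ValueError("only MGF1 is supported")
            p["mgf_hash"] = _hash_oid(params)
        else:
            itag, ibody, _ = _read(inner)
            value = int.from_bytes(ibody, "big")
            if itag != 0x02 or (idx == 3 and value != 1):
                raise ValueError("bad saltLength, or a trailerField other than 1 (0xBC)")
            if idx == 2:
                p["salt_len"] = value
    return p

def check_signature_params(key_alg_oid, key_params_der, sig_params_der):
    """Section 3.3: hash and MGF must match the key's parameters; saltLength must be >= the key's."""
    if sig_params_der is None:
        raise ValueError("parameters MUST be present in a signature AlgorithmIdentifier")
    sig = decode_pss_params(sig_params_der)
    if key_alg_oid == RSA_ENCRYPTION or key_params_der is None:
        return sig                            # cases 1 and 2: nothing to compare against
    key = decode_pss_params(key_params_der)
    if sig["hash"] != key["hash"] or sig["mgf_hash"] != key["mgf_hash"]:
        raise ValueError("hash or MGF differs from the key's RSASSA-PSS-params")
    if sig["salt_len"] < key["salt_len"]:
        raise ValueError("saltLength is shorter than the key's minimum")
    return sig
```

encode_pss_params() with no arguments yields the two-octet empty SEQUENCE 30 00, which is the on-the-wire form of rSASSA-PSS-Default-Params; the decoder accepts an explicitly present sha1Identifier or trailerField 1 as well, as Section 3.1 requires, while rejecting any other trailerField value or an unknown MGF.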
4. RSAES-OAEP Key Transport Algorithm

This section describes the conventions for using the RSAES-OAEP key transport algorithm with the Internet X.509 Certificate and CRL profile [PROFILE]. RSAES-OAEP is specified in PKCS #1 version 2.1 [P1v2.1]. The five one-way hash functions discussed in Section 2.1 and the one mask generation function discussed in Section 2.2 can be used with RSAES-OAEP. Conforming CAs and applications MUST support the RSAES-OAEP key transport algorithm using SHA-1. The other four one-way hash functions MAY also be supported.
CAs that issue certificates with the id-RSAES-OAEP algorithm identifier SHOULD require the presence of parameters in the publicKeyAlgorithms field for all certificates. Entities that use a certificate with a publicKeyAlgorithm value of id-RSAES-OAEP where the parameters are absent SHOULD use the default set of parameters for RSAES-OAEP-params. Entities that use a certificate with a publicKeyAlgorithm value of rsaEncryption SHOULD use the default set of parameters for RSAES-OAEP-params.
4.1. RSAES-OAEP Public Keys

When id-RSAES-OAEP is used in an AlgorithmIdentifier, the parameters MUST employ the RSAES-OAEP-params syntax. The parameters may be either absent or present when used as subject public key information. The parameters MUST be present when used in the algorithm identifier associated with an encrypted value.
id-RSAES-OAEP OBJECT IDENTIFIER ::= { pkcs-1 7 }
      RSAES-OAEP-params  ::=  SEQUENCE  {
         hashFunc          [0] AlgorithmIdentifier DEFAULT sha1Identifier,
         maskGenFunc       [1] AlgorithmIdentifier DEFAULT mgf1SHA1Identifier,
         pSourceFunc       [2] AlgorithmIdentifier DEFAULT
                                   pSpecifiedEmptyIdentifier  }
pSpecifiedEmptyIdentifier AlgorithmIdentifier ::= { id-pSpecified, nullOctetString }
nullOctetString OCTET STRING (SIZE (0)) ::= { ''H }
The fields of type RSAES-OAEP-params have the following meanings:
hashFunc
The hashFunc field identifies the one-way hash function. It MUST be one of the algorithm identifiers listed in Section 2.1, and the default hash function is SHA-1. Implementations MUST support SHA-1 and MAY support other one-way hash functions listed in Section 2.1. Implementations that perform encryption MUST omit the hashFunc field when SHA-1 is used, indicating that the default algorithm was used. Implementations that perform decryption MUST recognize both the sha1Identifier algorithm identifier and an absent hashFunc field as an indication that SHA-1 was used.
maskGenFunc
The maskGenFunc field identifies the mask generation function. The default mask generation function is MGF1 with SHA-1. For MGF1, it is strongly RECOMMENDED that the underlying hash function be the same as the one identified by hashFunc. Implementations MUST support MGF1. MGF1 requires a one-way hash function that is identified in the parameter field of the MGF1 algorithm identifier. Implementations MUST support SHA-1 and MAY support any of the other one-way hash functions listed in Section 2.1. The MGF1 algorithm identifier is comprised of the id-mgf1 object identifier and a parameter that contains the algorithm identifier of the one-way hash function employed with MGF1. The SHA-1 algorithm identifier is comprised of the id-sha1 object identifier and an (optional) parameter of NULL. Implementations that perform encryption MUST omit the maskGenFunc field when MGF1 with SHA-1 is used, indicating that the default algorithm was used.
maskGenFunc字段标识掩码生成函数。默认的遮罩生成功能是MGF1和SHA-1。对于MGF1,强烈建议底层哈希函数与hashFunc标识的哈希函数相同。实现必须支持MGF1。MGF1需要在MGF1算法标识符的参数字段中标识的单向哈希函数。实现必须支持SHA-1,并且可以支持第2.1节中列出的任何其他单向散列函数。MGF1算法标识符由id-MGF1对象标识符和包含MGF1使用的单向哈希函数的算法标识符的参数组成。SHA-1算法标识符由id-sha1对象标识符和NULL(可选)参数组成。使用带有SHA-1的MGF1时,执行加密的实现必须省略maskGenFunc字段,这表明使用了默认算法。
Although mfg1SHA1Identifier is defined as the default value for this field, implementations MUST accept both the default value encoding (i.e., an absent field) and the mfg1SHA1Identifier to be explicitly present in the encoding.
尽管mfg1SHA1Identifier被定义为此字段的默认值,但实现必须接受默认值编码(即,缺少字段)和mfg1SHA1Identifier,以明确显示在编码中。
pSourceFunc
pSourceFunc
The pSourceFunc field identifies the source (and possibly the value) of the encoding parameters, commonly called P. Implementations MUST represent P by an algorithm identifier, id-pSpecified, indicating that P is explicitly provided as an OCTET STRING in the parameters. The default value for P is an empty string. In this case, pHash in EME-OAEP contains the hash of a zero length string. Implementations MUST support a zero length P value. Implementations that perform encryption MUST omit the pSourceFunc field when a zero length P value is used, indicating that the default value was used. Implementations that perform decryption MUST recognize both the id-pSpecified object identifier and an absent pSourceFunc field as an indication that a zero length P value was used. Implementations that perform decryption MUST support a zero length P value and MAY support other values. Compliant implementations MUST NOT use any value other than id-pSpecified for pSourceFunc.
pSourceFunc字段标识编码参数的源(可能还有值),通常称为P。实现必须通过算法标识符id PSSpecified表示P,表明P在参数中显式提供为八位字节字符串。P的默认值是空字符串。在这种情况下,EME-OAEP中的pHash包含零长度字符串的哈希。实现必须支持长度为零的P值。当使用零长度P值时,执行加密的实现必须省略pSourceFunc字段,这表示使用了默认值。执行解密的实现必须将id pSpecified对象标识符和缺少的pSourceFunc字段识别为使用了零长度P值的指示。执行解密的实现必须支持长度为零的P值,并且可能支持其他值。兼容实现不得使用除为pSourceFunc指定的id PSP以外的任何值。
If the default values of the hashFunc, maskGenFunc, and pSourceFunc fields of RSAES-OAEP-params are used, then the algorithm identifier will have the following value:
如果使用RSAES OAEP参数的hashFunc、maskGenFunc和pSourceFunc字段的默认值,则算法标识符将具有以下值:
rSAES-OAEP-Default-Identifier AlgorithmIdentifier ::= { id-RSAES-OAEP, rSAES-OAEP-Default-Params }
rSAES-OAEP-Default-Identifier AlgorithmIdentifier ::= { id-RSAES-OAEP, rSAES-OAEP-Default-Params }
rSAES-OAEP-Default-Params RSASSA-OAEP-params ::= { sha1Identifier, mgf1SHA1Identifier, pSpecifiedEmptyIdentifier }
rSAES-OAEP-Default-Params RSASSA-OAEP-params ::= { sha1Identifier, mgf1SHA1Identifier, pSpecifiedEmptyIdentifier }
5. PKCS #1 Version 1.5 Signature Algorithm

RFC 2313 [P1v1.5] specifies the PKCS #1 Version 1.5 signature algorithm. This specification is also included in PKCS #1 Version 2.1 [P1v2.1]. RFC 3279 [PKALGS] specifies the use of the PKCS #1 Version 1.5 signature algorithm with the MD2, MD5, and the SHA-1 one-way hash functions. This section specifies the algorithm identifiers for using the SHA-224, SHA-256, SHA-384, and SHA-512 one-way hash functions with the PKCS #1 version 1.5 signature algorithm.

The RSASSA-PSS signature algorithm is preferred over the PKCS #1 Version 1.5 signature algorithm. Although no attacks are known against the PKCS #1 Version 1.5 signature algorithm, in the interest of increased robustness, the RSASSA-PSS signature algorithm is recommended for eventual adoption, especially by new applications. This section is included for compatibility with existing applications, and while still appropriate for new applications, a gradual transition to the RSASSA-PSS signature algorithm is encouraged.

The PKCS #1 Version 1.5 signature algorithm with these one-way hash functions and the RSA cryptosystem is implemented using the padding and encoding conventions described in RFC 2313 [P1v1.5].

The message digest is computed using the SHA-224, SHA-256, SHA-384, or SHA-512 one-way hash function.

The PKCS #1 version 1.5 signature algorithm, as specified in RFC 2313, includes a data encoding step. In this step, the message digest and the object identifier for the one-way hash function used to compute the message digest are combined. When performing the data encoding step, the id-sha224, id-sha256, id-sha384, and id-sha512 object identifiers (see Section 2.1) MUST be used to specify the SHA-224, SHA-256, SHA-384, and SHA-512 one-way hash functions, respectively.

The object identifier used to identify the PKCS #1 version 1.5 signature algorithm with SHA-224 is:

   sha224WithRSAEncryption  OBJECT IDENTIFIER  ::=  { pkcs-1 14 }

The object identifier used to identify the PKCS #1 version 1.5 signature algorithm with SHA-256 is:

   sha256WithRSAEncryption  OBJECT IDENTIFIER  ::=  { pkcs-1 11 }

The object identifier used to identify the PKCS #1 version 1.5 signature algorithm with SHA-384 is:

   sha384WithRSAEncryption  OBJECT IDENTIFIER  ::=  { pkcs-1 12 }

The object identifier used to identify the PKCS #1 version 1.5 signature algorithm with SHA-512 is:

   sha512WithRSAEncryption  OBJECT IDENTIFIER  ::=  { pkcs-1 13 }

When any of these four object identifiers appears within an AlgorithmIdentifier, the parameters MUST be NULL. Implementations MUST accept the parameters being absent as well as present.

The RSA signature generation process and the encoding of the result are described in detail in RFC 2313 [P1v1.5].
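The data encoding step described above, carried through in Python as an added example that is not code from RFC 4055 or RFC 2313: the DigestInfo headers are the DER encodings of SEQUENCE { id-shaN, NULL } followed by an OCTET STRING header, the padding is the RFC 2313 block type 1 layout, the signature AlgorithmIdentifier carries the NULL parameters this section requires, and the verifier accepts those parameters absent or present. Only the standard library is used. The toy key generator, its fixed seed and the 512-bit modulus exist only so the block runs stand-alone and quickly; they are this example's assumptions, not a deployment recommendation (Section 8 gives the key sizes to use).

```python
# Added example (not code from RFC 4055 or RFC 2313): the Section 5 encoding
# step for PKCS #1 v1.5 signatures with SHA-224/256/384/512, standard library only.
# The key generator and the 512-bit size exist only so the block runs stand-alone.
import hashlib
import hmac
import random

# DER DigestInfo minus the digest: SEQUENCE { SEQUENCE { id-shaN, NULL }, OCTET STRING hdr }.
DIGEST_INFO_PREFIX = {
    "sha224": bytes.fromhex("302d300d06096086480165030402040500041c"),
    "sha256": bytes.fromhex("3031300d060960864801650304020105000420"),
    "sha384": bytes.fromhex("3041300d060960864801650304020205000430"),
    "sha512": bytes.fromhex("3051300d060960864801650304020305000440"),
}
# sha*WithRSAEncryption, i.e. { pkcs-1 14 }, { pkcs-1 11 }, { pkcs-1 12 }, { pkcs-1 13 }.
SIG_ALG_OID = {
    "sha224": bytes.fromhex("06092a864886f70d01010e"),
    "sha256": bytes.fromhex("06092a864886f70d01010b"),
    "sha384": bytes.fromhex("06092a864886f70d01010c"),
    "sha512": bytes.fromhex("06092a864886f70d01010d"),
}
NULL = b"\x05\x00"

def signature_algorithm_identifier(hash_name):
    """Signer side: AlgorithmIdentifier with the NULL parameters Section 5 requires."""
    body = SIG_ALG_OID[hash_name] + NULL
    return b"\x30" + bytes([len(body)]) + body

def hash_from_signature_algorithm_identifier(der):
    """Verifier side: parameters absent and parameters NULL are both accepted."""
    if len(der) < 2 or der[0] != 0x30 or der[1] != len(der) - 2:
        raise ValueError("malformed AlgorithmIdentifier")
    body = der[2:]
    for name, oid in SIG_ALG_OID.items():
        if body.startswith(oid) and body[len(oid):] in (b"", NULL):
            return name
    raise ValueError("unknown signature algorithm or non-NULL parameters")

def emsa_pkcs1_v15_encode(message, hash_name, em_len):
    """EM = 0x00 || 0x01 || PS (at least eight 0xFF bytes) || 0x00 || DigestInfo."""
    t = DIGEST_INFO_PREFIX[hash_name] + hashlib.new(hash_name, message).digest()
    if em_len < len(t) + 11:
        raise ValueError("intended encoded message length too short")
    return b"\x00\x01" + b"\xff" * (em_len - len(t) - 3) + b"\x00" + t

def sign_pkcs1_v15(message, hash_name, n, d):
    k = (n.bit_length() + 7) // 8
    em = int.from_bytes(emsa_pkcs1_v15_encode(message, hash_name, k), "big")
    return pow(em, d, n).to_bytes(k, "big")

def verify_pkcs1_v15(message, hash_name, signature, n, e):
    """Rebuild the whole EM and compare it; lenient parsing of PS is the classic verifier flaw."""
    k = (n.bit_length() + 7) // 8
    s = int.from_bytes(signature, "big")
    if len(signature) != k or s >= n:
        return False
    em = pow(s, e, n).to_bytes(k, "big")
    return hmac.compare_digest(em, emsa_pkcs1_v15_encode(message, hash_name, k))

def _probable_prime(n, rng, rounds=32):
    """Miller-Rabin; adequate for a demo key, not a substitute for a vetted generator."""
    if n < 2 or any(n % p == 0 for p in (2, 3, 5, 7, 11, 13)):
        return n in (2, 3, 5, 7, 11, 13)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def demo_keygen(bits=512, seed=4055):
    """Deterministic toy RSA key (n, e, d); real keys need the randomness Section 8 discusses."""
    rng = random.Random(seed)
    def prime(b):
        while True:
            c = rng.getrandbits(b) | (1 << (b - 1)) | 1
            if _probable_prime(c, rng):
                return c
    e = 65537
    while True:
        p, q = prime(bits // 2), prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return p * q, e, pow(e, -1, phi)

if __name__ == "__main__":
    n, e, d = demo_keygen()
    msg = b"constructed sample message"
    sig = sign_pkcs1_v15(msg, "sha256", n, d)
    print(signature_algorithm_identifier("sha256").hex(), verify_pkcs1_v15(msg, "sha256", sig, n, e))
```

The verifier deliberately recomputes the complete encoded message and compares it in constant time instead of walking the padding bytes; a verifier that tolerates a short PS or ignores bytes after the DigestInfo is how forged PKCS #1 v1.5 signatures have been accepted in practice. The `hash_from_signature_algorithm_identifier` check is the receiving side of the rule that parameters MUST be NULL but MUST be accepted whether absent or present.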
6. ASN.1 Module

   PKIX1-PSS-OAEP-Algorithms
       { iso(1) identified-organization(3) dod(6) internet(1)
         security(5) mechanisms(5) pkix(7) id-mod(0)
         id-mod-pkix1-rsa-pkalgs(33) }

   DEFINITIONS EXPLICIT TAGS ::= BEGIN

   -- EXPORTS All;

   IMPORTS

   AlgorithmIdentifier
       FROM PKIX1Explicit88 -- Found in [PROFILE]
       { iso(1) identified-organization(3) dod(6) internet(1)
         security(5) mechanisms(5) pkix(7) id-mod(0)
         id-pkix1-explicit(18) } ;

   -- ============================
   --   Basic object identifiers
   -- ============================

   pkcs-1  OBJECT IDENTIFIER  ::=  { iso(1) member-body(2) us(840)
                                     rsadsi(113549) pkcs(1) 1 }

   -- When rsaEncryption is used in an AlgorithmIdentifier the
   -- parameters MUST be present and MUST be NULL.

   rsaEncryption  OBJECT IDENTIFIER  ::=  { pkcs-1 1 }

   -- When id-RSAES-OAEP is used in an AlgorithmIdentifier,
   -- and the parameters field is present, it MUST be
   -- RSAES-OAEP-params

   id-RSAES-OAEP  OBJECT IDENTIFIER  ::=  { pkcs-1 7 }

   -- When id-pSpecified is used in an AlgorithmIdentifier the
   -- parameters MUST be an OCTET STRING.

   id-pSpecified  OBJECT IDENTIFIER  ::=  { pkcs-1 9 }

   -- When id-RSASSA-PSS is used in an AlgorithmIdentifier, and the
   -- parameters field is present, it MUST be RSASSA-PSS-params.

   id-RSASSA-PSS  OBJECT IDENTIFIER  ::=  { pkcs-1 10 }

   -- When id-mgf1 is used in an AlgorithmIdentifier the parameters
   -- MUST be present and MUST be a HashAlgorithm.

   id-mgf1  OBJECT IDENTIFIER  ::=  { pkcs-1 8 }

   -- When the following OIDs are used in an AlgorithmIdentifier, the
   -- parameters MUST be present and MUST be NULL.

   sha224WithRSAEncryption  OBJECT IDENTIFIER  ::=  { pkcs-1 14 }

   sha256WithRSAEncryption  OBJECT IDENTIFIER  ::=  { pkcs-1 11 }

   sha384WithRSAEncryption  OBJECT IDENTIFIER  ::=  { pkcs-1 12 }

   sha512WithRSAEncryption  OBJECT IDENTIFIER  ::=  { pkcs-1 13 }

   -- When the following OIDs are used in an AlgorithmIdentifier the
   -- parameters SHOULD be absent, but if the parameters are present,
   -- they MUST be NULL.

   id-sha1  OBJECT IDENTIFIER  ::=  { iso(1)
                        identified-organization(3) oiw(14) secsig(3)
                        algorithms(2) 26 }

   id-sha224  OBJECT IDENTIFIER  ::=  { joint-iso-itu-t(2)
                        country(16) us(840) organization(1) gov(101)
                        csor(3) nistalgorithm(4) hashalgs(2) 4 }

   id-sha256  OBJECT IDENTIFIER  ::=  { joint-iso-itu-t(2)
                        country(16) us(840) organization(1) gov(101)
                        csor(3) nistalgorithm(4) hashalgs(2) 1 }

   id-sha384  OBJECT IDENTIFIER  ::=  { joint-iso-itu-t(2)
                        country(16) us(840) organization(1) gov(101)
                        csor(3) nistalgorithm(4) hashalgs(2) 2 }

   id-sha512  OBJECT IDENTIFIER  ::=  { joint-iso-itu-t(2)
                        country(16) us(840) organization(1) gov(101)
                        csor(3) nistalgorithm(4) hashalgs(2) 3 }

   -- =============
   --   Constants
   -- =============

   nullOctetString  OCTET STRING (SIZE (0))  ::=  ''H

   nullParameters  NULL  ::=  NULL

   -- =========================
   --   Algorithm Identifiers
   -- =========================

   sha1Identifier  AlgorithmIdentifier  ::=
                        { algorithm id-sha1, parameters nullParameters }

   sha224Identifier  AlgorithmIdentifier  ::=
                        { algorithm id-sha224, parameters nullParameters }

   sha256Identifier  AlgorithmIdentifier  ::=
                        { algorithm id-sha256, parameters nullParameters }

   sha384Identifier  AlgorithmIdentifier  ::=
                        { algorithm id-sha384, parameters nullParameters }

   sha512Identifier  AlgorithmIdentifier  ::=
                        { algorithm id-sha512, parameters nullParameters }

   mgf1SHA1Identifier  AlgorithmIdentifier  ::=
                        { algorithm id-mgf1, parameters sha1Identifier }

   mgf1SHA224Identifier  AlgorithmIdentifier  ::=
                        { algorithm id-mgf1, parameters sha224Identifier }

   mgf1SHA256Identifier  AlgorithmIdentifier  ::=
                        { algorithm id-mgf1, parameters sha256Identifier }

   mgf1SHA384Identifier  AlgorithmIdentifier  ::=
                        { algorithm id-mgf1, parameters sha384Identifier }

   mgf1SHA512Identifier  AlgorithmIdentifier  ::=
                        { algorithm id-mgf1, parameters sha512Identifier }

   pSpecifiedEmptyIdentifier  AlgorithmIdentifier  ::=
                        { algorithm id-pSpecified, parameters nullOctetString }

   rSASSA-PSS-Default-Params  RSASSA-PSS-params  ::=
                        { hashAlgorithm sha1Identifier,
                          maskGenAlgorithm mgf1SHA1Identifier,
                          saltLength 20,
                          trailerField 1 }

   rSASSA-PSS-Default-Identifier  AlgorithmIdentifier  ::=
                        { algorithm id-RSASSA-PSS,
                          parameters rSASSA-PSS-Default-Params }

   rSASSA-PSS-SHA224-Identifier  AlgorithmIdentifier  ::=
                        { algorithm id-RSASSA-PSS,
                          parameters rSASSA-PSS-SHA224-Params }

   rSASSA-PSS-SHA224-Params  RSASSA-PSS-params  ::=
                        { hashAlgorithm sha224Identifier,
                          maskGenAlgorithm mgf1SHA224Identifier,
                          saltLength 20,
                          trailerField 1 }

   rSASSA-PSS-SHA256-Identifier  AlgorithmIdentifier  ::=
                        { algorithm id-RSASSA-PSS,
                          parameters rSASSA-PSS-SHA256-Params }

   rSASSA-PSS-SHA256-Params  RSASSA-PSS-params  ::=
                        { hashAlgorithm sha256Identifier,
                          maskGenAlgorithm mgf1SHA256Identifier,
                          saltLength 20,
                          trailerField 1 }

   rSASSA-PSS-SHA384-Identifier  AlgorithmIdentifier  ::=
                        { algorithm id-RSASSA-PSS,
                          parameters rSASSA-PSS-SHA384-Params }

   rSASSA-PSS-SHA384-Params  RSASSA-PSS-params  ::=
                        { hashAlgorithm sha384Identifier,
                          maskGenAlgorithm mgf1SHA384Identifier,
                          saltLength 20,
                          trailerField 1 }

   rSASSA-PSS-SHA512-Identifier  AlgorithmIdentifier  ::=
                        { algorithm id-RSASSA-PSS,
                          parameters rSASSA-PSS-SHA512-Params }

   rSASSA-PSS-SHA512-Params  RSASSA-PSS-params  ::=
                        { hashAlgorithm sha512Identifier,
                          maskGenAlgorithm mgf1SHA512Identifier,
                          saltLength 20,
                          trailerField 1 }

   rSAES-OAEP-Default-Params  RSAES-OAEP-params  ::=
                        { hashFunc sha1Identifier,
                          maskGenFunc mgf1SHA1Identifier,
                          pSourceFunc pSpecifiedEmptyIdentifier }

   rSAES-OAEP-Default-Identifier  AlgorithmIdentifier  ::=
                        { algorithm id-RSAES-OAEP,
                          parameters rSAES-OAEP-Default-Params }

   rSAES-OAEP-SHA224-Identifier  AlgorithmIdentifier  ::=
                        { algorithm id-RSAES-OAEP,
                          parameters rSAES-OAEP-SHA224-Params }

   rSAES-OAEP-SHA224-Params  RSAES-OAEP-params  ::=
                        { hashFunc sha224Identifier,
                          maskGenFunc mgf1SHA224Identifier,
                          pSourceFunc pSpecifiedEmptyIdentifier }

   rSAES-OAEP-SHA256-Identifier  AlgorithmIdentifier  ::=
                        { algorithm id-RSAES-OAEP,
                          parameters rSAES-OAEP-SHA256-Params }

   rSAES-OAEP-SHA256-Params  RSAES-OAEP-params  ::=
                        { hashFunc sha256Identifier,
                          maskGenFunc mgf1SHA256Identifier,
                          pSourceFunc pSpecifiedEmptyIdentifier }

   rSAES-OAEP-SHA384-Identifier  AlgorithmIdentifier  ::=
                        { algorithm id-RSAES-OAEP,
                          parameters rSAES-OAEP-SHA384-Params }

   rSAES-OAEP-SHA384-Params  RSAES-OAEP-params  ::=
                        { hashFunc sha384Identifier,
                          maskGenFunc mgf1SHA384Identifier,
                          pSourceFunc pSpecifiedEmptyIdentifier }

   rSAES-OAEP-SHA512-Identifier  AlgorithmIdentifier  ::=
                        { algorithm id-RSAES-OAEP,
                          parameters rSAES-OAEP-SHA512-Params }

   rSAES-OAEP-SHA512-Params  RSAES-OAEP-params  ::=
                        { hashFunc sha512Identifier,
                          maskGenFunc mgf1SHA512Identifier,
                          pSourceFunc pSpecifiedEmptyIdentifier }

   -- ===================
   --   Main structures
   -- ===================

   -- Used in SubjectPublicKeyInfo of X.509 Certificate.

   RSAPublicKey  ::=  SEQUENCE  {
      modulus           INTEGER,    -- n
      publicExponent    INTEGER  }  -- e

   -- AlgorithmIdentifier parameters for id-RSASSA-PSS.
   -- Note that the tags in this Sequence are explicit.

   RSASSA-PSS-params  ::=  SEQUENCE  {
      hashAlgorithm      [0] HashAlgorithm DEFAULT sha1Identifier,
      maskGenAlgorithm   [1] MaskGenAlgorithm DEFAULT mgf1SHA1Identifier,
      saltLength         [2] INTEGER DEFAULT 20,
      trailerField       [3] INTEGER DEFAULT 1  }

   HashAlgorithm  ::=  AlgorithmIdentifier

   MaskGenAlgorithm  ::=  AlgorithmIdentifier

   -- AlgorithmIdentifier parameters for id-RSAES-OAEP.
   -- Note that the tags in this Sequence are explicit.

   RSAES-OAEP-params  ::=  SEQUENCE  {
      hashFunc          [0] AlgorithmIdentifier DEFAULT sha1Identifier,
      maskGenFunc       [1] AlgorithmIdentifier DEFAULT mgf1SHA1Identifier,
      pSourceFunc       [2] AlgorithmIdentifier DEFAULT
                                pSpecifiedEmptyIdentifier  }

   END
7. References

7.1. Normative References

   [P1v1.5]    Kaliski, B., "PKCS #1: RSA Encryption Version 1.5", RFC 2313, March 1998.

   [P1v2.1]    Jonsson, J. and B. Kaliski, "PKCS #1: RSA Cryptography Specifications Version 2.1", RFC 3447, February 2003.

   [PROFILE]   Housley, R., Polk, W., Ford, W., and D. Solo, "Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile", RFC 3280, April 2002.

   [SHA2]      National Institute of Standards and Technology (NIST), FIPS 180-2: Secure Hash Standard, 1 August 2002.

   [SHA224]    Housley, R., "A 224-bit One-way Hash Function: SHA-224", RFC 3874, September 2004.

   [STDWORDS]  Bradner, S., "Key Words for Use in RFCs to Indicate Requirement Levels", RFC 2119, March 1997.

   [X.208-88]  CCITT Recommendation X.208: Specification of Abstract Syntax Notation One (ASN.1), 1988.

   [X.209-88]  CCITT Recommendation X.209: Specification of Basic Encoding Rules for Abstract Syntax Notation One (ASN.1), 1988.

   [X.509-88]  CCITT Recommendation X.509: The Directory - Authentication Framework, 1988.
7.2. Informative References

   [CMS]       Housley, R., "Cryptographic Message Syntax (CMS)", RFC 3852, July 2004.

   [GUIDE]     National Institute of Standards and Technology, Second Draft: "Key Management Guideline, Part 1: General Guidance." June 2002. [http://csrc.nist.gov/encryption/kms/guideline-1.pdf]

   [P1363A]    IEEE Std 1363a-2004, Standard Specifications for Public Key Cryptography - Amendment 1: Additional Techniques, 2004.

   [PKALGS]    Bassham, L., Polk, W., and R. Housley, "Algorithms and Identifiers for the Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile", RFC 3279, April 2002.

   [RANDOM]    Eastlake 3rd, D., Crocker, S., and J. Schiller, "Randomness Recommendations for Security", RFC 1750, December 1994.

   [SHA-1-ATTACK]  Wang, X., Yin, Y.L., and H. Yu, "Finding Collisions in the Full SHA1", to appear, CRYPTO 2005. Preprint available at http://theory.csail.mit.edu/~yiqun/shanote.pdf.
8. Security Considerations

This specification supplements RFC 3280 [PROFILE]. The Security Considerations section of that document applies to this specification as well.

Implementations must protect the RSA private key. Compromising the RSA private key may result in the disclosure of all messages protected with that key.
The generation of RSA public/private key pairs relies on random numbers. Using inadequate pseudo-random number generators (PRNGs) to generate cryptographic keys can result in little or no security. An attacker may find it much easier to reproduce the PRNG environment that produced the keys and search the resulting small set of possibilities than to brute-force search the whole key space. The generation of quality random numbers is difficult, and RFC 1750 [RANDOM] offers important guidance in this area.
Generally, good cryptographic practice employs a given RSA key pair in only one scheme. This practice avoids the risk that vulnerability in one scheme may compromise the security of the other, and may be essential to maintain provable security. While PKCS #1 Version 1.5 [P1v1.5] has been employed for both key transport and digital signature without any known bad interactions, such a combined use of an RSA key pair is not recommended in the future. Therefore, an RSA key pair used for RSASSA-PSS signature generation should not be used for other purposes. For similar reasons, one RSA key pair should always be used with the same RSASSA-PSS parameters (except possibly for the salt length). Likewise, an RSA key pair used for RSAES-OAEP key transport should not be used for other purposes. For similar reasons, one RSA key pair should always be used with the same RSAES-OAEP parameters.
This specification requires implementations to support the SHA-1 one-way hash function for interoperability, but support for other one-way hash functions is permitted. Wang et al. [SHA-1-ATTACK] have recently discovered a collision attack against SHA-1 with complexity 2^69. This attack, which can produce two new messages with the same hash value, is the first attack on SHA-1 faster than the generic attack with complexity 2^80, where 80 is one-half the bit length of the hash value.

In general, when a one-way hash function is used with a digital signature scheme, a collision attack is easily translated into a signature forgery. Therefore, using SHA-1 in a digital signature scheme provides a security level of no more than 69 bits if the attacker can persuade the signer to sign a message resulting from a collision attack. If the attacker can't persuade the signer to sign such a message, however, then SHA-1 still provides a security level of at least 80 bits since the best (known) inversion attack (which produces a new message with a previous hash value) is the generic attack with complexity 2^160. If a greater level of security is desired, then a secure one-way hash function with a longer hash value is needed. SHA-256, SHA-384, and SHA-512 are reasonable choices [SHA2], although their security needs to be reconfirmed in light of the SHA-1 results.
The metrics for choosing a one-way hash function for use in digital signatures do not directly apply to the RSAES-OAEP key transport algorithm, since a collision attack on the one-way hash function does not directly translate into an attack on the key transport algorithm, unless the encoding parameters P vary (in which case a collision of the hash value for different encoding parameters might be exploited).

Nevertheless, for consistency with the practice for digital signature schemes, and in case the encoding parameters P are not the empty string, it is recommended that the same rule of thumb be applied to selecting a one-way hash function for use with RSAES-OAEP. That is, the one-way hash function should be selected so that the bit length of the hash value is at least twice as long as the desired security level in bits.
The key size selected impacts the strength achieved when implementing cryptographic services. Thus, selecting appropriate key sizes is critical to implementing appropriate security. A 1024-bit RSA public key is considered to provide a security level of about 80 bits. In [GUIDE], the National Institute of Standards and Technology (NIST) suggests that a security level of 80 bits is adequate for the protection of sensitive information until 2015. This recommendation is likely to be revised based on recent advances, and is expected to be more conservative, suggesting that a security level of 80 bits is adequate protection of sensitive information until 2010. If a security level greater than 80 bits is needed, then a longer RSA public key and a secure one-way hash function with a longer hash value are needed. SHA-224, SHA-256, SHA-384, and SHA-512 are reasonable choices for such a one-way hash function, modulo the reconfirmation noted above. For this reason, the algorithm identifiers for these one-way hash functions are included in the ASN.1 module in Section 6.

Current implementations MUST support 1024-bit RSA public key sizes. Before the end of 2007, implementations SHOULD support RSA public key sizes of at least 2048 bits and SHOULD support SHA-256. This requirement is intended to allow adequate time for users to deploy the stronger digital signature capability by 2010.
When using RSASSA-PSS, the same one-way hash function should be employed for the hashAlgorithm and the maskGenAlgorithm, but it is not required. When using RSAES-OAEP, the same one-way hash function should be employed for the hashFunc and the maskGenFunc, but it is not required. In each case, using the same one-way hash function helps with security analysis and reduces implementation complexity.
Within the certificates and CRLs, algorithms are identified by object identifiers. All object identifiers used in this document were assigned in Public-Key Cryptography Standards (PKCS) documents or by the National Institute of Standards and Technology (NIST). No further action by the IANA is necessary for this document or any anticipated updates.
Authors' Addresses
Russell Housley Vigil Security, LLC 918 Spring Knoll Drive Herndon, VA 20170 USA
EMail: housley@vigilsec.com
Burt Kaliski RSA Laboratories 174 Middlesex Turnpike Bedford, MA 01730 USA
EMail: bkaliski@rsasecurity.com
Jim Schaad Soaring Hawk Consulting PO Box 675 Gold Bar, WA 98251 USA
EMail: jimsch@exmsft.com
Full Copyright Statement
Copyright (C) The Internet Society (2005).
This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights.
This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Intellectual Property
The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79.
Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf-ipr@ietf.org.
Acknowledgement
Funding for the RFC Editor function is currently provided by the Internet Society.