Alter: template type. Add: type. | Use this bot. Report bugs. | Suggested by Abductive | Category:Digital signature schemes | #UCB_Category 24/29
|
m ISBN
|
||
(19 intermediate revisions by 6 users not shown) | |||
Line 3: | Line 3: | ||
{{refimprove|date=March 2019}} |
{{refimprove|date=March 2019}} |
||
In [[cryptography]], '''PKCS #1''' is the first of a family of standards called [[PKCS|Public-Key Cryptography Standards (PKCS)]], published by [[RSA Laboratories]]. It provides the basic definitions of and recommendations for implementing the [[RSA ( |
In [[cryptography]], '''PKCS #1''' is the first of a family of standards called [[PKCS|Public-Key Cryptography Standards (PKCS)]], published by [[RSA Laboratories]]. It provides the basic definitions of and recommendations for implementing the [[RSA (cryptosystem)|RSA]] algorithm for [[public-key cryptography]]. It defines the mathematical properties of public and private keys, primitive operations for encryption and signatures, secure cryptographic schemes, and related [[Abstract Syntax Notation One|ASN.1]] syntax representations. |
||
The current version is 2.2 (2012-10-27). Compared to 2.1 (2002-06-14), which was republished as RFC 3447, version 2.2 updates the list of allowed hashing algorithms to align them with FIPS 180-4, therefore adding SHA-224, SHA-512/224 and SHA-512/256. |
The current version is 2.2 (2012-10-27). Compared to 2.1 (2002-06-14), which was republished as RFC 3447, version 2.2 updates the list of allowed hashing algorithms to align them with FIPS 180-4, therefore adding SHA-224, SHA-512/224 and SHA-512/256. |
||
Line 37: | Line 37: | ||
There are two schemes for encryption and decryption: |
There are two schemes for encryption and decryption: |
||
⚫ | * {{tt|RSAES-PKCS1-v1_5}}: older Encryption/decryption Scheme (ES) as first standardized in version 1.5 of PKCS #1. '''Known-vulnerable.''' |
||
* RSAES-OAEP: improved '''E'''ncryption/decryption '''S'''cheme; based on the [[Optimal Asymmetric Encryption Padding]] scheme proposed by [[Mihir Bellare]] and [[Phillip Rogaway]]. |
|||
⚫ | * {{tt|RSAES-OAEP}}: improved ES; based on the [[optimal asymmetric encryption padding]] (OAEP) scheme proposed by [[Mihir Bellare]] and [[Phillip Rogaway]]. Recommended for new applications.{{efn|group=oaep|Note: A small change was made to RSAES-OAEP in PKCS #1 version 2.1, causing RSAES-OAEP in PKCS #1 version 2.0 to be totally incompatible with RSA-OAEP in PKCS #1 version 2.1 and version 2.2.}} |
||
⚫ |
* RSAES-PKCS1-v1_5: older |
||
⚫ | Note: A small change was made to RSAES-OAEP in PKCS #1 version 2.1, causing RSAES-OAEP in PKCS #1 version 2.0 to be totally incompatible with RSA-OAEP in PKCS #1 version 2.1 and version 2.2. |
||
There are also two schemes for dealing with signatures: |
There are also two schemes for dealing with signatures: |
||
* {{tt|RSASSA-PKCS1-v1_5}}: old Signature Scheme with Appendix (SSA) as first standardized in version 1.5 of PKCS #1. Unforgeable, according to Jager ''et al.'' (2018).<ref name=jager18>{{cite conference |last1=Jager |first1=Tibor |last2=Kakvi |first2=Saqib A. |last3=May |first3=Alexander |title=On the Security of the PKCS#1 v1.5 Signature Scheme |date=15 October 2018 |pages=1195–1208 |doi=10.1145/3243734.3243798 |url=https://eprint.iacr.org/2018/855.pdf|conference=The Second International Conference on Availability, Reliability and Security (ARES'07)}}</ref> |
|||
* RSASSA-PSS: improved |
* {{tt|RSASSA-PSS}}: improved SSA; based on the [[probabilistic signature scheme]] (PSS) originally invented by Bellare and Rogaway. Recommended for new applications. |
||
* RSASSA-PKCS1-v1_5: old '''S'''ignature '''S'''cheme with '''A'''ppendix as first standardized in version 1.5 of PKCS #1. |
|||
The two signature schemes make use of separately defined encoding methods: |
The two signature schemes make use of separately defined encoding methods: |
||
* EMSA- |
* {{tt|EMSA-PKCS1-v1_5}}: old encoding method for signature appendix (EMSA) as first standardized in version 1.5 of PKCS #1. |
||
* {{tt|EMSA-PSS}}: improved EMSA, based on the probabilistic signature scheme. Recommended for new applications. |
|||
* EMSA-PKCS1-v1_5: encoding method for signature appendix as first standardized in version 1.5 of PKCS #1. |
|||
⚫ | The signature schemes are actually signatures ''with appendix'', which means that rather than signing some input data directly, a [[hash function]] is used first to produce an intermediary representation of the data, and then the result of the hash is signed. This technique is almost always used with RSA because the amount of data that can be directly signed is proportional to the size of the keys; which is almost always much smaller than the amount of data an application may wish to sign. |
||
{{notelist|group=oaep}} |
|||
The signature schemes are actually signatures ''with appendix'', which means that rather than signing some input data |
|||
⚫ | directly, a [[hash function]] is used first to produce an intermediary representation of the data, and then the result of the hash is signed. This technique is almost always used with RSA because the amount of data that can be directly signed is proportional to the size of the keys; which is almost always much smaller than the amount of data an application may wish to sign. |
||
==Version history== |
==Version history== |
||
Line 65: | Line 64: | ||
Below is a list of cryptography libraries that provide support for PKCS#1: |
Below is a list of cryptography libraries that provide support for PKCS#1: |
||
{{div col|colwidth=15em}} |
|||
*[[Botan (programming library)|Botan]] |
*[[Botan (programming library)|Botan]] |
||
*[[Bouncy Castle (cryptography)|Bouncy Castle]] |
*[[Bouncy Castle (cryptography)|Bouncy Castle]] |
||
Line 75: | Line 75: | ||
*[[OpenSSL]] |
*[[OpenSSL]] |
||
*[[wolfCrypt]] |
*[[wolfCrypt]] |
||
{{div col end}} |
|||
== Attacks == |
== Attacks == |
||
Multiple attacks were discovered against PKCS #1 v1.5.<ref name="Coron">{{cite book|author=Jean-Sébastien Coron, Marc Joye, [[David Naccache]], and Pascal Paillier|title= |
Multiple attacks were discovered against PKCS #1 v1.5, specifically its padding scheme.<ref name="Coron">{{cite book|author=Jean-Sébastien Coron, Marc Joye, [[David Naccache]], and Pascal Paillier|title=Advances in Cryptology — EUROCRYPT 2000 |volume=1807|publisher=[[EUROCRYPT]]|year=2000|pages=369–381|url=https://www.iacr.org/archive/eurocrypt2000/1807/18070374-new.pdf|doi=10.1007/3-540-45539-6|isbn=978-3-540-67517-4|series=Lecture Notes in Computer Science|s2cid=8447520}}</ref><ref name="Bard12"/> |
||
In 1998, [[Daniel Bleichenbacher]] published a seminal paper on what became known as [[Adaptive chosen-ciphertext attack#Practical attacks|Bleichenbacher's attack]] (also known as "million message attack").<ref name="Bard12">{{cite thesis |
In 1998, [[Daniel Bleichenbacher]] published a seminal paper on what became known as [[Adaptive chosen-ciphertext attack#Practical attacks|Bleichenbacher's attack]] (also known as "million message attack"). The attack uses the padding as an oracle.<ref name="Bard12">{{cite thesis |
||
| url=https://hal.inria.fr/hal-00691958v3 |
| url=https://hal.inria.fr/hal-00691958v3 |
||
| title=Efficient Padding Oracle Attacks on Cryptographic Hardware |
| title=Efficient Padding Oracle Attacks on Cryptographic Hardware |
||
| |
|author=Romain Bardou |author2=Riccardo Focardi |author3=Yusuke Kawamoto |author4=Lorenzo Simionato |author5=Graham Steel |author6=Joe-Kai Tsay |
||
| journal=Rr-7944 |
| journal=Rr-7944 |
||
| publisher=[[INRIA]] |
| publisher=[[INRIA]] |
||
| date=2012 |
| date=2012 |
||
| page=19| type=report |
| page=19| type=report |
||
}}</ref><ref>{{IETF RFC|3218}} – Preventing the Million Message Attack on Cryptographic Message Syntax</ref> PKCS #1 was subsequently updated in the release 2.0 and patches were issued to users wishing to continue using the old version of the standard.<ref name="Coron"/> |
}}</ref><ref>{{IETF RFC|3218}} – Preventing the Million Message Attack on Cryptographic Message Syntax</ref> PKCS #1 was subsequently updated in the release 2.0 and patches were issued to users wishing to continue using the old version of the standard.<ref name="Coron"/> However, the vulnerable padding scheme remains in use and has resulted in subsequent attacks: |
||
* Bardou ''et al.'' (2012) find that several models of [[PKCS 11]] tokens still use the v1.5 padding scheme for RSA. They propose an improved version of Bleichenbacher's attack that requires fewer messages. As a result of this improvement, they managed to extract the secret key from several models in under an hour. They also show that the AES-CBC scheme is vulnerable to a different [[padding oracle attack]].<ref name="Bard12"/><ref>{{cite web |title=A bad couple of years for the cryptographic token industry |url=https://blog.cryptographyengineering.com/2012/06/21/bad-couple-of-years-for-cryptographic/ |website=A Few Thoughts on Cryptographic Engineering |language=en |date=21 June 2012 |first=Matthew |last=Green }}</ref> |
|||
|
* Böck ''et al.'' (2018) report that many modern [[HTTPS]] servers are vulnerable to a variation of the attack. TLS 1.2 contains anti-Bleichenbacher countermeasures, but the workarounds are not correctly implemented in many software due to their sheer complexity.<ref>{{Cite web |url = https://robotattack.org |title = ROBOT attack: Return Of Bleichenbacher's Oracle Threat |author=Hanno Böck |author2=Juraj Somorovsky |author3=Craig Young |access-date = February 27, 2018 }}</ref> |
||
In 2006, Bleichenbacher presented a new forgery attack against the signature scheme RSASSA-PKCS1-v1_5.<ref>{{cite book |
In 2006, Bleichenbacher presented a new forgery attack against the signature scheme RSASSA-PKCS1-v1_5.<ref>{{cite book |
||
| chapter=Analysis on Bleichenbacher's Forgery Attack |
| chapter=Analysis on Bleichenbacher's Forgery Attack |
||
| |
|author=Tetsuya Izu |author2=Masahiko Takenaka |author3=Takeshi Shimoyama |
||
| title=The Second International Conference on Availability, Reliability and Security (ARES'07) |
| title=The Second International Conference on Availability, Reliability and Security (ARES'07) |
||
| pages=1167–1174 |
| pages=1167–1174 |
||
Line 99: | Line 101: | ||
| doi=10.1109/ARES.2007.38| isbn=978-0-7695-2775-8 |
| doi=10.1109/ARES.2007.38| isbn=978-0-7695-2775-8 |
||
| s2cid=2459509 |
| s2cid=2459509 |
||
}}</ref> Variants of this attack are reported in 2008<ref>Kühn, Ulrich; Pyshkin, Andrei; Tews, Erik; Weinmann, Ralf-Philipp (2008): [https://dl.gi.de/items/91d7c4b0-c254-4fbb-b45c-190479a052b3 Variants of Bleichenbacher’s Low-Exponent Attack on PKCS#1 RSA Signatures.] SICHERHEIT 2008 – Sicherheit, Schutz und Zuverlässigkeit. Beiträge der 4. Jahrestagung des Fachbereichs Sicherheit der Gesellschaft für Informatik e.V. (GI). Bonn: Gesellschaft für Informatik e. V.. PISSN 1617-5468. {{ISBN|978-3-88579-222-2}}. pp. 97–109. Regular Research Papers. Saarbrücken. 2.- 4. April 2008</ref> and 2014.<ref>{{cite web |title=Advanced Threat Research {{!}} Intel Security |url=http://www.intelsecurity.com/advanced-threat-research/berserk.html |date=1 April 2015|archive-url=https://web.archive.org/web/20150401143322/http://www.intelsecurity.com/advanced-threat-research/berserk.html |archive-date=2015-04-01 }}</ref> This class of attack exploits a flawed implementation of the signature verification; a proper implementation would not be vulnerable.<ref name=jager18/> |
|||
}}</ref> |
|||
==See also== |
==See also== |
This article needs additional citations for verification. Please help improve this articlebyadding citations to reliable sources. Unsourced material may be challenged and removed.
Find sources: "PKCS 1" – news · newspapers · books · scholar · JSTOR (March 2019) (Learn how and when to remove this message) |
Incryptography, PKCS #1 is the first of a family of standards called Public-Key Cryptography Standards (PKCS), published by RSA Laboratories. It provides the basic definitions of and recommendations for implementing the RSA algorithm for public-key cryptography. It defines the mathematical properties of public and private keys, primitive operations for encryption and signatures, secure cryptographic schemes, and related ASN.1 syntax representations.
The current version is 2.2 (2012-10-27). Compared to 2.1 (2002-06-14), which was republished as RFC 3447, version 2.2 updates the list of allowed hashing algorithms to align them with FIPS 180-4, therefore adding SHA-224, SHA-512/224 and SHA-512/256.
The PKCS #1 standard defines the mathematical definitions and properties that RSA public and private keys must have. The traditional key pair is based on a modulus, n, that is the product of two distinct large prime numbers, p and q, such that .
Starting with version 2.1, this definition was generalized to allow for multi-prime keys, where the number of distinct primes may be two or more. When dealing with multi-prime keys, the prime factors are all generally labeled as for some i, such that:
As a notational convenience, and
.
The RSA public key is represented as the tuple , where the integer e is the public exponent.
The RSA private key may have two representations. The first compact form is the tuple , where d is the private exponent. The second form has at least five terms
, or more for multi-prime keys. Although mathematically redundant to the compact form, the additional terms allow for certain computational optimizations when using the key. In particular, the second format allows to derive the public key.[1]
The standard defines several basic primitives. The primitive operations provide the fundamental instructions for turning the raw mathematical formulas into computable algorithms.
By themselves the primitive operations do not necessarily provide any security. The concept of a cryptographic scheme is to define higher level algorithms or uses of the primitives so they achieve certain security goals.
There are two schemes for encryption and decryption:
There are also two schemes for dealing with signatures:
The two signature schemes make use of separately defined encoding methods:
The signature schemes are actually signatures with appendix, which means that rather than signing some input data directly, a hash function is used first to produce an intermediary representation of the data, and then the result of the hash is signed. This technique is almost always used with RSA because the amount of data that can be directly signed is proportional to the size of the keys; which is almost always much smaller than the amount of data an application may wish to sign.
Below is a list of cryptography libraries that provide support for PKCS#1:
Multiple attacks were discovered against PKCS #1 v1.5, specifically its padding scheme.[3][4]
In 1998, Daniel Bleichenbacher published a seminal paper on what became known as Bleichenbacher's attack (also known as "million message attack"). The attack uses the padding as an oracle.[4][5] PKCS #1 was subsequently updated in the release 2.0 and patches were issued to users wishing to continue using the old version of the standard.[3] However, the vulnerable padding scheme remains in use and has resulted in subsequent attacks:
In 2006, Bleichenbacher presented a new forgery attack against the signature scheme RSASSA-PKCS1-v1_5.[8] Variants of this attack are reported in 2008[9] and 2014.[10] This class of attack exploits a flawed implementation of the signature verification; a proper implementation would not be vulnerable.[2]
{{cite book}}
: CS1 maint: multiple names: authors list (link)