Jump to content

Main menu Navigation ●Main page ●Contents ●Current events ●Random article ●About Wikipedia ●Contact us ●Donate Contribute ●Help ●Learn to edit ●Community portal ●Recent changes ●Upload file

●Create account ●Log in ●Create account ● Log in Pages for logged out editors learn more ●Contributions ●Talk

(Top) 1 Keys 2 Primitives 3 Schemes 4 Version history 5 Implementations 6 Attacks 7 See also 8 References 9 External links

PKCS 1: Difference between revisions

●Čeština ●Deutsch ●Português Edit links ●Article ●Talk ●Read ●Edit ●View history Tools Actions ●Read ●Edit ●View history General ●What links here ●Related changes ●Upload file ●Special pages ●Permanent link ●Page information ●Cite this page ●Get shortened URL ●Download QR code ●Wikidata item Print/export ●Download as PDF ●Printable version Print/export Appearance Help From Wikipedia, the free encyclopedia Browse history interactively

← Previous edit Next edit →

Content deleted Content added

VisualWikitext

Inline

Revision as of 09:43, 18 February 2024

This article needs additional citations for verification. Please help improve this articlebyadding citations to reliable sources. Unsourced material may be challenged and removed.
Find sources: "PKCS 1" – news · newspapers · books · scholar · JSTOR (March 2019) (Learn how and when to remove this message)

Incryptography, PKCS #1 is the first of a family of standards called Public-Key Cryptography Standards (PKCS), published by RSA Laboratories. It provides the basic definitions of and recommendations for implementing the RSA algorithm for public-key cryptography. It defines the mathematical properties of public and private keys, primitive operations for encryption and signatures, secure cryptographic schemes, and related ASN.1 syntax representations.

The current version is 2.2 (2012-10-27). Compared to 2.1 (2002-06-14), which was republished as RFC 3447, version 2.2 updates the list of allowed hashing algorithms to align them with FIPS 180-4, therefore adding SHA-224, SHA-512/224 and SHA-512/256.

Keys

The PKCS #1 standard defines the mathematical definitions and properties that RSA public and private keys must have. The traditional key pair is based on a modulus, $n$ , that is the product of two distinct large prime numbers, $p$ and $q$ , such that $n=pq$ .

Starting with version 2.1, this definition was generalized to allow for multi-prime keys, where the number of distinct primes may be two or more. When dealing with multi-prime keys, the prime factors are all generally labeled as $r_{i}$ for some $i$ , such that:

n=r_{1}r_{2}\cdots r_{i},

for

i\geq 2

As a notational convenience, $p=r_{1}$ and $q=r_{2}$ .

The RSA public key is represented as the tuple $(n,e)$ , where the integer $e$ is the public exponent.

The RSA private key may have two representations. The first compact form is the tuple $(n,d)$ , where $d$ is the private exponent. The second form has at least five terms ⁠ $(p,q,dp,dq,qinv)$ ⁠, or more for multi-prime keys. Although mathematically redundant to the compact form, the additional terms allow for certain computational optimizations when using the key. In particular, the second format allows to derive the public key.^[1]

Primitives

The standard defines several basic primitives. The primitive operations provide the fundamental instructions for turning the raw mathematical formulas into computable algorithms.

I2OSP - Integer to Octet String Primitive - Converts a (potentially very large) non-negative integer into a sequence of bytes (octet string).
OS2IP - Octet String to Integer Primitive - Interprets a sequence of bytes as a non-negative integer
RSAEP - RSA Encryption Primitive - Encrypts a message using a public key
RSADP - RSA Decryption Primitive - Decrypts ciphertext using a private key
RSASP1 - RSA Signature Primitive 1 - Creates a signature over a message using a private key
RSAVP1 - RSA Verification Primitive 1 - Verifies a signature is for a message using a public key

Schemes

By themselves the primitive operations do not necessarily provide any security. The concept of a cryptographic scheme is to define higher level algorithms or uses of the primitives so they achieve certain security goals.

There are two schemes for encryption and decryption:

RSAES-PKCS1-v1_5: older Encryption/decryption Scheme (ES) as first standardized in version 1.5 of PKCS #1. Known-vulnerable.
RSAES-OAEP: improved ES; based on the optimal asymmetric encryption padding (OAEP) scheme proposed by Mihir Bellare and Phillip Rogaway. Recommended for new applications.^[a]

There are also two schemes for dealing with signatures:

RSASSA-PKCS1-v1_5: old Signature Scheme with Appendix (SSA) as first standardized in version 1.5 of PKCS #1. Known-vulnerable.
RSASSA-PSS: improved SSA; based on the probabilistic signature scheme (PSS) originally invented by Bellare and Rogaway. Recommended for new applications.

The two signature schemes make use of separately defined encoding methods:

EMSA-PKCS1-v1_5: old encoding method for signature appendix (EMSA) as first standardized in version 1.5 of PKCS #1.
EMSA-PSS: improved EMSA, based on the probabilistic signature scheme. Recommended for new applications.

The signature schemes are actually signatures with appendix, which means that rather than signing some input data directly, a hash function is used first to produce an intermediary representation of the data, and then the result of the hash is signed. This technique is almost always used with RSA because the amount of data that can be directly signed is proportional to the size of the keys; which is almost always much smaller than the amount of data an application may wish to sign.

^ Note: A small change was made to RSAES-OAEP in PKCS #1 version 2.1, causing RSAES-OAEP in PKCS #1 version 2.0 to be totally incompatible with RSA-OAEP in PKCS #1 version 2.1 and version 2.2.

Version history

Versions 1.1–1.3, February through March 1991, privately distributed.
Version 1.4, June 1991, published for NIST/OSI Implementors' Workshop.
Version 1.5, November 1993. First public publication. Republished as RFC 2313.
Version 2.0, September 1998. Republished as RFC 2437. Introduced the RSAEP-OAEP encryption scheme.
Version 2.1, June 2002. Republished as RFC 3447. Introduced multi-prime RSA and the RSASSA-PSS signature scheme
Version 2.2, October 2012. Republished as RFC 8017.

Implementations

Below is a list of cryptography libraries that provide support for PKCS#1:

Attacks

Multiple attacks were discovered against PKCS #1 v1.5. The padding scheme is vulnerable to well-known padding oracle attacks.^[2]^[3]

In 1998, Daniel Bleichenbacher published a seminal paper on what became known as Bleichenbacher's attack (also known as "million message attack").^[3]^[4] PKCS #1 was subsequently updated in the release 2.0 and patches were issued to users wishing to continue using the old version of the standard.^[2] However, the vulnerable padding scheme remains in use and has resulted in subsequent attacks:

Bardou et al. (2012) find that several models of PKCS 11 tokens still use the v1.5 padding scheme for RSA and AES-CBC. They propose an improved version of Bleichenbacher's attack that requires fewer messages. As a result of this improvement, they managed to extract the secret key from several models in under an hour.^[3]^[5]
Böck et al. (2018) report that many modern HTTPS servers are vulnerable to a variation of the attack. TLS 1.2 contains anti-Bleichenbacher countermeasures, but the workarounds are not correctly implemented in many software due to their sheer complexity.^[6]

In 2006, Bleichenbacher presented a new forgery attack against the signature scheme RSASSA-PKCS1-v1_5.^[7]

References

^ Ilmari Karonen (27 October 2017). "Can I get a public key from an RSA private key?". Stack Exchange.

^ ^a ^b Jean-Sébastien Coron, Marc Joye, David Naccache, and Pascal Paillier (2000). Advances in Cryptology — EUROCRYPT 2000 (PDF). Lecture Notes in Computer Science. Vol. 1807. EUROCRYPT. pp. 369–381. doi:10.1007/3-540-45539-6. ISBN 978-3-540-67517-4. S2CID 8447520.{{cite book}}: CS1 maint: multiple names: authors list (link)

^ ^a ^b ^c Romain Bardou; Riccardo Focardi; Yusuke Kawamoto; Lorenzo Simionato; Graham Steel; Joe-Kai Tsay (2012). Efficient Padding Oracle Attacks on Cryptographic Hardware. Rr-7944 (report). INRIA. p. 19.

^ RFC 3218 – Preventing the Million Message Attack on Cryptographic Message Syntax

^ "A bad couple of years for the cryptographic token industry". A Few Thoughts on Cryptographic Engineering. 21 June 2012.

^ Hanno Böck; Juraj Somorovsky; Craig Young. "ROBOT attack: Return Of Bleichenbacher's Oracle Threat". Retrieved February 27, 2018.

^ Tetsuya Izu; Masahiko Takenaka; Takeshi Shimoyama (April 2007). "Analysis on Bleichenbacher's Forgery Attack". The Second International Conference on Availability, Reliability and Security (ARES'07). IEEE. pp. 1167–1174. doi:10.1109/ARES.2007.38. ISBN 978-0-7695-2775-8. S2CID 2459509.

External links

RFC 8017 - PKCS #1: RSA Cryptography Specifications Version 2.2
PKCS #1 v2.2: RSA Cryptography Standard at the Wayback Machine (archived April 10, 2016)
Raising the Standard for RSA Signatures: RSA-PSS at the Wayback Machine (archived 2004-04-04)

Cryptography

General

Mathematics

Category

Retrieved from "https://en.wikipedia.org/w/index.php?title=PKCS_1&oldid=1208642098" Categories: ●Cryptography standards ●Digital signature schemes ●Digital Signature Standard Hidden categories: ●CS1 maint: multiple names: authors list ●Articles with short description ●Short description matches Wikidata ●Restricted titles (non-leading number sign) ●Articles needing additional references from March 2019 ●All articles needing additional references ●Webarchive template wayback links ●This page was last edited on 18 February 2024, at 09:43 (UTC). ●This version of the page has been revised. Besides normal editing, the reason for revision may have been that this version contains factual inaccuracies, vandalism, or material not compatible with the Creative Commons Attribution-ShareAlike License. ●Privacy policy ●About Wikipedia ●Disclaimers ●Contact Wikipedia ●Code of Conduct ●Developers ●Statistics ●Cookie statement ●Mobile view