ASN.1 syntax,octet string是一個8 bytes sequence string.
RSA中涉及到的Data conversion:
1)I2OSP,Integer to Octet String(8bytes sequence);
Input: x nonnegative integer to be converted
xLen intended length of resulting octet string
Output:X corrsponding octet string of length xLen
2)OS2IP,octet string to a nonnegative integer,
Input:X octet string to be converted
Output:x corresponding nonnegative integer
Encryption和decryption primitives:
1)RSAEP( (n,e), m), Input (n,e) RSA public key
m message,integer 0 - n-1
Output c ciphertext
c = m^e mod n
2)RSADP(K, c), Input K RSA private key, a pair (n,d)
a quintuple(p, q, dp, dq, qinv)
c ciphertext,integer 0 - n-1
Output m message,integer 0 - n-1
m = c^d mod n
或者:
Signature和Verification privimitives:
1)RSASP1(K, m), Input K RSA private key, a pair (n, d)
a quintuple(p, q, dp, dq, qinv)
m mesage,integer 0 - n-1
Output s signature,integer 0 - n-1
s = m^d mod n
或者:
2)RSAVP1 ( (n,e), s) Input (n,e) RSA public key
s signature,integer 0 - n-1
Output m message, integer 0 - n-1
m = s^e mod n
RSASA-PSS的簽名流程:1)EMSA-PSS encoding, EM = EMSA-PSS-encode(M, modbits -1)
產生的EM的長度,經過取8mod向上取整,還是n;
2)RSA signature, m = OS2IP (EM)
s = RSASP1 (K, m)
S = I2OSP (s, k)
產生的簽名的長度一定是n;
RSASA-PKCS1-v1_5的簽名流程:1) EM = EMSA-PKCS1-v1_5 (M, k),k的大小為n的長度;
2) RSA signature,m = OS2IP (EM);
s = RSASP1 (K, m);
S = I2OSP (s, k);
產生的簽名的長度一定是n;
PKCS#1-V-1.5的signature encode方式:EMSA-PKCS1-v1_5-Encode (M, emlen)
輸入:
1) Hash function;hLen表示hash function output;
2) Message;
3) emlen,最少tLen+11,tLen表示對T進行DER之后的值的長度;
輸出:
1) EM,encoded message;
2) Error,“message too long”, encoded message length too short;
流程:
1)進行hash運算; H = Hash(m);
2)將hash function和hash value進行ASN.1的DER編碼,輸出T,T的長度為tLen;
3)如果emLen < tLen + 11,輸出error信息;
4)產生一個PS的字符串,以FF為最后一個有效字符;最少8個byte
5)將數據拼接起來,組成EM;
幾種hash算法的T的值:
SHA-1的T的長度:120+160 = 280
SHA-224、SHA-512/224的T的長度:154+224 = 378
SHA-256、SHA-512/256的T的長度:154+256 = 410
SHA-384的T的長度:154+384 = 538
SHA-512的T的長度:154+512 = 666
PKCS#1 PSS sign encode(M, embits) options: Hash function,hLen表示hash function的輸出octets的長度;
MGF mask generation function;
sLen,length in octets of the salt;
Input:M message to be encoded;
embits 8hLen + 8sLen + 9 < embits < EM的長度;
Output:EM,encoded message;EMLen = embits/8向上取整;
流程:1) mHash = Hash(M),hLen的長度;
2) emLen < hLen + sLen + 2,直接報錯;
3) 產生隨機數sLen長度的salt,sLen為0時,salt為空字符串;
4) M' = (0x)00 00 00 00 00 00 00 00 || mHash || salt,M'的長度為8+hLen+sLen
5) H = Hash(m'),長度hLen;
6) 產生字符串 PS,emLen - sLen -hLen -2個字符;
7) DB = PS || 0x01 || salt,DB的長度為emLen - hLen -1;
8) dbmask = MGF(H, emLen-hLen-1)
9) maskDB = DB^+dbmask;
10) 設置maskedDB的最左邊的8emLen - emBits個字符為零;
11) EM = maskDB || H || 0xbc;
MGF function:對輸入的數據進行hash壓縮或擴展;
MGF1(mgfseed, maskLen) Options Hash
Input: mgfseed,seed from which mask is generated;
maskLen,輸出mask的長度,最大2^32hLen;
Output:mask,輸出mask;
流程:
1)首先判斷maskLen < 2^32hLen;否則報錯;
2)T清空;
3)counter 從0 到 maskLen/hLen -1 做hash運算和拼接操作;
C = I2OSP (counter, 4), C一共是32byte;
T = T || Hash(mgfSeed || C)
驗簽與簽名的流程,完全相反,
加解密的流程,padding方式與sign/verify不同,