PKCS #1

In cryptography, PKCS #1 is the first of a family of standards called Public-Key Cryptography Standards (PKCS), published by RSA Laboratories. It provides the basic definitions of and recommendations for implementing the RSA algorithm for public-key cryptography. It defines the mathematical properties of public and private keys, primitive operations for encryption and signatures, secure cryptographic schemes, and the related ASN.1 syntax representations.

The current version is 2.2 (2012-10-27). Compared to 2.1 (2002-06-14), which was republished as RFC 3447, version 2.2 updates the list of allowed hash algorithms to align it with FIPS 180-4, adding SHA-224, SHA-512/224 and SHA-512/256.


Keys

The PKCS #1 standard defines the mathematical definitions and properties that RSA public and private keys must have. The traditional key pair is based on a modulus n that is the product of two distinct large prime numbers p and q, such that n = pq. Starting with version 2.1, this definition was generalized to allow multi-prime keys, where the number of distinct primes may be two or more. For multi-prime keys the prime factors are all labeled r_i, such that

: n = r_1 r_2 \cdots r_i, for i \ge 2

As a notational convenience, p = r_1 and q = r_2. The RSA public key is represented as the tuple (n, e), where the integer e is the public exponent. The RSA private key may have two representations. The first, compact form is the tuple (n, d), where d is the private exponent. The second form has at least five terms for a two-prime key, and more for multi-prime keys. Although mathematically redundant to the compact form, the additional terms allow certain computational optimizations when using the key, notably performing the private operation with the Chinese remainder theorem on the individual primes. In particular, the second form allows the public key to be derived from the private key, which the compact (n, d) form does not determine.


Primitives

The standard defines several basic primitives. The primitive operations provide the fundamental instructions for turning the raw mathematical formulas into computable algorithms:

* I2OSP – Integer to Octet String Primitive – Converts a (potentially very large) non-negative integer into a sequence of bytes (octet string) of a requested length.
* OS2IP – Octet String to Integer Primitive – Interprets a sequence of bytes as a non-negative integer.
* RSAEP – RSA Encryption Primitive – Encrypts a message representative using a public key.
* RSADP – RSA Decryption Primitive – Decrypts a ciphertext representative using a private key.
* RSASP1 – RSA Signature Primitive 1 – Produces a signature representative from a message representative using a private key.
* RSAVP1 – RSA Verification Primitive 1 – Recovers the message representative from a signature representative using a public key; the comparison with the expected value is left to the scheme that calls it.

Each primitive first checks that its integer input lies in the range 0 to n - 1 and fails otherwise.
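
The key representations from the Keys section and the six primitives above, as an added worked example in Python. This is not code from PKCS #1 or from any of the libraries listed later on this page. It builds a two-prime key from constructed toy primes (the Mersenne primes 2^61-1 and 2^31-1, which are far too small and too structured for real use), produces both private-key representations, where the second form for a two-prime key is the quintuple (p, q, dP, dQ, qInv) of PKCS #1 section 3.2, implements I2OSP, OS2IP, RSAEP, RSADP (in both the compact and the CRT form), RSASP1 and RSAVP1 with the range checks the standard requires, and shows that the second representation determines the public exponent. The function names and the sample octet string are the example's own.

```python
# Added example (not from PKCS #1 or any library): RSA key forms and the six
# PKCS #1 v2.2 primitives in pure Python.  Primes are constructed toy values.
from math import gcd

# Constructed toy primes (Mersenne primes 2^61-1 and 2^31-1).  Far too small and
# too structured for real use; real keys need random primes of >= 1024 bits each.
P = 2**61 - 1
Q = 2**31 - 1
E = 65537


def make_private_key(p, q, e):
    """Return a dict holding both PKCS #1 private-key representations (sec. 3.2).

    Compact form: (n, d).  Second form for a two-prime key: (p, q, dP, dQ, qInv),
    which lets the private operation use the Chinese remainder theorem (CRT).
    """
    n = p * q
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)   # lambda(n); phi(n) also works
    if gcd(e, lam) != 1:
        raise ValueError("e must be invertible modulo lambda(n)")
    d = pow(e, -1, lam)
    return {"n": n, "e": e, "d": d, "p": p, "q": q,
            "dP": d % (p - 1), "dQ": d % (q - 1), "qInv": pow(q, -1, p)}


def i2osp(x, x_len):
    """Integer-to-Octet-String Primitive (sec. 4.1): big-endian, exactly x_len octets."""
    if x < 0 or x >= 256 ** x_len:
        raise ValueError("integer too large")
    return x.to_bytes(x_len, "big")


def os2ip(octets):
    """Octet-String-to-Integer Primitive (sec. 4.2)."""
    return int.from_bytes(octets, "big")


def rsaep(pub, m):
    """RSA Encryption Primitive (sec. 5.1.1): c = m^e mod n."""
    n, e = pub
    if not 0 <= m < n:
        raise ValueError("message representative out of range")
    return pow(m, e, n)


def _crt_exp(key, x):
    """x^d mod n computed with the CRT terms (sec. 5.1.2, step 2.b):
    two half-size exponentiations instead of one full-size one."""
    m1 = pow(x, key["dP"], key["p"])
    m2 = pow(x, key["dQ"], key["q"])
    h = (key["qInv"] * (m1 - m2)) % key["p"]
    return m2 + key["q"] * h


def rsadp_compact(key, c):
    """RSA Decryption Primitive with the (n, d) form (sec. 5.1.2, step 2.a)."""
    if not 0 <= c < key["n"]:
        raise ValueError("ciphertext representative out of range")
    return pow(c, key["d"], key["n"])


def rsadp_crt(key, c):
    """RSADP with the second form; same result as rsadp_compact."""
    if not 0 <= c < key["n"]:
        raise ValueError("ciphertext representative out of range")
    return _crt_exp(key, c)


def rsasp1(key, m):
    """RSA Signature Primitive 1 (sec. 5.2.1): s = m^d mod n (same math as RSADP)."""
    if not 0 <= m < key["n"]:
        raise ValueError("message representative out of range")
    return _crt_exp(key, m)


def rsavp1(pub, s):
    """RSA Verification Primitive 1 (sec. 5.2.2): m = s^e mod n.
    It only recovers the representative; comparing it is the scheme's job."""
    n, e = pub
    if not 0 <= s < n:
        raise ValueError("signature representative out of range")
    return pow(s, e, n)


def public_exponent_from_crt(key):
    """The second form determines e (e = dP^-1 mod (p-1)); the compact (n, d) form does not."""
    return pow(key["dP"], -1, key["p"] - 1)


def demo():
    key = make_private_key(P, Q, E)
    pub = (key["n"], key["e"])
    msg = b"\x00PKCS#1"                 # constructed 7-octet input with a leading zero
    m = os2ip(msg)                      # the leading zero is lost here ...
    c = rsaep(pub, m)
    same = rsadp_compact(key, c) == rsadp_crt(key, c) == m
    verified = rsavp1(pub, rsasp1(key, m)) == m
    recovered = i2osp(m, len(msg))      # ... and restored only because I2OSP is told the length
    return same, verified, recovered == msg, public_exponent_from_crt(key) == E
```

The range checks are part of the primitives, not optional hygiene: RSAEP, RSADP, RSASP1 and RSAVP1 must reject representatives outside 0 to n - 1, and I2OSP must fail rather than silently truncate, which is why it takes an explicit length. The demo also shows why the schemes always carry that length around: OS2IP discards leading zero octets, and only I2OSP with the right length restores them.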


Schemes

By themselves the primitive operations do not provide any security. A cryptographic scheme defines higher-level algorithms, or uses of the primitives, that achieve particular security goals. There are two schemes for encryption and decryption:

* RSAES-PKCS1-v1_5: the older Encryption Scheme (ES), first standardized in version 1.5 of PKCS #1. Known-vulnerable (see Attacks below).
* RSAES-OAEP: the improved ES, based on the Optimal Asymmetric Encryption Padding (OAEP) scheme proposed by Mihir Bellare and Phillip Rogaway. Recommended for new applications.

There are also two schemes for signatures:

* RSASSA-PKCS1-v1_5: the old Signature Scheme with Appendix (SSA), first standardized in version 1.5 of PKCS #1. Proven unforgeable under certain assumptions by Jager et al. (2018), although that result holds only for verifiers that follow the specification exactly (see Attacks below).
* RSASSA-PSS: the improved SSA, based on the Probabilistic Signature Scheme (PSS) originally invented by Bellare and Rogaway. Recommended for new applications.

The two signature schemes use separately defined encoding methods:

* EMSA-PKCS1-v1_5: the old Encoding Method for Signatures with Appendix (EMSA), first standardized in version 1.5 of PKCS #1.
* EMSA-PSS: the improved EMSA, based on the probabilistic signature scheme. Recommended for new applications.

The signature schemes are signatures with appendix: rather than signing the input data directly, a hash function is first used to produce a fixed-size intermediary representation of the data, and that hash value, wrapped by the encoding method, is what gets signed. This technique is almost always used with RSA because the amount of data that can be signed directly is bounded by the size of the modulus, which is almost always much smaller than the amount of data an application wishes to sign.


Version history

* Versions 1.1–1.3, February through March 1991, privately distributed.
* Version 1.4, June 1991, published for the NIST/OSI Implementors' Workshop.
* Version 1.5, November 1993. First public publication. Republished as an RFC.
* Version 2.0, September 1998. Republished as an RFC. Introduced the RSAES-OAEP encryption scheme.
* Version 2.1, June 2002. Republished as RFC 3447. Introduced multi-prime RSA and the RSASSA-PSS signature scheme.
* Version 2.2, October 2012. Republished as an RFC.


Implementations

Below is a list of cryptography libraries that provide support for PKCS #1:

* Botan
* Bouncy Castle
* BSAFE
* cryptlib
* Crypto++
* Libgcrypt
* Mbed TLS
* Nettle
* OpenSSL
* wolfCrypt


Attacks

Multiple attacks have been discovered against PKCS #1 v1.5, specifically its padding scheme. In 1998, Daniel Bleichenbacher published a seminal paper on what became known as Bleichenbacher's attack (also known as the "million message attack"). The attack uses the decryptor's padding check as an oracle: by submitting adaptively chosen ciphertexts and learning only whether each one decrypts to correctly padded plaintext, an attacker can recover the plaintext of a target ciphertext, typically after on the order of a million queries, without the private key. PKCS #1 was subsequently updated in release 2.0, and patches were issued for users wishing to continue using the old version of the standard. However, the vulnerable padding scheme remains in use and has led to subsequent attacks:

* Bardou et al. (2012) find that several models of PKCS #11 tokens still use the v1.5 padding scheme for RSA. They propose an improved version of Bleichenbacher's attack that requires fewer messages; with it they managed to extract the secret key from several models in under an hour. They also show that the tokens' AES-CBC scheme is vulnerable to a different padding oracle attack.
* Böck et al. (2018), in the attack they named ROBOT, report that many modern HTTPS servers are vulnerable to a variation of the attack. TLS 1.2 specifies anti-Bleichenbacher countermeasures, but the workarounds are not correctly implemented in much software because of their sheer complexity.

In 2006, Bleichenbacher presented a new forgery attack against the signature scheme RSASSA-PKCS1-v1_5. Variants of this attack were reported in 2008 and 2014. This class of attack exploits a flawed implementation of signature verification: a verifier that parses the padding and the DigestInfo out of the recovered encoded message and ignores whatever follows can be fooled, when the public exponent is small (such as e = 3), by a "signature" whose cube merely begins with the expected bytes. A proper implementation, which re-encodes the message and compares the entire encoded message as PKCS #1 specifies, is not vulnerable.
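
The v1.5 signature scheme from the Schemes section and the verification flaw just described, as one added Python example; it is not code from PKCS #1, from Bleichenbacher's paper or from any library listed on this page. It implements EMSA-PKCS1-v1_5 with SHA-256, signs with RSASSA-PKCS1-v1_5, and contrasts the verifier that PKCS #1 v2.2 section 8.2.2 specifies (re-encode the message and compare the whole encoded message) with a lenient parser that stops checking after the DigestInfo; against that parser and a public exponent of 3 it then builds the cube-root forgery. Everything concrete is constructed for the example: the signing key is built from Mersenne primes so the run is deterministic (such keys are trivially factorable and must never be used for anything else), the e = 3 modulus consists of public values only, since the forgery needs no private key, the lenient verifier models the bug class rather than any particular product's code, and the message is made up.

```python
# Added example, not code from PKCS #1 or from any library.  EMSA-PKCS1-v1_5 /
# RSASSA-PKCS1-v1_5 with SHA-256, a strict verifier as the standard specifies,
# a lenient verifier of the kind the 2006 forgery defeats, and that forgery.
import hashlib
import hmac

# DER prefix of DigestInfo for SHA-256 (PKCS #1 v2.2, sec. 9.2, note 1); the hash follows it.
SHA256_DIGESTINFO_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

# Constructed toy signing key from Mersenne primes (deterministic but trivially
# factorable: NEVER use such a key).  Real keys need random primes >= 1024 bits each.
SIGN_P, SIGN_Q, SIGN_E = 2**521 - 1, 2**607 - 1, 65537
SIGN_N = SIGN_P * SIGN_Q
SIGN_D = pow(SIGN_E, -1, (SIGN_P - 1) * (SIGN_Q - 1))
# Public values only for the forgery target.  The attack never signs, so it does
# not matter that no private exponent exists for e = 3 with this modulus.
WEAK_N, WEAK_E = (2**1279 - 1) * (2**607 - 1), 3


def octet_len(n):
    return (n.bit_length() + 7) // 8


def digest_info(message):
    return SHA256_DIGESTINFO_PREFIX + hashlib.sha256(message).digest()


def emsa_pkcs1_v1_5_encode(message, em_len):
    """sec. 9.2: EM = 0x00 || 0x01 || PS || 0x00 || T, PS = 0xFF octets, |PS| >= 8."""
    t = digest_info(message)
    if em_len < len(t) + 11:
        raise ValueError("intended encoded message length too short")
    return b"\x00\x01" + b"\xff" * (em_len - len(t) - 3) + b"\x00" + t


def rsassa_pkcs1_v1_5_sign(n, d, message):
    k = octet_len(n)
    m = int.from_bytes(emsa_pkcs1_v1_5_encode(message, k), "big")   # OS2IP
    return pow(m, d, n).to_bytes(k, "big")                            # RSASP1 + I2OSP


def verify_strict(n, e, message, signature):
    """sec. 8.2.2: recover EM with RSAVP1, recompute EM', accept only if identical."""
    k = octet_len(n)
    if len(signature) != k:
        return False
    s = int.from_bytes(signature, "big")
    if s >= n:
        return False
    em = pow(s, e, n).to_bytes(k, "big")
    try:
        em_prime = emsa_pkcs1_v1_5_encode(message, k)
    except ValueError:
        return False
    return hmac.compare_digest(em, em_prime)


def verify_lenient(n, e, message, signature):
    """Flawed verifier: walks the padding, checks DigestInfo, ignores whatever follows.
    Nothing pins T to the end of EM, which is what the cube-root forgery exploits."""
    k = octet_len(n)
    em = pow(int.from_bytes(signature, "big"), e, n).to_bytes(k, "big")
    if em[:2] != b"\x00\x01":
        return False
    i = 2
    while i < k and em[i] == 0xFF:
        i += 1
    if i < 10 or i >= k or em[i] != 0x00:
        return False
    t = digest_info(message)
    return em[i + 1:i + 1 + len(t)] == t        # bytes beyond T are never examined


def icbrt(x):
    """Largest integer r with r**3 <= x (binary search)."""
    lo, hi = 0, 1 << ((x.bit_length() + 2) // 3 + 1)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if mid ** 3 <= x:
            lo = mid
        else:
            hi = mid - 1
    return lo


def forge_e3(n, message):
    """Bleichenbacher-style forgery for e = 3 against verify_lenient, no private key.
    Put the shortest valid prefix at the top of EM, zeros below it, and take the cube
    root rounded up: s**3 still starts with the prefix as long as the zero region is
    wide enough (roughly, the modulus must be more than three times the prefix length)."""
    k = octet_len(n)
    prefix = b"\x00\x01" + b"\xff" * 8 + b"\x00" + digest_info(message)
    target = int.from_bytes(prefix + b"\x00" * (k - len(prefix)), "big")
    s = icbrt(target)
    if s ** 3 < target:
        s += 1
    assert s ** 3 < n        # s^3 mod n is just s^3: no reduction can disturb the prefix
    return s.to_bytes(k, "big")


def demo():
    msg = b"constructed message"
    sig = rsassa_pkcs1_v1_5_sign(SIGN_N, SIGN_D, msg)
    forged = forge_e3(WEAK_N, msg)
    return (
        verify_strict(SIGN_N, SIGN_E, msg, sig),        # True: genuine signature
        verify_strict(SIGN_N, SIGN_E, b"other", sig),   # False: wrong message
        verify_lenient(WEAK_N, WEAK_E, msg, forged),    # True: forgery accepted
        verify_strict(WEAK_N, WEAK_E, msg, forged),     # False: rejected as specified
    )
```

Both verifiers accept the genuine signature; they disagree only on the forgery. What makes the strict verifier safe is that it never parses EM at all, so any deviation, trailing bytes included, changes the comparison result. The forgery needs the cube root's rounding error to stay inside the ignored region, which is why it works only for e = 3 and moduli well over three times the length of the fixed prefix; the variants reported in 2008 and 2014 relax the parsing assumptions, not this structure.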


See also

* Comparison of cryptography libraries


External links

* PKCS #1: RSA Cryptography Specifications Version 2.2