Requirements:
Input must be at least 1 1 bytes shorter than RSA key modulus, that is, RSA _ size(RSA)- 1 1.
If the input plaintext is too long, it must be cut and then filled in.
The output is as long as the modulus.
According to this requirement, for a key of 5 12bit, the block length is = 512/8–11= 53 bytes.
2)RSA _ pkcs 1 _ OAEP _ padding
RSA _ size(RSA)–4 1
3) Not filled for RSA_NO_PADDING.
RSA_size(rsa)
Generally speaking, we only use RSA to encrypt important data, such as AES key, 128bits = 16.
The encrypted output is always equal to the key length.
Encrypting the same data with the same key RSA will make the output different every time; But these encrypted results can be decrypted correctly.
—————
fundamental principle
I2osp-–Integer-to-Octal String Primitives Large integers are converted to byte strings.
I2OSP (x,xLen)
Input: x non-negative integers to be converted.
Possible length of xLen result byte string
————
Encryption principle RSAEP ((n, e), m)
Input: (n, e) RSA public key.
The value of m is a large integer between 0 and n- 1, which indicates a message.
Output: The value of c is a big integer between 0 and n- 1, which indicates ciphertext.
Assume that RSA public key (n, e) is valid.
Steps:
1. If m does not satisfy 0 2, let c = m^e% n (m the e power of m is divided by n, and the remainder is c).
3. Output c
Decryption principle RSADP (K, c)
Input: K RSA private key, where k is in the following form:
A pair of (n, d)
Quintuple (p, q, dP, dQ, qInv)
A possible empty ternary sequence (ri, di, ti), I = 3, ..., u.
C ciphertext
Output: m plaintext
Steps:
1. If ciphertext c does not satisfy 0.
2. Calculate m as follows:
A. if the first form (n, d) of the private key k is used, let m = c^d% n (c the d power of c is divided by n and the remainder is m).
B. if the second image of the private key k is (p, q, dP, dQ, qInv) and (ri, di, ti),
-
-
Encrypt RSA es-pkcs1-v1_ 5-encrypt ((n, e), m).
Input: (n, e) the public key of the receiver, where k represents the byte length occupied by n.
M the message to be encrypted, and mLen means the message length mlen ≤ k–11.
Output: c ciphertext, and the number of bytes occupied is also K.
Steps:
1. length check, if mlen >;; K- 1 1, output "message is too long"
2.EME-PKCS 1-v 1_5 coding.
A) generating a pseudo-random non-zero string PS with the length of k–mlen–3, so it is at least 8, because k–mlen >; 1 1
B) PS, M and other padding strings are encoded into EM with length k, that is:
EM = 0×00 || 0×02 || PS || 0×00 || M
3.RSA encryption
A) converting EM into a big certificate m
m = OS2IP(EM)
B) for the public key (n, e) and the big integer m, using RSAEP encryption principle, the integer ciphertext c is generated.
c = RSAEP((n,e0,m)
C) converting the integer c into a ciphertext string with a length of k
C = I2OSP(c,k)
4. output ciphertext c
—————-
Decrypt RSA ES-PKCS1-V1_ 5-decrypt (k, c).
The private key of the recipient.
C encrypted ciphertext string with length k (the same as RSA modulus n).
Output: m messages in plain text, with the maximum length of k- 1 1.
Steps:
1. length check: if the length of ciphertext c is not k bytes (or if k
2.RSA decryption
A, converting ciphertext c into a large integer C ..
c = OS2IP(C)
B. decrypt RSA private key (n, d) and ciphertext integer c to generate large integer m.
m = RSADP((n,d),c)
If RSADP outputs' ciphertext represents out of range' (indicating C >;; =n), output "Decryption Error".
C, converting m into an EM string with a length of k.
EM = I2OSP(m,k)
3.EME-PKCS 1-v 1_5 decoding: divide EM into non-zero PS string and message M.
EM = 0×00 || 0×02 || PS || 0×00 || M
If EM is not in the format given above, or the length of PS is less than 8 bytes, "Decryption Error" is output.
5. output plaintext message m.
——————–
Signature RSASSA-PSS- signature (k, m)
Enter the RSA private key of the k signer.
M generation signature message, a byte string
Output s signature, a byte string of length k, where k is the byte length of RSA modulus n.
Steps:
1.e MSA-PSS encoding: EMSA-PSS encoding operation is performed on the message M to generate an encoded message EM with the length of [(modBits-1)/8]. The bit length of integer OS2IP(EM) is at most modbits- 1, and modbits is the bit length of RSA modulus n.
EM = EMSA-PSS-ENCODE (M,mod bits– 1)
Note: If modBits- 1 is divisible by 8, the byte length of EM is smaller than k1; Otherwise, the length of EM bytes is k.
2.RSA signature:
A. the coded message EM is converted into a large integer m.
m = OS2IP(EM)
B, implementing RSASP 1 signature on the private key K and the message M, and generating a signature represented by a large integer S.
s = RSASP 1 (K,m)
C, converting a large integer s into a string signature s with a length of k.
S = I2OSP(s,k)
3. Output signature s
———–
Verification signature RSASSA-PSS- verification ((n, e), m, s).
Input: (n, e) signer's public key.
Message from m signer, a string.
The signature to verify, a string of length k. K is the length of RSA modulus n.
Output: "valid signature" or "invalid signature"
Steps:
1. length check: if the length of the signature s is not k, an' invalid signature' is output.
2.RSA authentication
A) converting the signature s into a large integer s
s = OS2IP (S)
B) the public key (n, e) and s are verified by RSAVP 1 to generate a large integer m.
m = RSAVP 1 ((n,e),s)
C) converting m into coded message EM with length emLen = [(modBits-1)/8] bytes. ModBits is the bit length of RSA modulus n.
EM = I2OSP (m,emLen)
Note: if modBits- 1 is divisible by 8, then emLen = k- 1, otherwise emLen = k.
3.e MSA-PSS verification: EMSA-PSS verification is performed on the message M and the encoded EM to determine whether they are consistent;
Result = EMSA-PSS- verification (m, EM, modbits–1)
4. If the result is = "consistent", output "valid signature"
Otherwise, output "invalid signature"
———–
Signature, you can also use EMSA-PKCS 1-V 1 _ 5 encoding method to generate EM:
EM = EMSA-pkcs 1-v 1 _ 5-ENCODE(M,k)
In order to verify the signature, EMSA-PKCS 1-v 1_5 is used to generate the second coded message EM' of M.
EM ' = EMSA-pkcs 1-v 1 _ 5-ENCODE(M,k)。
Then compare whether EM and EM' are the same.
———————
RSA has two encryption schemes: RSAES-OAEP and RSAES-PKCS 1-v 1_5. PKCS# 1 It is suggested to use RSAES- OAEP in new applications and keep RSA ES-PKCS #1-V1_ 5 compatible with old applications. The only difference between them is the way of encoding first and then encrypting. The purpose of encoding before encryption is to provide a security mechanism to resist malicious attacks of various activities.
There are also two schemes for the signature mechanism of PKCS# 1: RSASSA-PSS and rsassa-pkcs1-v1_ 5. Similarly, for new applications, it is recommended to use RSASSA-PSS, while for compatibility with old applications, it is recommended to use rSSASA-PKCS1-V1_ 5.
——————–
RSAES-OAEP encryption ((n, e), m, l)
Option: Hash hash function (hLen indicates the byte string length output by hash function)
MGF mask generation function
Input: (n, e) RSA public key of the receiver (k stands for byte length of RSA modulus n).
M message to be encrypted, a byte string mLen.
L optional label related to the message. If l is not provided, an empty string is used.
Output: c ciphertext, with a byte length of K.
Steps:
1. Length check
A. if the length of l exceeds the input limit of hash function (for SHA- 1, it is 2 6 1- 1), the output label is too long.
B.mlen & GTK–2hlen-2, the output message is too long.
2.EME-OAEP coding
To tell you the truth, I haven't understood it for a long time. . . . . . .