Current location - Quotes Website - Personality signature - What is the filling method of pkcs 1 in RSA?
What is the filling method of pkcs 1 in RSA?
1) RSA _ pkcs1_ padding mode, the most commonly used mode.

Requirements:

Input must be at least 1 1 bytes shorter than RSA key modulus, that is, RSA _ size(RSA)- 1 1.

If the input plaintext is too long, it must be cut and then filled in.

The output is as long as the modulus.

According to this requirement, for a key of 5 12bit, the block length is = 512/8–11= 53 bytes.

2)RSA _ pkcs 1 _ OAEP _ padding

RSA _ size(RSA)–4 1

3) Not filled for RSA_NO_PADDING.

RSA_size(rsa)

Generally speaking, we only use RSA to encrypt important data, such as AES key, 128bits = 16.

The encrypted output is always equal to the key length.

Encrypting the same data with the same key RSA will make the output different every time; But these encrypted results can be decrypted correctly.

—————

fundamental principle

I2osp-–Integer-to-Octal String Primitives Large integers are converted to byte strings.

I2OSP (x,xLen)

Input: x non-negative integers to be converted.

Possible length of xLen result byte string

————

Encryption principle RSAEP ((n, e), m)

Input: (n, e) RSA public key.

The value of m is a large integer between 0 and n- 1, which indicates a message.

Output: The value of c is a big integer between 0 and n- 1, which indicates ciphertext.

Assume that RSA public key (n, e) is valid.

Steps:

1. If m does not satisfy 0 2, let c = m^e% n (m the e power of m is divided by n, and the remainder is c).

3. Output c

Decryption principle RSADP (K, c)

Input: K RSA private key, where k is in the following form:

A pair of (n, d)

Quintuple (p, q, dP, dQ, qInv)

A possible empty ternary sequence (ri, di, ti), I = 3, ..., u.

C ciphertext

Output: m plaintext

Steps:

1. If ciphertext c does not satisfy 0.

2. Calculate m as follows:

A. if the first form (n, d) of the private key k is used, let m = c^d% n (c the d power of c is divided by n and the remainder is m).

B. if the second image of the private key k is (p, q, dP, dQ, qInv) and (ri, di, ti),

-

-

Encrypt RSA es-pkcs1-v1_ 5-encrypt ((n, e), m).

Input: (n, e) the public key of the receiver, where k represents the byte length occupied by n.

M the message to be encrypted, and mLen means the message length mlen ≤ k–11.

Output: c ciphertext, and the number of bytes occupied is also K.

Steps:

1. length check, if mlen >;; K- 1 1, output "message is too long"

2.EME-PKCS 1-v 1_5 coding.

A) generating a pseudo-random non-zero string PS with the length of k–mlen–3, so it is at least 8, because k–mlen >; 1 1

B) PS, M and other padding strings are encoded into EM with length k, that is:

EM = 0×00 || 0×02 || PS || 0×00 || M

3.RSA encryption

A) converting EM into a big certificate m

m = OS2IP(EM)

B) for the public key (n, e) and the big integer m, using RSAEP encryption principle, the integer ciphertext c is generated.

c = RSAEP((n,e0,m)

C) converting the integer c into a ciphertext string with a length of k

C = I2OSP(c,k)

4. output ciphertext c

—————-

Decrypt RSA ES-PKCS1-V1_ 5-decrypt (k, c).

The private key of the recipient.

C encrypted ciphertext string with length k (the same as RSA modulus n).

Output: m messages in plain text, with the maximum length of k- 1 1.

Steps:

1. length check: if the length of ciphertext c is not k bytes (or if k

2.RSA decryption

A, converting ciphertext c into a large integer C ..

c = OS2IP(C)

B. decrypt RSA private key (n, d) and ciphertext integer c to generate large integer m.

m = RSADP((n,d),c)

If RSADP outputs' ciphertext represents out of range' (indicating C >;; =n), output "Decryption Error".

C, converting m into an EM string with a length of k.

EM = I2OSP(m,k)

3.EME-PKCS 1-v 1_5 decoding: divide EM into non-zero PS string and message M.

EM = 0×00 || 0×02 || PS || 0×00 || M

If EM is not in the format given above, or the length of PS is less than 8 bytes, "Decryption Error" is output.

5. output plaintext message m.

——————–

Signature RSASSA-PSS- signature (k, m)

Enter the RSA private key of the k signer.

M generation signature message, a byte string

Output s signature, a byte string of length k, where k is the byte length of RSA modulus n.

Steps:

1.e MSA-PSS encoding: EMSA-PSS encoding operation is performed on the message M to generate an encoded message EM with the length of [(modBits-1)/8]. The bit length of integer OS2IP(EM) is at most modbits- 1, and modbits is the bit length of RSA modulus n.

EM = EMSA-PSS-ENCODE (M,mod bits– 1)

Note: If modBits- 1 is divisible by 8, the byte length of EM is smaller than k1; Otherwise, the length of EM bytes is k.

2.RSA signature:

A. the coded message EM is converted into a large integer m.

m = OS2IP(EM)

B, implementing RSASP 1 signature on the private key K and the message M, and generating a signature represented by a large integer S.

s = RSASP 1 (K,m)

C, converting a large integer s into a string signature s with a length of k.

S = I2OSP(s,k)

3. Output signature s

———–

Verification signature RSASSA-PSS- verification ((n, e), m, s).

Input: (n, e) signer's public key.

Message from m signer, a string.

The signature to verify, a string of length k. K is the length of RSA modulus n.

Output: "valid signature" or "invalid signature"

Steps:

1. length check: if the length of the signature s is not k, an' invalid signature' is output.

2.RSA authentication

A) converting the signature s into a large integer s

s = OS2IP (S)

B) the public key (n, e) and s are verified by RSAVP 1 to generate a large integer m.

m = RSAVP 1 ((n,e),s)

C) converting m into coded message EM with length emLen = [(modBits-1)/8] bytes. ModBits is the bit length of RSA modulus n.

EM = I2OSP (m,emLen)

Note: if modBits- 1 is divisible by 8, then emLen = k- 1, otherwise emLen = k.

3.e MSA-PSS verification: EMSA-PSS verification is performed on the message M and the encoded EM to determine whether they are consistent;

Result = EMSA-PSS- verification (m, EM, modbits–1)

4. If the result is = "consistent", output "valid signature"

Otherwise, output "invalid signature"

———–

Signature, you can also use EMSA-PKCS 1-V 1 _ 5 encoding method to generate EM:

EM = EMSA-pkcs 1-v 1 _ 5-ENCODE(M,k)

In order to verify the signature, EMSA-PKCS 1-v 1_5 is used to generate the second coded message EM' of M.

EM ' = EMSA-pkcs 1-v 1 _ 5-ENCODE(M,k)。

Then compare whether EM and EM' are the same.

———————

RSA has two encryption schemes: RSAES-OAEP and RSAES-PKCS 1-v 1_5. PKCS# 1 It is suggested to use RSAES- OAEP in new applications and keep RSA ES-PKCS #1-V1_ 5 compatible with old applications. The only difference between them is the way of encoding first and then encrypting. The purpose of encoding before encryption is to provide a security mechanism to resist malicious attacks of various activities.

There are also two schemes for the signature mechanism of PKCS# 1: RSASSA-PSS and rsassa-pkcs1-v1_ 5. Similarly, for new applications, it is recommended to use RSASSA-PSS, while for compatibility with old applications, it is recommended to use rSSASA-PKCS1-V1_ 5.

——————–

RSAES-OAEP encryption ((n, e), m, l)

Option: Hash hash function (hLen indicates the byte string length output by hash function)

MGF mask generation function

Input: (n, e) RSA public key of the receiver (k stands for byte length of RSA modulus n).

M message to be encrypted, a byte string mLen.

L optional label related to the message. If l is not provided, an empty string is used.

Output: c ciphertext, with a byte length of K.

Steps:

1. Length check

A. if the length of l exceeds the input limit of hash function (for SHA- 1, it is 2 6 1- 1), the output label is too long.

B.mlen & GTK–2hlen-2, the output message is too long.

2.EME-OAEP coding

To tell you the truth, I haven't understood it for a long time. . . . . . .