length of the message in bytes. A hash function computes a message digest of fixed length (e.g., 160 or 256 bit) for every input. More about hash functions is found in Chap. 11. Furthermore, let L be an optional label associated with the message (otherwise, L is an empty string as default). According to the most recent version PKCS#1 (v2.1), padding a message within the RSA encryption scheme is done in the following way:
1. Generate a string PS of length k − |M| − 2|H| − 2 of zeroed bytes. The length of PS may be zero.
2. Concatenate Hash(L), PS, a single byte with hexadecimal value 0x01, and the message M to form a data block DB of length k − |H| − 1 bytes as
   DB = Hash(L) || PS || 0x01 || M.
3. Generate a random byte string seed of length |H|.
4. Let dbMask = MGF(seed, k − |H| − 1), where MGF is the mask generation function. In practice, a hash function such as SHA-1 is often used as MGF.
5. Let maskedDB = DB ⊕ dbMask.
6. Let seedMask = MGF(maskedDB, |H|).
7. Let maskedSeed = seed ⊕ seedMask.
8. Concatenate a single byte with hexadecimal value 0x00, maskedSeed and maskedDB to form an encoded message EM of length k bytes as
   EM = 0x00 || maskedSeed || maskedDB.
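Figure 7.3 shows the structure of a padded message M.

[Figure: seed and the data block Hash(L) | PS | 0x01 | M are combined with seedMask and dbMask; the encoded message starts with the byte 0x00. Field widths: 1, |H| and k−|H|−1 bytes, k bytes in total.]
Fig. 7.3 RSA encryption of a message M with Optimal Asymmetric Encryption Padding (OAEP)
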
On the decryption side, the structure of the decrypted message has to be verified. For instance, if there is no byte with hexadecimal value 0x01 to separate PS from M, a decryption error occurred. In any case, returning a decryption error to the user (or a potential attacker!) should not reveal any information about the plaintext.
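
The eight padding steps and the structure check on the decryption side, as an added example that is not part of the original text. It covers only the encoding and decoding of EM (the RSA exponentiation is omitted); the function names, the use of SHA-256 as Hash, and MGF1 as the mask generation function are assumptions of this sketch.

```python
import hashlib
import hmac
import os

H = hashlib.sha256            # assumed hash choice; any fixed-length digest works
HLEN = H().digest_size        # |H| in bytes

def mgf1(seed, length):
    """MGF1 of PKCS#1: hash seed || 4-byte counter until `length` bytes exist."""
    blocks = (length + HLEN - 1) // HLEN
    out = b"".join(H(seed + i.to_bytes(4, "big")).digest() for i in range(blocks))
    return out[:length]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def oaep_encode(m, k, label=b"", seed=None):
    """Steps 1-8 above: returns EM of exactly k bytes (k = modulus length)."""
    if len(m) > k - 2 * HLEN - 2:
        raise ValueError("message too long")
    ps = b"\x00" * (k - len(m) - 2 * HLEN - 2)      # 1. zero padding, may be empty
    db = H(label).digest() + ps + b"\x01" + m        # 2. DB = Hash(L)||PS||0x01||M
    seed = seed or os.urandom(HLEN)                   # 3. random seed of |H| bytes
    masked_db = xor(db, mgf1(seed, k - HLEN - 1))     # 4-5. maskedDB = DB xor dbMask
    masked_seed = xor(seed, mgf1(masked_db, HLEN))    # 6-7. maskedSeed = seed xor seedMask
    return b"\x00" + masked_seed + masked_db          # 8. EM

def oaep_decode(em, k, label=b""):
    """Undo the masks, then verify the structure; every failure looks the same."""
    if len(em) != k or k < 2 * HLEN + 2:
        raise ValueError("decryption error")
    masked_seed, masked_db = em[1:1 + HLEN], em[1 + HLEN:]
    seed = xor(masked_seed, mgf1(masked_db, HLEN))
    db = xor(masked_db, mgf1(seed, k - HLEN - 1))
    # Evaluate all checks before branching so the caller cannot tell which failed.
    # (Python gives no constant-time guarantee; this shows the logic only.)
    ok = em[0] == 0
    ok &= hmac.compare_digest(db[:HLEN], H(label).digest())
    rest = db[HLEN:].lstrip(b"\x00")                  # skip PS
    ok &= rest[:1] == b"\x01"                         # separator must follow PS
    if not ok:
        raise ValueError("decryption error")
    return rest[1:]
```

With k = 128 (a 1024-bit modulus) and SHA-256, the longest message that fits is k − 2|H| − 2 = 62 bytes, in which case PS is empty.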