Cryptography Reference
In-Depth Information
length of the message in bytes. A hash function computes a message digest of fixed
length (e.g., 160 or 256 bit) for every input. More about hash functions is found
in Chap. 11. Furthermore, let L be an optional label associated with the message
(otherwise, L is an empty string as default). According to the most recent version
of PKCS#1 (v2.1), padding a message within the RSA encryption scheme is done in
the following way:
1. Generate a string PS of length k−|M|−2|H|−2 of zeroed bytes. The length of
PS may be zero.
2. Concatenate Hash(L), PS, a single byte with hexadecimal value 0x01, and the
message M to form a data block DB of length k−|H|−1 bytes as
DB = Hash(L) || PS || 0x01 || M.
3. Generate a random byte string seed of length |H|.
4. Let dbMask = MGF(seed, k−|H|−1), where MGF is the mask generation function.
In practice, a hash function such as SHA-1 is often used as MGF.
5. Let maskedDB = DB ⊕ dbMask.
6. Let seedMask = MGF(maskedDB, |H|).
7. Let maskedSeed = seed ⊕ seedMask.
8. Concatenate a single byte with hexadecimal value 0x00, maskedSeed and
maskedDB to form an encoded message EM of length k bytes as
EM = 0x00 || maskedSeed || maskedDB.
Figure 7.3 shows the structure of a padded message M .
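[Figure: the seed and the data block Hash(L) | PS | 0x01 | M are masked with seedMask and dbMask; the encoded message consists of the byte 0x00 (1 byte), the masked seed (|H| bytes) and the masked data block (k−|H|−1 bytes), k bytes in total.]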
Fig. 7.3 RSA encryption of a message M with Optimal Asymmetric Encryption Padding (OAEP)
On the decryption side, the structure of the decrypted message has to be verified.
For instance, if there is no byte with hexadecimal value 0x01 to separate PS from
M , a decryption error occurred. In any case, returning a decryption error to the user
(or a potential attacker!) should not reveal any information about the plaintext.
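The eight encoding steps and the decryption-side structure check described above, as an added Python example that is not from the original text. It assumes SHA-256 as Hash and MGF1 from PKCS#1 as MGF; the function names and the DecryptionError class are illustrative. The checks are not constant-time, so the code shows the structure verification and the single error path, not a side-channel-hardened implementation.

```python
import hashlib, hmac, os

HASH = hashlib.sha256            # assumption: SHA-256 as Hash, so |H| = 32
HLEN = HASH().digest_size

class DecryptionError(Exception):
    """Raised for every padding failure, so the cause is not revealed."""

def mgf1(seed: bytes, length: int) -> bytes:
    # MGF1 (PKCS#1): Hash(seed || 4-byte counter) blocks, truncated to length
    out = b""
    for counter in range(-(-length // HLEN)):
        out += HASH(seed + counter.to_bytes(4, "big")).digest()
    return out[:length]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def oaep_encode(m: bytes, k: int, label: bytes = b"", seed: bytes = None) -> bytes:
    ps_len = k - len(m) - 2 * HLEN - 2                          # step 1
    if ps_len < 0:
        raise ValueError("message too long")
    db = HASH(label).digest() + b"\x00" * ps_len + b"\x01" + m  # step 2
    seed = os.urandom(HLEN) if seed is None else seed           # step 3
    masked_db = xor(db, mgf1(seed, k - HLEN - 1))               # steps 4-5
    masked_seed = xor(seed, mgf1(masked_db, HLEN))              # steps 6-7
    return b"\x00" + masked_seed + masked_db                    # step 8

def oaep_decode(em: bytes, k: int, label: bytes = b"") -> bytes:
    if len(em) != k or k < 2 * HLEN + 2:
        raise DecryptionError("decryption error")
    masked_seed, masked_db = em[1:1 + HLEN], em[1 + HLEN:]
    seed = xor(masked_seed, mgf1(masked_db, HLEN))
    db = xor(masked_db, mgf1(seed, k - HLEN - 1))
    rest = db[HLEN:]                     # PS || 0x01 || M
    sep = rest.find(b"\x01")             # position of the 0x01 separator
    # Evaluate every check, then fail once with one identical message.
    ok = em[0] == 0
    ok &= hmac.compare_digest(db[:HLEN], HASH(label).digest())
    ok &= sep >= 0 and rest[:sep] == b"\x00" * sep
    if not ok:
        raise DecryptionError("decryption error")
    return rest[sep + 1:]
```
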
 