Network Working Group B. Kaliski
Request for Comments: 2313 RSA Laboratories East
Category: Informational March 1998
Network Working Group B. Kaliski
Request for Comments: 2313 RSA Laboratories East
Category: Informational March 1998
PKCS #1: RSA Encryption Version 1.5
PKCS#1:RSA加密版本1.5
Status of this Memo
本备忘录的状况
This memo provides information for the Internet community. It does not specify an Internet standard of any kind. Distribution of this memo is unlimited.
本备忘录为互联网社区提供信息。它没有规定任何类型的互联网标准。本备忘录的分发不受限制。
Copyright Notice
版权公告
Copyright (C) The Internet Society (1998). All Rights Reserved.
版权所有(C)互联网协会(1998年)。版权所有。
Overview
概述
This document describes a method for encrypting data using the RSA public-key cryptosystem.
本文档描述了使用RSA公钥密码系统加密数据的方法。
This document describes a method for encrypting data using the RSA public-key cryptosystem. Its intended use is in the construction of digital signatures and digital envelopes, as described in PKCS #7:
本文档描述了使用RSA公钥密码系统加密数据的方法。其预期用途是构建数字签名和数字信封,如PKCS#7:
o For digital signatures, the content to be signed is first reduced to a message digest with a message-digest algorithm (such as MD5), and then an octet string containing the message digest is encrypted with the RSA private key of the signer of the content. The content and the encrypted message digest are represented together according to the syntax in PKCS #7 to yield a digital signature. This application is compatible with Privacy-Enhanced Mail (PEM) methods.
o 对于数字签名,首先使用消息摘要算法(如MD5)将要签名的内容缩减为消息摘要,然后使用内容签名者的RSA私钥对包含消息摘要的八位字节字符串进行加密。内容和加密消息摘要根据PKCS#7中的语法一起表示,以生成数字签名。此应用程序与隐私增强邮件(PEM)方法兼容。
o For digital envelopes, the content to be enveloped is first encrypted under a content-encryption key with a content-encryption algorithm (such as DES), and then the content-encryption key is encrypted with the RSA public keys of the recipients of the content. The encrypted content and the encrypted
o 对于数字信封,首先使用内容加密算法(如DES)在内容加密密钥下对要封装的内容进行加密,然后使用内容接收方的RSA公钥对内容加密密钥进行加密。加密的内容和加密的
content-encryption key are represented together according to the syntax in PKCS #7 to yield a digital envelope. This application is also compatible with PEM methods.
内容加密密钥根据PKCS#7中的语法一起表示,以生成数字信封。该应用程序也与PEM方法兼容。
The document also describes a syntax for RSA public keys and private keys. The public-key syntax would be used in certificates; the private-key syntax would be used typically in PKCS #8 private-key information. The public-key syntax is identical to that in both X.509 and Privacy-Enhanced Mail. Thus X.509/PEM RSA keys can be used in this document.
本文档还描述了RSA公钥和私钥的语法。公钥语法将用于证书中;私钥语法通常用于PKCS#8私钥信息。公钥语法与X.509和隐私增强邮件中的相同。因此,本文档中可以使用X.509/PEM RSA密钥。
The document also defines three signature algorithms for use in signing X.509/PEM certificates and certificate-revocation lists, PKCS #6 extended certificates, and other objects employing digital signatures such as X.401 message tokens.
该文档还定义了三种签名算法,用于签名X.509/PEM证书和证书吊销列表、PKCS#6扩展证书以及使用数字签名(如X.401消息令牌)的其他对象。
Details on message-digest and content-encryption algorithms are outside the scope of this document, as are details on sources of the pseudorandom bits required by certain methods in this document.
关于消息摘要和内容加密算法的详细信息不在本文档范围内,关于本文档中某些方法所需的伪随机比特源的详细信息也不在本文档范围内。
FIPS PUB 46-1 National Bureau of Standards. FIPS PUB 46-1: Data Encryption Standard. January 1988.
FIPS PUB 46-1国家标准局。FIPS PUB 46-1:数据加密标准。1988年1月。
PKCS #6 RSA Laboratories. PKCS #6: Extended-Certificate Syntax. Version 1.5, November 1993.
PKCS#6 RSA实验室。PKCS#6:扩展证书语法。1.5版,1993年11月。
PKCS #7 RSA Laboratories. PKCS #7: Cryptographic Message Syntax. Version 1.5, November 1993.
PKCS#7 RSA实验室。PKCS#7:加密消息语法。1.5版,1993年11月。
PKCS #8 RSA Laboratories. PKCS #8: Private-Key Information Syntax. Version 1.2, November 1993.
PKCS#8 RSA实验室。PKCS#8:私钥信息语法。1.2版,1993年11月。
RFC 1319 Kaliski, B., "The MD2 Message-Digest Algorithm," RFC 1319, April 1992.
RFC 1319 Kaliski,B.,“MD2消息摘要算法”,RFC 1319,1992年4月。
RFC 1320 Rivest, R., "The MD4 Message-Digest Algorithm," RFC 1320, April 1992.
RFC 1320 Rivest,R.,“MD4消息摘要算法”,RFC 1320,1992年4月。
RFC 1321 Rivest, R., "The MD5 Message-Digest Algorithm," RFC 1321, April 1992.
RFC 1321 Rivest,R.,“MD5消息摘要算法”,RFC 1321,1992年4月。
RFC 1423 Balenson, D., "Privacy Enhancement for Internet Electronic Mail: Part III: Algorithms, Modes, and Identifiers," RFC 1423, February 1993.
RFC 1423 Balenson,D.,“互联网电子邮件的隐私增强:第三部分:算法、模式和标识符”,RFC 1423,1993年2月。
X.208 CCITT. Recommendation X.208: Specification of Abstract Syntax Notation One (ASN.1). 1988.
X.208 CCITT。建议X.208:抽象语法符号1(ASN.1)的规范。1988
X.209 CCITT. Recommendation X.209: Specification of Basic Encoding Rules for Abstract Syntax Notation One (ASN.1). 1988.
X.209 CCITT。建议X.209:抽象语法符号1(ASN.1)的基本编码规则规范。1988
X.411 CCITT. Recommendation X.411: Message Handling Systems: Message Transfer System: Abstract Service Definition and Procedures.1988.
X.411 CCITT。建议X.411:消息处理系统:消息传输系统:抽象服务定义和过程。1988年。
X.509 CCITT. Recommendation X.509: The Directory-- Authentication Framework. 1988.
X.509 CCITT。建议X.509:目录--身份验证框架。1988
[dBB92] B. den Boer and A. Bosselaers. An attack on the
last two rounds of MD4. In J. Feigenbaum, editor,
Advances in Cryptology---CRYPTO '91 Proceedings,
volume 576 of Lecture Notes in Computer Science,
pages 194-203. Springer-Verlag, New York, 1992.
[dBB92] B. den Boer and A. Bosselaers. An attack on the
last two rounds of MD4. In J. Feigenbaum, editor,
Advances in Cryptology---CRYPTO '91 Proceedings,
volume 576 of Lecture Notes in Computer Science,
pages 194-203. Springer-Verlag, New York, 1992.
[dBB93] B. den Boer and A. Bosselaers. Collisions for the compression function of MD5. Presented at EUROCRYPT '93 (Lofthus, Norway, May 24-27, 1993).
[dBB93]B.den Boer和A.Bosselaers。MD5压缩功能的冲突。1993年5月24日至27日在挪威洛夫图斯的EUROCRYPT’93上展出。
[DO86] Y. Desmedt and A.M. Odlyzko. A chosen text attack
on the RSA cryptosystem and some discrete
logarithm schemes. In H.C. Williams, editor,
Advances in Cryptology---CRYPTO '85 Proceedings,
volume 218 of Lecture Notes in Computer Science,
pages 516-521. Springer-Verlag, New York, 1986.
[DO86] Y. Desmedt and A.M. Odlyzko. A chosen text attack
on the RSA cryptosystem and some discrete
logarithm schemes. In H.C. Williams, editor,
Advances in Cryptology---CRYPTO '85 Proceedings,
volume 218 of Lecture Notes in Computer Science,
pages 516-521. Springer-Verlag, New York, 1986.
[Has88] Johan Hastad. Solving simultaneous modular equations. SIAM Journal on Computing, 17(2):336-341, April 1988.
约翰·哈斯塔德。求解联立模方程组。暹罗计算杂志,17(2):336-3411988年4月。
[IM90] Colin I'Anson and Chris Mitchell. Security defects in CCITT Recommendation X.509--The directory authentication framework. Computer Communications Review, :30-34, April 1990.
[IM90]科林·伊安森和克里斯·米切尔。CCITT建议X.509——目录认证框架中的安全缺陷。《计算机通信评论》,1990年4月30日至34日。
[Mer90] R.C. Merkle. Note on MD4. Unpublished manuscript, 1990.
[Mer90]R.C.Merkle。关于MD4的说明。未出版的手稿,1990年。
[Mil76] G.L. Miller. Riemann's hypothesis and tests for primality. Journal of Computer and Systems Sciences, 13(3):300-307, 1976.
[Mil76]G.L.米勒。黎曼假设和素性检验。计算机与系统科学杂志,13(3):300-3071976。
[QC82] J.-J. Quisquater and C. Couvreur. Fast decipherment algorithm for RSA public-key cryptosystem. Electronics Letters, 18(21):905-907, October 1982.
[QC82]J.-J.奎斯夸特和C.库夫勒。RSA公钥密码体制的快速解密算法。《电子通讯》,18(21):905-907,1982年10月。
[RSA78] R.L. Rivest, A. Shamir, and L. Adleman. A method for obtaining digital signatures and public-key cryptosystems. Communications of the ACM, 21(2):120-126, February 1978.
[RSA78]R.L.Rivest、A.Shamir和L.Adleman。一种获取数字签名和公钥密码系统的方法。ACM的来文,21(2):120-126,1978年2月。
For the purposes of this document, the following definitions apply.
在本文件中,以下定义适用。
AlgorithmIdentifier: A type that identifies an algorithm (by object identifier) and associated parameters. This type is defined in X.509.
AlgorithmIdentifier:识别算法(通过对象标识符)和相关参数的类型。该类型在X.509中定义。
ASN.1: Abstract Syntax Notation One, as defined in X.208.
ASN.1:抽象语法符号1,如X.208中所定义。
BER: Basic Encoding Rules, as defined in X.209.
BER:基本编码规则,如X.209中所定义。
DES: Data Encryption Standard, as defined in FIPS PUB 46-1.
DES:FIPS PUB 46-1中定义的数据加密标准。
MD2: RSA Data Security, Inc.'s MD2 message-digest algorithm, as defined in RFC 1319.
MD2:RSA Data Security,Inc.的MD2消息摘要算法,定义见RFC 1319。
MD4: RSA Data Security, Inc.'s MD4 message-digest algorithm, as defined in RFC 1320.
MD4:RSA Data Security,Inc.的MD4消息摘要算法,定义见RFC 1320。
MD5: RSA Data Security, Inc.'s MD5 message-digest algorithm, as defined in RFC 1321.
MD5:RSA Data Security,Inc.的MD5消息摘要算法,定义见RFC 1321。
modulus: Integer constructed as the product of two primes.
模:由两个素数的乘积构成的整数。
PEM: Internet Privacy-Enhanced Mail, as defined in RFC 1423 and related documents.
PEM:互联网隐私增强邮件,如RFC 1423和相关文件中所定义。
RSA: The RSA public-key cryptosystem, as defined in [RSA78].
RSA:RSA公钥密码系统,定义见[RSA78]。
private key: Modulus and private exponent.
私钥:模数和私钥指数。
public key: Modulus and public exponent.
公钥:模和公钥指数。
Upper-case symbols (e.g., BT) denote octet strings and bit strings (in the case of the signature S); lower-case symbols (e.g., c) denote integers.
大写符号(例如BT)表示八位字符串和位字符串(在签名S的情况下);小写符号(例如c)表示整数。
ab hexadecimal octet value c exponent BT block type d private exponent D data e public exponent EB encryption block k length of modulus in octets ED encrypted data n modulus M message p, q prime factors of modulus MD message digest x integer encryption block MD' comparative message y integer encrypted data digest PS padding string mod n modulo n S signature X || Y concatenation of X, Y ||X|| length in octets of X 5. General overview
ab十六进制八位字节值c指数BT块类型d专用指数d数据e公用指数EB加密块k八位字节模数长度ED加密数据n模数M消息p,q模素数MD消息摘要x整数加密块MD'比较消息y整数加密数据摘要PS填充字符串mod n模n S签名x | | | y x | |长度以x 5的八位字节串联。概述
The next six sections specify key generation, key syntax, the encryption process, the decryption process, signature algorithms, and object identifiers.
接下来的六个部分指定密钥生成、密钥语法、加密过程、解密过程、签名算法和对象标识符。
Each entity shall generate a pair of keys: a public key and a private key. The encryption process shall be performed with one of the keys and the decryption process shall be performed with the other key. Thus the encryption process can be either a public-key operation or a private-key operation, and so can the decryption process. Both processes transform an octet string to another octet string. The processes are inverses of each other if one process uses an entity's public key and the other process uses the same entity's private key.
每个实体应生成一对密钥:公钥和私钥。应使用其中一个密钥执行加密过程,使用另一个密钥执行解密过程。因此,加密过程可以是公钥操作或私钥操作,解密过程也可以是公钥操作。两个进程都将一个八位字符串转换为另一个八位字符串。如果一个进程使用实体的公钥,而另一个进程使用同一实体的私钥,则这些进程彼此相反。
The encryption and decryption processes can implement either the classic RSA transformations, or variations with padding.
加密和解密过程可以实现经典的RSA转换,也可以实现带有填充的变体。
This section describes RSA key generation.
本节介绍RSA密钥生成。
Each entity shall select a positive integer e as its public exponent.
每个实体应选择一个正整数e作为其公共指数。
Each entity shall privately and randomly select two distinct odd primes p and q such that (p-1) and e have no common divisors, and (q-1) and e have no common divisors.
每个实体应私下随机选择两个不同的奇数素数p和q,使(p-1)和e没有公约数,(q-1)和e没有公约数。
The public modulus n shall be the product of the private prime factors p and q:
公共模量n应为私有素数因子p和q的乘积:
n = pq .
n=pq。
The private exponent shall be a positive integer d such that de-1 is divisible by both p-1 and q-1.
私有指数应为正整数d,使得de-1可被p-1和q-1整除。
The length of the modulus n in octets is the integer k satisfying
以八位字节表示的模n的长度是整数k
2^(8(k-1)) <= n < 2^(8k) .
2^(8(k-1))<=n<2^(8k)。
The length k of the modulus must be at least 12 octets to accommodate the block formats in this document (see Section 8).
模数的长度k必须至少为12个八位字节,以适应本文件中的块格式(见第8节)。
Notes.
笔记。
1. The public exponent may be standardized in specific applications. The values 3 and F4 (65537) may have some practical advantages, as noted in X.509 Annex C.
1. 公共指数可在特定应用中标准化。如X.509附录C所述,值3和F4(65537)可能具有一些实际优势。
2. Some additional conditions on the choice of primes may well be taken into account in order to deter factorization of the modulus. These security conditions fall outside the scope of this document. The lower bound on the length k is to accommodate the block formats, not for security.
2. 为了确定模的因式分解,可以考虑选择素数的一些附加条件。这些安全条件不属于本文件的范围。长度k的下限是为了适应块格式,而不是为了安全。
This section gives the syntax for RSA public and private keys.
本节给出RSA公钥和私钥的语法。
An RSA public key shall have ASN.1 type RSAPublicKey:
RSA公钥应具有ASN.1类型的RSA公钥:
RSAPublicKey ::= SEQUENCE {
modulus INTEGER, -- n
publicExponent INTEGER -- e }
RSAPublicKey ::= SEQUENCE {
modulus INTEGER, -- n
publicExponent INTEGER -- e }
(This type is specified in X.509 and is retained here for compatibility.)
(此类型在X.509中指定,并保留在此处以实现兼容性。)
The fields of type RSAPublicKey have the following meanings:
RSAPublicKey类型的字段具有以下含义:
o modulus is the modulus n.
o 模数是模数n。
o publicExponent is the public exponent e.
o publicExponent是公共指数e。
An RSA private key shall have ASN.1 type RSAPrivateKey:
RSA私钥应具有ASN.1类型的RSA私钥:
RSAPrivateKey ::= SEQUENCE {
version Version,
modulus INTEGER, -- n
publicExponent INTEGER, -- e
privateExponent INTEGER, -- d
prime1 INTEGER, -- p
prime2 INTEGER, -- q
exponent1 INTEGER, -- d mod (p-1)
exponent2 INTEGER, -- d mod (q-1)
coefficient INTEGER -- (inverse of q) mod p }
RSAPrivateKey ::= SEQUENCE {
version Version,
modulus INTEGER, -- n
publicExponent INTEGER, -- e
privateExponent INTEGER, -- d
prime1 INTEGER, -- p
prime2 INTEGER, -- q
exponent1 INTEGER, -- d mod (p-1)
exponent2 INTEGER, -- d mod (q-1)
coefficient INTEGER -- (inverse of q) mod p }
Version ::= INTEGER
Version ::= INTEGER
The fields of type RSAPrivateKey have the following meanings:
RSAPrivateKey类型的字段具有以下含义:
o version is the version number, for compatibility with future revisions of this document. It shall be 0 for this version of the document.
o 版本是版本号,用于与本文档的未来版本兼容。此版本的文件应为0。
o modulus is the modulus n.
o 模数是模数n。
o publicExponent is the public exponent e.
o publicExponent是公共指数e。
o privateExponent is the private exponent d.
o privateExponent是私有指数d。
o prime1 is the prime factor p of n.
o prime1是n的素因子p。
o prime2 is the prime factor q of n.
o prime2是n的素因子q。
o exponent1 is d mod (p-1).
o 指数1是d模(p-1)。
o exponent2 is d mod (q-1).
o 指数2是d模(q-1)。
o coefficient is the Chinese Remainder Theorem coefficient q-1 mod p.
o 系数是中国剩余定理系数q-1 mod p。
Notes.
笔记。
1. An RSA private key logically consists of only the modulus n and the private exponent d. The presence of the values p, q, d mod (p-1), d mod (p-1), and q-1 mod p is intended for efficiency, as Quisquater and Couvreur have shown [QC82]. A private-key syntax that does not include
1. RSA私钥在逻辑上仅由模n和私钥指数d组成。值p、q、d mod(p-1)、d mod(p-1)和q-1 mod p的存在是为了提高效率,如Quisquater和Couvreur所示[QC82]。一种私钥语法,不包括
all the extra values can be converted readily to the syntax defined here, provided the public key is known, according to a result by Miller [Mil76].
根据Miller[Mil76]的结果,只要公钥已知,所有额外值都可以很容易地转换为此处定义的语法。
2. The presence of the public exponent e is intended to make it straightforward to derive a public key from the private key.
2. 公开指数e的存在旨在使从私钥导出公开密钥变得简单。
This section describes the RSA encryption process.
本节介绍RSA加密过程。
The encryption process consists of four steps: encryption- block formatting, octet-string-to-integer conversion, RSA computation, and integer-to-octet-string conversion. The input to the encryption process shall be an octet string D, the data; an integer n, the modulus; and an integer c, the exponent. For a public-key operation, the integer c shall be an entity's public exponent e; for a private-key operation, it shall be an entity's private exponent d. The output from the encryption process shall be an octet string ED, the encrypted data.
加密过程包括四个步骤:加密-块格式化、八位字符串到整数的转换、RSA计算和整数到八位字符串的转换。加密过程的输入应为八位字节字符串D,即数据;一个整数n,模数;一个整数c,指数。对于公钥操作,整数c应为实体的公钥指数e;对于私钥操作,应为实体的私钥指数d。加密过程的输出应为八位字节字符串,即加密数据。
The length of the data D shall not be more than k-11 octets, which is positive since the length k of the modulus is at least 12 octets. This limitation guarantees that the length of the padding string PS is at least eight octets, which is a security condition.
数据D的长度不得超过k-11个八位字节,这是正的,因为模数的长度k至少为12个八位字节。此限制保证填充字符串PS的长度至少为八个八位字节,这是一个安全条件。
Notes.
笔记。
1. In typical applications of this document to encrypt content-encryption keys and message digests, one would have ||D|| <= 30. Thus the length of the RSA modulus will need to be at least 328 bits (41 octets), which is reasonable and consistent with security recommendations.
1. 在本文档用于加密内容加密密钥和消息摘要的典型应用程序中,其中| | D |<=30。因此,RSA模的长度至少需要328位(41个八位字节),这是合理的,并且符合安全建议。
2. The encryption process does not provide an explicit integrity check to facilitate error detection should the encrypted data be corrupted in transmission. However, the structure of the encryption block guarantees that the probability that corruption is undetected is less than 2-16, which is an upper bound on the probability that a random encryption block looks like block type 02.
2. 加密过程不提供明确的完整性检查,以便于在传输过程中加密数据损坏时进行错误检测。然而,加密块的结构保证未检测到损坏的概率小于2-16,这是随机加密块看起来像块类型02的概率上限。
3. Application of private-key operations as defined here to data other than an octet string containing a message digest is not recommended and is subject to further study.
3. 不建议将此处定义的私钥操作应用于包含消息摘要的八位字节字符串以外的数据,这有待进一步研究。
4. This document may be extended to handle data of length more than k-11 octets.
4. 本文件可扩展为处理长度超过k-11八位字节的数据。
A block type BT, a padding string PS, and the data D shall be formatted into an octet string EB, the encryption block.
块类型BT、填充字符串PS和数据D应格式化为八位字节字符串EB,即加密块。
EB = 00 || BT || PS || 00 || D . (1)
EB=00 | BT | PS | 00 | D。(1)
The block type BT shall be a single octet indicating the structure of the encryption block. For this version of the document it shall have value 00, 01, or 02. For a private- key operation, the block type shall be 00 or 01. For a public-key operation, it shall be 02.
块类型BT应为单个八位字节,表示加密块的结构。对于本版本的文件,其值应为00、01或02。对于私钥操作,块类型应为00或01。对于公钥操作,应为02。
The padding string PS shall consist of k-3-||D|| octets. For block type 00, the octets shall have value 00; for block type 01, they shall have value FF; and for block type 02, they shall be pseudorandomly generated and nonzero. This makes the length of the encryption block EB equal to k.
填充字符串PS应由k-3-| | D | |八位字节组成。对于块类型00,八位字节的值应为00;对于01型块,其值应为FF;对于块类型02,它们应为伪随机生成且非零。这使得加密块EB的长度等于k。
Notes.
笔记。
1. The leading 00 octet ensures that the encryption block, converted to an integer, is less than the modulus.
1. 前导的00八位字节确保转换为整数的加密块小于模数。
2. For block type 00, the data D must begin with a nonzero octet or have known length so that the encryption block can be parsed unambiguously. For block types 01 and 02, the encryption block can be parsed unambiguously since the padding string PS contains no octets with value 00 and the padding string is separated from the data D by an octet with value 00.
2. 对于块类型00,数据D必须以非零八位字节开头或具有已知长度,以便可以明确地解析加密块。对于块类型01和02,可以明确地解析加密块,因为填充字符串PS不包含值为00的八位字节,并且填充字符串与数据D之间由值为00的八位字节分隔。
3. Block type 01 is recommended for private-key operations. Block type 01 has the property that the encryption block, converted to an integer, is guaranteed to be large, which prevents certain attacks of the kind proposed by Desmedt and Odlyzko [DO86].
3. 对于私钥操作,建议使用块类型01。块类型01的特性是,转换为整数的加密块保证是大的,这可以防止Desmedt和Odlyzko[DO86]提出的某种攻击。
4. Block types 01 and 02 are compatible with PEM RSA encryption of content-encryption keys and message digests as described in RFC 1423.
4. 块类型01和02与内容加密密钥和消息摘要的PEM RSA加密兼容,如RFC 1423所述。
5. For block type 02, it is recommended that the pseudorandom octets be generated independently for each encryption process, especially if the same data is input to more than one encryption process. Hastad's results [Has88] motivate this recommendation.
5. 对于块类型02,建议为每个加密过程独立生成伪随机八位字节,尤其是当相同数据输入到多个加密过程时。哈斯塔德的结果[Has88]激发了这一建议。
6. For block type 02, the padding string is at least eight octets long, which is a security condition for public-key operations that prevents an attacker from recoving data by trying all possible encryption blocks. For simplicity, the minimum length is the same for block type 01.
6. 对于块类型02,填充字符串至少有八个八位字节长,这是公钥操作的安全条件,可防止攻击者通过尝试所有可能的加密块来重新编码数据。为简单起见,块类型01的最小长度相同。
7. This document may be extended in the future to include other block types.
7. 本文档将来可能会扩展,以包括其他块类型。
The encryption block EB shall be converted to an integer x, the integer encryption block. Let EB1, ..., EBk be the octets of EB from first to last. Then the integer x shall satisfy
加密块EB应转换为整数x,即整数加密块。设EB1,…,EBk是EB从头到尾的八位字节。那么整数x应满足
k x = SUM 2^(8(k-i)) EBi . (2) i = 1
kx=息税前利润总额2^(8(k-i))。(2) i=1
In other words, the first octet of EB has the most significance in the integer and the last octet of EB has the least significance.
换言之,EB的第一个八位元在整数中的重要性最高,而EB的最后一个八位元的重要性最低。
Note. The integer encryption block x satisfies 0 <= x < n since EB1 = 00 and 2^(8(k-1)) <= n.
笔记整数加密块x满足0<=x<n,因为EB1=00和2^(8(k-1))<=n。
The integer encryption block x shall be raised to the power c modulo n to give an integer y, the integer encrypted data.
整数加密块x应提升到幂c模n,以给出整数y,即整数加密数据。
y = x^c mod n, 0 <= y < n .
y=x^c模n,0<=y<n。
This is the classic RSA computation.
这是经典的RSA计算。
The integer encrypted data y shall be converted to an octet string ED of length k, the encrypted data. The encrypted data ED shall satisfy
整数加密数据y应转换为长度为k的八位字节字符串ED,即加密数据。加密数据应满足以下要求:
k y = SUM 2^(8(k-i)) EDi . (3) i = 1
ky=总和2^(8(k-i))EDi。(3) i=1
where ED1, ..., EDk are the octets of ED from first to last.
其中ED1,…,EDk是ED从第一个到最后的八位字节。
In other words, the first octet of ED has the most significance in the integer and the last octet of ED has the least significance.
换言之,ED的第一个八位元在整数中的意义最大,而ED的最后一个八位元的意义最小。
This section describes the RSA decryption process.
本节介绍RSA解密过程。
The decryption process consists of four steps: octet-string-to-integer conversion, RSA computation, integer-to-octet-string conversion, and encryption-block parsing. The input to the decryption process shall be an octet string ED, the encrypted data; an integer n, the modulus; and an integer c, the exponent. For a public-key operation, the integer c shall be an entity's public exponent e; for a private-key operation, it shall be an entity's private exponent d. The output from the decryption process shall be an octet string D, the data.
解密过程包括四个步骤:八位字符串到整数的转换、RSA计算、整数到八位字符串的转换和加密块解析。解密过程的输入应为加密数据的八位字节字符串;一个整数n,模数;一个整数c,指数。对于公钥操作,整数c应为实体的公钥指数e;对于私钥操作,应为实体的私钥指数d。解密过程的输出应为八位字节字符串D,即数据。
It is an error if the length of the encrypted data ED is not k.
如果加密数据ED的长度不是k,则为错误。
For brevity, the decryption process is described in terms of the encryption process.
为简洁起见,将根据加密过程描述解密过程。
The encrypted data ED shall be converted to an integer y, the integer encrypted data, according to Equation (3).
加密数据ED应根据方程式(3)转换为整数y,即整数加密数据。
It is an error if the integer encrypted data y does not satisfy 0 <= y < n.
如果整数加密数据y不满足0<=y<n,则为错误。
The integer encrypted data y shall be raised to the power c modulo n to give an integer x, the integer encryption block.
整数加密数据y应提升到c模n的幂,以给出整数x,即整数加密块。
x = y^c mod n, 0 <= x < n .
x=y^c模n,0<=x<n。
This is the classic RSA computation.
这是经典的RSA计算。
The integer encryption block x shall be converted to an octet string EB of length k, the encryption block, according to Equation (2).
根据等式(2),整数加密块x应转换为长度为k的八位字节字符串EB,即加密块。
The encryption block EB shall be parsed into a block type BT, a padding string PS, and the data D according to Equation (1).
加密块EB应根据等式(1)解析为块类型BT、填充字符串PS和数据D。
It is an error if any of the following conditions occurs:
如果出现以下任一情况,则为错误:
o The encryption block EB cannot be parsed unambiguously (see notes to Section 8.1).
o 无法明确解析加密块EB(参见第8.1节的注释)。
o The padding string PS consists of fewer than eight octets, or is inconsistent with the block type BT.
o 填充字符串PS包含少于八个八位字节,或者与块类型BT不一致。
o The decryption process is a public-key operation and the block type BT is not 00 or 01, or the decryption process is a private-key operation and the block type is not 02.
o 解密过程是公钥操作且块类型BT不是00或01,或者解密过程是私钥操作且块类型不是02。
This section defines three signature algorithms based on the RSA encryption process described in Sections 8 and 9. The intended use of the signature algorithms is in signing X.509/PEM certificates and certificate-revocation lists, PKCS #6 extended certificates, and other objects employing digital signatures such as X.401 message tokens. The algorithms are not intended for use in constructing digital signatures in PKCS #7. The first signature algorithm (informally, "MD2 with RSA") combines the MD2 message-digest algorithm with RSA, the second (informally, "MD4 with RSA") combines the MD4 message-digest algorithm with RSA, and the third (informally, "MD5 with RSA") combines the MD5 message-digest algorithm with RSA.
本节根据第8节和第9节中描述的RSA加密过程定义了三种签名算法。签名算法的预期用途是签名X.509/PEM证书和证书撤销列表、PKCS#6扩展证书以及使用数字签名(如X.401消息令牌)的其他对象。这些算法不适用于在PKCS#7中构造数字签名。第一个签名算法(非正式地称为“MD2与RSA”)将MD2消息摘要算法与RSA相结合,第二个签名算法(非正式地称为“MD4与RSA”)将MD4消息摘要算法与RSA相结合,第三个签名算法(非正式地称为“MD5与RSA”)将MD5消息摘要算法与RSA相结合。
This section describes the signature process and the verification process for the two algorithms. The "selected" message-digest algorithm shall be either MD2 or MD5, depending on the signature algorithm. The signature process shall be performed with an entity's private key and the verification process shall be performed with an entity's public key. The signature process transforms an octet string (the message) to a bit string (the signature); the verification process determines whether a bit string (the signature) is the signature of an octet string (the message).
本节介绍两种算法的签名过程和验证过程。“选定”消息摘要算法应为MD2或MD5,具体取决于签名算法。签名过程应使用实体的私钥执行,验证过程应使用实体的公钥执行。签名过程将八位字符串(消息)转换为位字符串(签名);验证过程确定位字符串(签名)是否为八位字符串(消息)的签名。
Note. The only difference between the signature algorithms defined here and one of the the methods by which signatures (encrypted message digests) are constructed in PKCS #7 is that signatures here are represented here as bit strings, for consistency with the X.509 SIGNED macro. In PKCS #7 encrypted message digests are octet strings.
笔记这里定义的签名算法和PKCS#7中构造签名(加密消息摘要)的方法之一之间的唯一区别在于,为了和X.509签名宏保持一致,这里的签名表示为位字符串。在PKCS#7中,加密消息摘要是八位字节字符串。
The signature process consists of four steps: message digesting, data encoding, RSA encryption, and octet-string-to-bit-string conversion. The input to the signature process shall be an octet string M, the message; and a signer's private key. The output from the signature process shall be a bit string S, the signature.
签名过程包括四个步骤:消息摘要、数据编码、RSA加密和八位字符串到位字符串的转换。签名过程的输入应为八位字节字符串M,即消息;和签名者的私钥。签名过程的输出应为位字符串S,即签名。
The message M shall be digested with the selected message- digest algorithm to give an octet string MD, the message digest.
应使用选定的消息摘要算法对消息M进行摘要,以给出八位字节字符串MD,即消息摘要。
The message digest MD and a message-digest algorithm identifier shall be combined into an ASN.1 value of type DigestInfo, described below, which shall be BER-encoded to give an octet string D, the data.
消息摘要MD和消息摘要算法标识符应组合为下文所述的类型为DigestInfo的ASN.1值,该值应进行BER编码,以给出八位组字符串D,即数据。
DigestInfo ::= SEQUENCE {
digestAlgorithm DigestAlgorithmIdentifier,
digest Digest }
DigestInfo ::= SEQUENCE {
digestAlgorithm DigestAlgorithmIdentifier,
digest Digest }
DigestAlgorithmIdentifier ::= AlgorithmIdentifier
DigestAlgorithmIdentifier ::= AlgorithmIdentifier
Digest ::= OCTET STRING
Digest ::= OCTET STRING
The fields of type DigestInfo have the following meanings:
DigestInfo类型的字段具有以下含义:
o digestAlgorithm identifies the message-digest algorithm (and any associated parameters). For this application, it should identify the selected message-digest algorithm, MD2, MD4 or MD5. For reference, the relevant object identifiers are the following:
o digestAlgorithm标识消息摘要算法(以及任何相关参数)。对于此应用程序,它应该标识所选的消息摘要算法MD2、MD4或MD5。相关对象标识符如下所示,以供参考:
md2 OBJECT IDENTIFIER ::=
md2 OBJECT IDENTIFIER ::=
{ iso(1) member-body(2) US(840) rsadsi(113549)
digestAlgorithm(2) 2 } md4 OBJECT IDENTIFIER ::=
{ iso(1) member-body(2) US(840) rsadsi(113549)
digestAlgorithm(2) 4 } md5 OBJECT IDENTIFIER ::=
{ iso(1) member-body(2) US(840) rsadsi(113549)
digestAlgorithm(2) 5 }
{ iso(1) member-body(2) US(840) rsadsi(113549)
digestAlgorithm(2) 2 } md4 OBJECT IDENTIFIER ::=
{ iso(1) member-body(2) US(840) rsadsi(113549)
digestAlgorithm(2) 4 } md5 OBJECT IDENTIFIER ::=
{ iso(1) member-body(2) US(840) rsadsi(113549)
digestAlgorithm(2) 5 }
For these object identifiers, the parameters field of the digestAlgorithm value should be NULL.
对于这些对象标识符,digestAlgorithm值的参数字段应为NULL。
o digest is the result of the message-digesting process, i.e., the message digest MD.
o 摘要是消息摘要处理的结果,即消息摘要MD。
Notes.
笔记。
1. A message-digest algorithm identifier is included in the DigestInfo value to limit the damage resulting from the compromise of one message-digest algorithm. For instance, suppose an adversary were able to find messages with a given MD2 message digest. That adversary might try to forge a signature on a message by finding an innocuous-looking message with the same MD2 message digest, and coercing a signer to sign the innocuous-looking message. This attack would succeed only if the signer used MD2. If the DigestInfo value contained only the message digest, however, an adversary could attack signers that use any message digest.
1. DigestInfo值中包含一个消息摘要算法标识符,以限制因一个消息摘要算法受损而造成的损害。例如,假设对手能够找到具有给定MD2消息摘要的消息。该对手可能试图通过查找具有相同MD2消息摘要的外观无害的消息,并强制签名者对外观无害的消息进行签名,从而在消息上伪造签名。只有签名者使用MD2,此攻击才会成功。但是,如果DigestInfo值仅包含消息摘要,则对手可以攻击使用任何消息摘要的签名者。
2. Although it may be claimed that the use of a SEQUENCE type violates the literal statement in the X.509 SIGNED and SIGNATURE macros that a signature is an ENCRYPTED OCTET STRING (as opposed to ENCRYPTED SEQUENCE), such a literal interpretation need not be required, as I'Anson and Mitchell point out [IM90].
2. 尽管可以声称使用序列类型违反了X.509签名和签名宏中的文字声明,即签名是加密的八位字节字符串(与加密序列相反),但正如I'Anson和Mitchell指出的[IM90],不需要这样的文字解释。
3. No reason is known that MD4 would not be for very high security digital signature schemes, but because MD4 was designed to be exceptionally fast, it is "at the edge" in terms of risking successful cryptanalytic attack. A message-digest algorithm can be considered "broken" if someone can find a collision: two messages with the same digest. While collisions have been found in variants of MD4 with only two digesting "rounds"
3. 没有理由知道MD4不适用于非常高安全性的数字签名方案,但由于MD4的设计速度非常快,它在成功密码分析攻击的风险方面处于“边缘”。如果有人能找到冲突:两条具有相同摘要的消息,则可以认为消息摘要算法“已损坏”。虽然在MD4的变体中发现了碰撞,但只有两个消化“轮”
[Mer90][dBB92], none have been found in MD4 itself, which has three rounds. After further critical review, it may be appropriate to consider MD4 for very high security applications.
[Mer90][dBB92],在MD4本身中没有发现,它有三个回合。在进一步的评论回顾之后,考虑到非常高的安全性应用的M4可能是适当的。
MD5, which has four rounds and is proportionally slower than MD4, is recommended until the completion of MD4's review. The reported "pseudocollisions" in MD5's internal compression function [dBB93] do not appear to have any practical impact on MD5's security.
MD5有四轮,在完成MD4的审查之前,建议使用MD5,其速度按比例比MD4慢。MD5内部压缩函数[dBB93]中报告的“伪冲突”似乎对MD5的安全性没有任何实际影响。
MD2, the slowest of the three, has the most conservative design. No attacks on MD2 have been published.
MD2是三款中速度最慢的,其设计最为保守。尚未发布对MD2的攻击。
The data D shall be encrypted with the signer's RSA private key as described in Section 7 to give an octet string ED, the encrypted data. The block type shall be 01. (See Section 8.1.)
数据D应使用第7节所述签名人的RSA私钥进行加密,以给出加密数据的八位字节字符串ED。块类型应为01。(见第8.1节。)
The encrypted data ED shall be converted into a bit string S, the signature. Specifically, the most significant bit of the first octet of the encrypted data shall become the first bit of the signature, and so on through the least significant bit of the last octet of the encrypted data, which shall become the last bit of the signature.
加密数据ED应转换为位字符串S,即签名。具体而言,加密数据的第一个八位字节的最高有效位应成为签名的第一位,依此类推,通过加密数据的最后一个八位字节的最低有效位,其应成为签名的最后一位。
Note. The length in bits of the signature S is a multiple of eight.
笔记签名S的长度(以位为单位)是8的倍数。
The verification process for both signature algorithms consists of four steps: bit-string-to-octet-string conversion, RSA decryption, data decoding, and message digesting and comparison. The input to the verification process shall be an octet string M, the message; a signer's public key; and a bit string S, the signature. The output from the verification process shall be an indication of success or failure.
这两种签名算法的验证过程包括四个步骤:位字符串到八位字符串的转换、RSA解密、数据解码以及消息摘要和比较。验证过程的输入应为八位字节字符串M,即消息;签名者的公钥;还有一个位字符串S,签名。验证过程的输出应表示成功或失败。
The signature S shall be converted into an octet string ED, the encrypted data. Specifically, assuming that the length in bits of the signature S is a multiple of eight, the first bit of the signature shall become the most significant bit of the first octet of the
签名S应转换为八位字节字符串ED,即加密数据。具体地说,假设签名S的位长度是8的倍数,则签名的第一位应成为签名的第一个八位组的最高有效位
encrypted data, and so on through the last bit of the signature, which shall become the least significant bit of the last octet of the encrypted data.
加密数据,等等,通过签名的最后一位,它将成为加密数据最后八位字节的最低有效位。
It is an error if the length in bits of the signature S is not a multiple of eight.
如果签名S的位长度不是8的倍数,则为错误。
The encrypted data ED shall be decrypted with the signer's RSA public key as described in Section 8 to give an octet string D, the data.
加密数据ED应使用第8节中所述的签名者RSA公钥解密,以给出八位组字符串D,即数据。
It is an error if the block type recovered in the decryption process is not 01. (See Section 9.4.)
如果解密过程中恢复的块类型不是01,则为错误。(见第9.4节。)
The data D shall be BER-decoded to give an ASN.1 value of type DigestInfo, which shall be separated into a message digest MD and a message-digest algorithm identifier. The message-digest algorithm identifier shall determine the "selected" message-digest algorithm for the next step.
数据D应进行BER解码,以给出DigestInfo类型的ASN.1值,该值应分为消息摘要MD和消息摘要算法标识符。消息摘要算法标识符应确定下一步的“选定”消息摘要算法。
It is an error if the message-digest algorithm identifier does not identify the MD2, MD4 or MD5 message-digest algorithm.
如果消息摘要算法标识符未标识MD2、MD4或MD5消息摘要算法,则为错误。
The message M shall be digested with the selected message-digest algorithm to give an octet string MD', the comparative message digest. The verification process shall succeed if the comparative message digest MD' is the same as the message digest MD, and the verification process shall fail otherwise.
应使用选定的消息摘要算法对消息M进行摘要,以给出八位字节字符串MD',即比较消息摘要。如果比较消息摘要MD'与消息摘要MD'相同,则验证过程应成功,否则验证过程应失败。
This document defines five object identifiers: pkcs-1, rsaEncryption, md2WithRSAEncryption, md4WithRSAEncryption, and md5WithRSAEncryption.
本文档定义了五个对象标识符:pkcs-1、RSA加密、MD2WithRSA加密、MD4WithRSA加密和MD5WithRSA加密。
The object identifier pkcs-1 identifies this document.
对象标识符pkcs-1标识此文档。
pkcs-1 OBJECT IDENTIFIER ::=
pkcs-1 OBJECT IDENTIFIER ::=
{ iso(1) member-body(2) US(840) rsadsi(113549)
pkcs(1) 1 }
{ iso(1) member-body(2) US(840) rsadsi(113549)
pkcs(1) 1 }
The object identifier rsaEncryption identifies RSA public and private keys as defined in Section 7 and the RSA encryption and decryption processes defined in Sections 8 and 9.
对象标识符RSA encryption标识第7节中定义的RSA公钥和私钥,以及第8节和第9节中定义的RSA加密和解密过程。
rsaEncryption OBJECT IDENTIFIER ::= { pkcs-1 1 }
rsaEncryption OBJECT IDENTIFIER ::= { pkcs-1 1 }
The rsaEncryption object identifier is intended to be used in the algorithm field of a value of type AlgorithmIdentifier. The parameters field of that type, which has the algorithm-specific syntax ANY DEFINED BY algorithm, would have ASN.1 type NULL for this algorithm.
RSA加密对象标识符用于AlgorithmIdentifier类型值的算法字段。该类型的参数字段具有任何算法定义的特定于算法的语法,该算法的ASN.1类型为NULL。
The object identifiers md2WithRSAEncryption, md4WithRSAEncryption, md5WithRSAEncryption, identify, respectively, the "MD2 with RSA," "MD4 with RSA," and "MD5 with RSA" signature and verification processes defined in Section 10.
对象标识符MD2 with RSA encryption、MD4 with RSA encryption、MD5 with RSA encryption分别标识第10节中定义的“MD2 with RSA”、“MD4 with RSA”和“MD5 with RSA”签名和验证过程。
md2WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 2 }
md4WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 3 }
md5WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 4 }
md2WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 2 }
md4WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 3 }
md5WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 4 }
These object identifiers are intended to be used in the algorithm field of a value of type AlgorithmIdentifier. The parameters field of that type, which has the algorithm-specific syntax ANY DEFINED BY algorithm, would have ASN.1 type NULL for these algorithms.
这些对象标识符旨在用于AlgorithmIdentifier类型值的算法字段中。该类型的参数字段具有算法定义的特定于算法的语法,这些算法的ASN.1类型为NULL。
Note. X.509's object identifier rsa also identifies RSA public keys as defined in Section 7, but does not identify private keys, and identifies different encryption and decryption processes. It is expected that some applications will identify public keys by rsa. Such public keys are compatible with this document; an rsaEncryption process under an rsa public key is the same as the rsaEncryption process under an rsaEncryption public key.
笔记X.509的对象标识符rsa还标识第7节中定义的rsa公钥,但不标识私钥,并标识不同的加密和解密过程。预计一些应用程序将通过rsa识别公钥。此类公钥与本文件兼容;rsa公钥下的rsa加密过程与rsa加密公钥下的rsa加密过程相同。
Security Considerations
安全考虑
Security issues are discussed throughout this memo.
本备忘录中讨论了安全问题。
Revision history
修订历史
Versions 1.0-1.3
版本1.0-1.3
Versions 1.0-1.3 were distributed to participants in RSA Data Security, Inc.'s Public-Key Cryptography Standards meetings in February and March 1991.
版本1.0-1.3于1991年2月和3月分发给RSA Data Security,Inc.公钥加密标准会议的与会者。
Version 1.4
版本1.4
Version 1.4 is part of the June 3, 1991 initial public release of PKCS. Version 1.4 was published as NIST/OSI Implementors' Workshop document SEC-SIG-91-18.
版本1.4是1991年6月3日PKCS首次公开发布的一部分。版本1.4发布为NIST/OSI实施者研讨会文件SEC-SIG-91-18。
Version 1.5
版本1.5
Version 1.5 incorporates several editorial changes, including updates to the references and the addition of a revision history. The following substantive changes were made:
版本1.5包含了一些编辑性更改,包括对参考文件的更新和添加修订历史记录。作出了以下实质性修改:
o Section 10: "MD4 with RSA" signature and verification processes are added.
o 第10节:增加了“MD4 with RSA”签名和验证过程。
o Section 11: md4WithRSAEncryption object identifier is added.
o 第11节:添加了MD4WithRSA加密对象标识符。
Supersedes June 3, 1991 version, which was also published as NIST/OSI Implementors' Workshop document SEC-SIG-91-18.
取代1991年6月3日版本,该版本也作为NIST/OSI实施者研讨会文件SEC-SIG-91-18发布。
Acknowledgements
致谢
This document is based on a contribution of RSA Laboratories, a division of RSA Data Security, Inc. Any substantial use of the text from this document must acknowledge RSA Data Security, Inc. RSA Data Security, Inc. requests that all material mentioning or referencing this document identify this as "RSA Data Security, Inc. PKCS #1".
本文档基于RSA Data Security,Inc.旗下RSA Laboratories的贡献。任何对本文档中文本的实质性使用都必须承认RSA Data Security,Inc.RSA Data Security,Inc.要求提及或引用本文档的所有材料将其标识为“RSA Data Security,Inc.PKCS#1”。
Author's Address
作者地址
Burt Kaliski RSA Laboratories East 20 Crosby Drive Bedford, MA 01730
Burt Kaliski RSA Laboratories East 20 Crosby Drive Bedford,马萨诸塞州01730
Phone: (617) 687-7000 EMail: burt@rsa.com
电话:(617)687-7000电子邮件:burt@rsa.com
Full Copyright Statement
完整版权声明
Copyright (C) The Internet Society (1998). All Rights Reserved.
版权所有(C)互联网协会(1998年)。版权所有。
This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English.
本文件及其译本可复制并提供给他人,对其进行评论或解释或协助其实施的衍生作品可全部或部分编制、复制、出版和分发,不受任何限制,前提是上述版权声明和本段包含在所有此类副本和衍生作品中。但是,不得以任何方式修改本文件本身,例如删除版权通知或对互联网协会或其他互联网组织的引用,除非出于制定互联网标准的需要,在这种情况下,必须遵循互联网标准过程中定义的版权程序,或根据需要将其翻译成英语以外的其他语言。
The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assigns.
上述授予的有限许可是永久性的,互联网协会或其继承人或受让人不会撤销。
This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
本文件和其中包含的信息是按“原样”提供的,互联网协会和互联网工程任务组否认所有明示或暗示的保证,包括但不限于任何保证,即使用本文中的信息不会侵犯任何权利,或对适销性或特定用途适用性的任何默示保证。