CryptoSys PKI Toolkit Manual

RSA-KEM

RSA-KEM is a key transport algorithm for transporting keying data to a recipient using the recipient's RSA public key. It is also known as "Simple RSA". It is meant to be stronger than the PKCS#1 v1.5 rsaEncryption algorithm and is an alternative to the hardly-implemented-by-anybody RSAES-OAEP from PKCS#1 v2.

RSA-KEM is described in ISO 18033-2 [ISO18033-2] and in an Internet draft document [CMSRSAKEM]. It involves using RSA to encrypt a randomly generated number and uses both key wrapping with a symmetric block cipher and a message-digest-based key derivation function (KDF). There are three parameters required to define it (block cipher, KDF, message digest).

The default parameters in this Toolkit are AES128-Wrap and KDF2 with SHA-1. Note that, in this case, Triple DES is not the default block cipher, although it is available as an option.

When using the CMS_QueryEnvData function to find the keyEncryptionAlgorithm, it will be described as "ac-generic-hybrid", not RSA-KEM, which is strictly the "KeyEncapsulationMechanism" or KEM. The KEM is a parameter of the overarching key encryption algorithm, together with the "DataEncapsulationMechanism", DEM, the symmetric key wrap algorithm. To add to the fun, the official name for the OID is the other way around, as in "kem-rsa".

In an ASN.1-style format, the KeyEncryptionAlgorithm element for PKCS#1 rsaEncryption

SEQUENCE {
  rsaEncryption,
  NULL
}

is replaced by a typical element like this for RSA-KEM

SEQUENCE {
  id-ac-generic-hybrid,                         -- generic cipher
  SEQUENCE {                           -- GenericHybridParameters
    SEQUENCE {                     -- key encapsulation mechanism
      id-kem-rsa,                                      -- RSA-KEM
      SEQUENCE {                              -- RsaKemParameters
        SEQUENCE {                     -- key derivation function
          id-kdf-kdf2,                                    -- KDF2
          SEQUENCE {                         -- KDF2-HashFunction
            id-sha256       -- SHA-256; no parameters (preferred)
          }
        },
        16                                 -- KEK length in bytes
      }
    },
    SEQUENCE {                    -- data encapsulation mechanism
      id-aes128-Wrap               -- AES-128 Wrap; no parameters
    }
  }
}
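The key encapsulation step described above, using the KDF2, SHA-256 and 16-byte KEK parameters from this listing, is shown below as an added example; it is not Toolkit code and not part of the original manual. The function names `kdf2`, `encapsulate` and `decapsulate` and the toy key built from two well-known Mersenne primes are assumptions made for illustration; the derived KEK would then be the key for the AES-128 Wrap step.

```python
import hashlib
import secrets

# Constructed toy key for illustration only: two publicly known Mersenne primes.
# A real recipient key comes from a proper RSA key generator.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (Python 3.8+)
N_LEN = (N.bit_length() + 7) // 8   # modulus length in bytes


def kdf2(z: bytes, length: int, hash_name: str = "sha256") -> bytes:
    """KDF2 (ISO 18033-2): Hash(Z || counter) blocks, counter starts at 1."""
    out = b""
    counter = 1
    while len(out) < length:
        out += hashlib.new(hash_name, z + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encapsulate(n: int, e: int, kek_len: int = 16):
    """Sender: pick random z < n, RSA-encrypt it, derive the KEK from z."""
    n_len = (n.bit_length() + 7) // 8
    z = secrets.randbelow(n)
    c = pow(z, e, n).to_bytes(n_len, "big")
    kek = kdf2(z.to_bytes(n_len, "big"), kek_len)
    return c, kek


def decapsulate(n: int, d: int, c: bytes, kek_len: int = 16) -> bytes:
    """Recipient: recover z with the private key and derive the same KEK."""
    n_len = (n.bit_length() + 7) // 8
    if len(c) != n_len or int.from_bytes(c, "big") >= n:
        raise ValueError("ciphertext out of range for this modulus")
    z = pow(int.from_bytes(c, "big"), d, n)
    return kdf2(z.to_bytes(n_len, "big"), kek_len)


if __name__ == "__main__":
    c, kek_sender = encapsulate(N, E)
    kek_recipient = decapsulate(N, D, c)
    print(len(c), kek_sender.hex(), kek_sender == kek_recipient)
```

Passing `hash_name="sha1"` to `kdf2` gives the KDF2 with SHA-1 combination named above as the Toolkit default.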

This is a provisional version of the algorithm in this release. We reserve the right to change the related function and method parameters and options in a future release, and to fix any errors once (if!) proper test vectors are available.

Copyright © 2004-9 D.I. Management Services Pty Ltd. All rights reserved.