CryptoSys PKI Pro Manual

RSA signature and encryption schemes: RSA-PSS and RSA-OAEP

There are two RSA signature schemes specified in [PKCS1]: RSASSA-PKCS1-v1_5 and RSASSA-PSS (RSASSA = RSA Signature Scheme with Appendix). RSASSA-PSS is a probabilistic signature scheme (PSS) with appendix. A signature scheme with appendix requires the message itself to verify the signature (i.e. the message is not recoverable from the signature).

There are also two RSA encryption schemes: RSAES-PKCS1-v1_5 and RSAES-OAEP (RSAES = RSA Encryption Scheme; OAEP = Optimal Asymmetric Encryption Padding). Both are randomised (RSAES-PKCS1-v1_5 pads with random non-zero bytes, RSAES-OAEP mixes in a random seed), so encrypting the same message twice under the same key produces a different ciphertext each time. RSAES-OAEP is the more robust of the two: it has a security proof against chosen-ciphertext attacks, whereas chosen-ciphertext (padding oracle) attacks on RSAES-PKCS1-v1_5 are documented in [PKCS1] itself. [PKCS1] recommends RSAES-OAEP for new applications and retains RSAES-PKCS1-v1_5 only for compatibility with existing ones.

The PKCS1-v1_5 schemes are "self-contained": a signature or ciphertext value, together with the key, carries all the information needed to verify or decipher it (the hash algorithm used for an RSASSA-PKCS1-v1_5 signature, for example, is identified inside the DigestInfo structure that the signature encodes). In contrast, both RSASSA-PSS and RSAES-OAEP take parameters that must be conveyed separately from the signature or ciphertext, and the verifying or decrypting party must use exactly the same values or the operation fails. Both schemes require a hash function to be specified and both use a mask generation function (MGF). There is currently only one MGF specified, called MGF1. This in turn uses a hash function (the "MGF hash function") which may be different from the scheme hash function. More details below.

Incidentally, the terms "function" and "algorithm" are used interchangeably here. The term "algorithm" was used in the early PKCS#1 specifications (and is reflected in the ASN.1 type names), and "function" is used in the more recent ones.

Differences between signature schemes RSASSA-PKCS-v1_5 and RSASSA-PSS

The signature schemes RSASSA-PKCS1-v1_5 ("PKCSV1_5") and RSASSA-PSS ("PSS") differ in several respects. RSASSA-PKCS1-v1_5 is deterministic: the same key and message always give the same signature, and the encoded message is a fixed DigestInfo structure that names the hash algorithm, so the verifier needs nothing beyond the public key. RSASSA-PSS is probabilistic: a random salt is mixed into the encoded message, so repeated signatures over the same message differ, and the hash function, mask generation function, salt length and trailer field are parameters that the verifier must know in advance rather than read out of the signature. [PKCS1] notes that no attacks are known against RSASSA-PKCS1-v1_5 but, because RSASSA-PSS has a security proof that ties its security closely to the RSA problem, recommends RSASSA-PSS for adoption in new applications.

RSASSA-PSS parameters

The default parameters for RSASSA-PSS are:

hashAlgorithm       sha1,
maskGenAlgorithm    mgf1SHA1 (the function MGF1 with SHA-1)
saltLength          20,
trailerField        trailerFieldBC (the byte 0xbc)

It is recommended that the MGF hash function be the same as the scheme hash algorithm/function, and that the salt length be hLen, the length in octets of the output of the hash function. The SHA-1 defaults above reflect the age of the specification; current practice is to use SHA-256 or stronger for both hash functions and to state all four parameters explicitly rather than rely on the defaults, since a verifier that assumes a different salt length or MGF hash function will reject an otherwise valid signature.

Differences between encryption schemes RSAES-PKCS1-v1_5 and RSAES-OAEP

RSAES-PKCS1-v1_5 pads the message with a fixed structure (0x00, 0x02, at least eight random non-zero bytes, a 0x00 separator, then the message), so the decrypting party needs no parameters other than the private key. RSAES-OAEP instead builds its encoded message from a hash function, a mask generation function and an optional label L: the label is hashed into the data block, the block is masked with MGF1 under a random seed, and the seed is in turn masked with MGF1 under the masked block, so every bit of the ciphertext depends on every bit of the seed. The decrypting party must use the same hash function, MGF and label; any mismatch makes decryption fail.

RSAES-OAEP parameters

The default parameters for RSAES-OAEP are:

hashAlgorithm       sha1,
maskGenAlgorithm    mgf1SHA1 (the function MGF1 with SHA-1)
pSourceAlgorithm    pSpecifiedEmpty (label L is an empty string)

It is recommended that the MGF hash function be the same as the scheme hash algorithm/function. The label L is optional and is usually left empty, but when it is used the decrypting party must supply the identical value: the label is not recoverable from the ciphertext, and a wrong label is indistinguishable from a corrupted ciphertext.
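As an added worked example (not code from the toolkit or from this manual), the following Python implements MGF1, the EMSA-PSS encode/verify operations and the EME-OAEP encode/decode operations from [PKCS1] using only hashlib, leaving out the RSA modular exponentiation so that the effect of the separately supplied parameters is visible on its own. The demo function, the message, label and salt it uses, and the 2048-bit modulus size it assumes (emBits = 2047, k = 256 octets) are constructed for illustration. It shows that a PSS encoding made with a 32-byte salt and MGF1 with SHA-256 is rejected when the verifier assumes a salt length of 20 or MGF1 with SHA-1, and that an OAEP encoding cannot be decoded under a different label.

```python
"""MGF1, EMSA-PSS and EME-OAEP from RFC 8017 in pure Python (hashlib only).
Added example: the RSA exponentiation is omitted so only the parameter-dependent
encoding layer is shown. Not the toolkit's own code."""
import hashlib
import hmac
import os


def mgf1(seed: bytes, mask_len: int, hash_name: str) -> bytes:
    """MGF1 (RFC 8017 B.2.1): Hash(seed || C) for C = 0, 1, ..., truncated to mask_len."""
    h_len = hashlib.new(hash_name).digest_size
    blocks = (mask_len + h_len - 1) // h_len
    out = b"".join(hashlib.new(hash_name, seed + c.to_bytes(4, "big")).digest()
                   for c in range(blocks))
    return out[:mask_len]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def emsa_pss_encode(m_hash, em_bits, hash_name, mgf_hash_name, salt):
    """EMSA-PSS-ENCODE (RFC 8017 9.1.1). The caller supplies the salt, so sLen = len(salt)."""
    h_len = hashlib.new(hash_name).digest_size
    em_len = (em_bits + 7) // 8
    if em_len < h_len + len(salt) + 2:
        raise ValueError("encoding error")
    h = hashlib.new(hash_name, b"\x00" * 8 + m_hash + salt).digest()   # H = Hash(M')
    db = b"\x00" * (em_len - len(salt) - h_len - 2) + b"\x01" + salt   # DB = PS || 0x01 || salt
    masked_db = bytearray(_xor(db, mgf1(h, em_len - h_len - 1, mgf_hash_name)))
    masked_db[0] &= 0xFF >> (8 * em_len - em_bits)   # clear the leftmost 8*emLen - emBits bits
    return bytes(masked_db) + h + b"\xbc"             # trailerFieldBC


def emsa_pss_verify(m_hash, em, em_bits, hash_name, mgf_hash_name, s_len) -> bool:
    """EMSA-PSS-VERIFY (RFC 8017 9.1.2); returns False on any inconsistency."""
    h_len = hashlib.new(hash_name).digest_size
    em_len = (em_bits + 7) // 8
    if len(em) != em_len or em_len < h_len + s_len + 2 or em[-1] != 0xBC:
        return False
    masked_db, h = em[:em_len - h_len - 1], em[em_len - h_len - 1:-1]
    top_bits = ~(0xFF >> (8 * em_len - em_bits)) & 0xFF
    if masked_db[0] & top_bits:
        return False
    db = bytearray(_xor(masked_db, mgf1(h, em_len - h_len - 1, mgf_hash_name)))
    db[0] &= 0xFF >> (8 * em_len - em_bits)
    pad_len = em_len - h_len - s_len - 2
    if any(db[:pad_len]) or db[pad_len] != 0x01:   # PS must be all zero, then 0x01
        return False
    salt = bytes(db[pad_len + 1:])                  # the remaining s_len octets
    h2 = hashlib.new(hash_name, b"\x00" * 8 + m_hash + salt).digest()
    return hmac.compare_digest(h, h2)


def eme_oaep_encode(m, k, hash_name, mgf_hash_name, label=b"", seed=None):
    """EME-OAEP encoding (RFC 8017 7.1.1 step 2); k is the modulus length in octets."""
    h_len = hashlib.new(hash_name).digest_size
    if len(m) > k - 2 * h_len - 2:
        raise ValueError("message too long")
    l_hash = hashlib.new(hash_name, label).digest()
    db = l_hash + b"\x00" * (k - len(m) - 2 * h_len - 2) + b"\x01" + m
    seed = os.urandom(h_len) if seed is None else seed
    masked_db = _xor(db, mgf1(seed, k - h_len - 1, mgf_hash_name))
    masked_seed = _xor(seed, mgf1(masked_db, h_len, mgf_hash_name))
    return b"\x00" + masked_seed + masked_db


def eme_oaep_decode(em, k, hash_name, mgf_hash_name, label=b""):
    """EME-OAEP decoding (RFC 8017 7.1.2 step 3); one error for every failure cause."""
    h_len = hashlib.new(hash_name).digest_size
    if len(em) != k or k < 2 * h_len + 2:
        raise ValueError("decryption error")
    y, masked_seed, masked_db = em[0], em[1:1 + h_len], em[1 + h_len:]
    seed = _xor(masked_seed, mgf1(masked_db, h_len, mgf_hash_name))
    db = _xor(masked_db, mgf1(seed, k - h_len - 1, mgf_hash_name))
    l_hash = hashlib.new(hash_name, label).digest()
    sep = db.find(b"\x01", h_len)   # first 0x01 after lHash marks the end of PS
    if y != 0 or sep < 0 or any(db[h_len:sep]) or not hmac.compare_digest(db[:h_len], l_hash):
        raise ValueError("decryption error")
    return db[sep + 1:]


def demo() -> dict:
    """Constructed demonstration: which parameter mismatches break verification/decoding."""
    m_hash = hashlib.sha256(b"constructed message").digest()
    em_bits = 2047                     # emBits = modBits - 1 for an assumed 2048-bit modulus
    salt = os.urandom(32)              # sLen = hLen, the recommended salt length
    em = emsa_pss_encode(m_hash, em_bits, "sha256", "sha256", salt)
    k = 256                            # the same assumed 2048-bit modulus, in octets
    ct = eme_oaep_encode(b"session key", k, "sha256", "sha256", label=b"ctx")
    try:
        eme_oaep_decode(ct, k, "sha256", "sha256", label=b"")   # decrypting party omits the label
        wrong_label_accepted = True
    except ValueError:
        wrong_label_accepted = False
    return {
        "pss_ok": emsa_pss_verify(m_hash, em, em_bits, "sha256", "sha256", 32),
        "pss_wrong_salt_len": emsa_pss_verify(m_hash, em, em_bits, "sha256", "sha256", 20),
        "pss_wrong_mgf_hash": emsa_pss_verify(m_hash, em, em_bits, "sha256", "sha1", 32),
        "oaep_ok": eme_oaep_decode(ct, k, "sha256", "sha256", label=b"ctx") == b"session key",
        "oaep_wrong_label_accepted": wrong_label_accepted,
    }


if __name__ == "__main__":
    print(demo())
```

Two design points are worth noting. The PSS verifier takes the salt length as an input rather than discovering it, which is exactly why saltLength must travel with the parameters: the encoded message gives no other way to tell where PS ends and the salt begins. The OAEP decoder raises a single undifferentiated "decryption error" for every failure, as [PKCS1] requires; reporting which check failed (leading byte, label hash or separator) would hand an attacker a decryption oracle.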

Copyright © 2004-24 D.I. Management Services Pty Ltd. All rights reserved. Generated 2024-09-23T07:52:09Z.