RSA signature and encryption schemes: RSA-PSS and RSA-OAEP
There are two RSA signature schemes specified in [PKCS1]: RSASSA-PKCS1-v1_5 and RSASSA-PSS (RSASSA = RSA Signature Scheme with Appendix).
RSASSA-PSS is a probabilistic signature scheme (PSS) with appendix.
A signature scheme with appendix requires the message itself to verify the signature (i.e. the message is not recoverable from the signature).
There are also two RSA encryption schemes: RSAES-PKCS1-v1_5 and RSAES-OAEP (Optimal Asymmetric Encryption Padding). Both use random seeds (and so produce a different ciphertext value each time),
but RSA-OAEP is more robust and is the recommended alternative.
The PKCS1-v1_5 schemes are "self-contained": the signature values and ciphertext values contain all the information needed to verify or decipher.
In contrast, both the RSA-PSS and RSA-OAEP schemes require parameters which need to be provided separately.
Both require a hash function to be specified and both use a mask generation function (MGF).
There is currently only one MGF specified, called MGF1.
This in turn uses a hash function (the "MGF hash function") which may be different from the scheme hash function.
More details below.
Incidentally, the terms "function" and "algorithm" are used interchangeably here. The term "algorithm" was used in the early PKCS#1 specifications
(and is reflected in the ASN.1 type names), and "function" is used in the more recent ones.
Differences between signature schemes RSASSA-PKCS1-v1_5 and RSASSA-PSS
The signature schemes RSASSA-PKCS1-v1_5 ("PKCSV1_5") and RSASSA-PSS ("PSS") differ in the following ways.
- PKCSV1_5 is deterministic. The same message and key will produce an identical signature value each time.
PSS is randomized and will produce a different signature value each time (unless you use a zero-length salt).
- A PKCSV1_5 signature is complete in itself. Once decrypted using the private key, you can detect the hash function used to create it
and extract the message digest value.
A PSS signature has separate parameters (see below) which need to be known prior to verifying a signature.
These are included in X.509 certificates and CMS signed-data objects,
but need to be communicated separately for an isolated signature value.
- You can extract the message digest value from a PKCSV1_5 signature. You cannot extract it from a PSS signature; you can only verify against a known digest value.
- PSS has a security proof and is more robust in theory than PKCSV1_5. Nevertheless PKCSV1_5 has no known security weaknesses at this time.
- PSS had patent issues until recently (the last one expired in 2010) and is less widely adopted. PKCSV1_5 has been widely used since the 1990s.
RSASSA-PSS parameters
- hash algorithm/function. The default is SHA-1.
- mask generation function (MGF). Currently always MGF1.
- salt length. The default value is 20 but the convention is to use hLen, the length of the output of the hash function in bytes.
A salt length of zero is permitted and will result in a deterministic signature value. The actual salt length used can be determined from the signature value.
- trailer field, used in the encoding operation. The default trailer field is the byte 0xbc. This is the only option available in this Toolkit.
The default parameters for RSASSA-PSS are:
hashAlgorithm sha1,
maskGenAlgorithm mgf1SHA1 (the function MGF1 with SHA-1)
saltLength 20,
trailerField trailerFieldBC (the byte 0xbc)
It is recommended that the MGF hash function be the same as the scheme hash algorithm/function, and that the salt length be hLen, the length of the output of the hash function.
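The PSS encoding described above, as an added Python example (not part of the original page and not the Toolkit's code). It shows MGF1, why the hash and MGF hash must be known to the verifier, and how the salt length is recovered from the encoded block. The function names mgf1, pss_encode and pss_check are assumptions, and the RSA operation itself is left out: the code works on the encoded block EM for a 2048-bit key (emBits = 2047).

```python
import hashlib, hmac, os

def mgf1(seed, length, hash_name):
    """MGF1: concatenate Hash(seed || 4-byte counter) blocks, then truncate."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.new(hash_name, seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def pss_encode(msg, em_bits, salt, hash_name, mgf_hash):
    """EMSA-PSS encoding: builds the block EM that the RSA private key signs."""
    em_len = (em_bits + 7) // 8
    m_hash = hashlib.new(hash_name, msg).digest()
    h = hashlib.new(hash_name, bytes(8) + m_hash + salt).digest()
    ps_len = em_len - len(salt) - len(h) - 2
    if ps_len < 0:
        raise ValueError("key too small for this hash and salt length")
    db = bytes(ps_len) + b"\x01" + salt
    masked = bytearray(_xor(db, mgf1(h, len(db), mgf_hash)))
    masked[0] &= 0xFF >> (8 * em_len - em_bits)   # clear the unused top bits
    return bytes(masked) + h + b"\xbc"            # trailer field 0xbc

def pss_check(msg, em, em_bits, hash_name, mgf_hash):
    """Return the salt length found in EM if EM matches msg, else None."""
    h_len = hashlib.new(hash_name).digest_size
    em_len = (em_bits + 7) // 8
    top = 0xFF >> (8 * em_len - em_bits)
    if len(em) != em_len or em_len < h_len + 2 or em[-1] != 0xBC or em[0] > top:
        return None
    masked, h = em[:-h_len - 1], em[-h_len - 1:-1]
    db = bytearray(_xor(masked, mgf1(h, len(masked), mgf_hash)))
    db[0] &= top
    rest = bytes(db).lstrip(b"\x00")              # skip the zero padding PS
    if rest[:1] != b"\x01":                       # separator before the salt
        return None
    salt = rest[1:]
    m_prime = bytes(8) + hashlib.new(hash_name, msg).digest() + salt
    ok = hmac.compare_digest(h, hashlib.new(hash_name, m_prime).digest())
    return len(salt) if ok else None

if __name__ == "__main__":
    msg = b"constructed sample message"           # constructed input
    em = pss_encode(msg, 2047, os.urandom(32), "sha256", "sha256")
    print(pss_check(msg, em, 2047, "sha256", "sha256"))  # 32: salt length recovered
    print(pss_check(msg, em, 2047, "sha256", "sha1"))    # None: wrong MGF hash
    print(pss_check(msg, em, 2047, "sha1", "sha256"))    # None: wrong scheme hash
```

A zero-length salt makes pss_encode return the same EM every time for a given message, which is the deterministic case mentioned above.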
Differences between encryption schemes RSAES-PKCS1-v1_5 vs RSAES-OAEP
- RSAES-OAEP has a security proof and is the recommended scheme in new implementations.
The older RSAES-PKCS1-v1_5 scheme has some known vulnerabilities (easily avoided), and is still widely used.
- Both use random seeds and so produce a different ciphertext each time for a given plaintext and key.
- A PKCSV1_5 ciphertext is complete in itself. Once decrypted using the private key, you can extract the plaintext directly.
- An RSA-OAEP ciphertext requires separate parameters to decrypt it as well as the key.
These are included in a CMS enveloped-data object but need to be provided separately for an isolated ciphertext value.
RSAES-OAEP parameters
- hash algorithm/function. The default is SHA-1.
- mask generation function (MGF). Currently always MGF1.
- pSourceAlgorithm. The source or value of the label L used in the OAEP encoding operation. The default is the empty string "".
This is the only option available in this Toolkit.
The default parameters for RSAES-OAEP are:
hashAlgorithm sha1,
maskGenAlgorithm mgf1SHA1 (the function MGF1 with SHA-1)
pSourceAlgorithm pSpecifiedEmpty (label L is an empty string)
It is recommended that the MGF hash function be the same as the scheme hash algorithm/function.