Thursday, March 7, 2013


The XML Digital Signature specs detail the use of RSA-OAEP padding. The best explanation, with a diagram, is available at Wikipedia. Section 9.1.1 of the PKCS #1 v2.0 standard also explains how this padding algorithm works.
5.4.2 RSA-OAEP

Identifier: (REQUIRED)
The RSAES-OAEP-ENCRYPT algorithm, as specified in RFC 2437 [PKCS1], takes three parameters. The two user specified parameters are a MANDATORY message digest function and an OPTIONAL encoding octet string OAEPparams. The message digest function is indicated by the Algorithm attribute of a child ds:DigestMethod element and the mask generation function, the third parameter, is always MGF1 with SHA1 (mgf1SHA1Identifier). Both the message digest and mask generation functions are used in the EME-OAEP-ENCODE operation as part of RSAES-OAEP-ENCRYPT. The encoding octet string is the base64 decoding of the content of an optional OAEPparams child element. If no OAEPparams child is provided, a null string is used.

Schema Definition:
An example of an RSA-OAEP element is:

If you want to use OpenSSL to decode RSA-OAEP padded data, however, the OAEPparams option cannot be used. Normally, when a message is initially prepared, it is hashed with an input parameter, which is step 3 in Section 9.1.1 of RFC 2437: "Generate an octet string PS consisting of emLen-||M||-2hLen-1 zero octets. The length of PS may be 0."

But OpenSSL's OAEP padding is described as "EME-OAEP as defined in PKCS #1 v2.0 with SHA-1, MGF1 and an empty encoding parameter" (EME stands for encoding methods for encryption). Therefore, the octet string PS must be empty.
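
An added example, not from the original post or from OpenSSL: a minimal EME-OAEP encode/decode following RFC 2437 Section 9.1.1 with SHA-1 and MGF1, showing that a block encoded with a non-empty OAEPparams is rejected by a decoder that assumes an empty encoding parameter. The function names, the 127-octet block length and the sample parameter string are assumptions made for the illustration.

```python
import hashlib, hmac, os

H_LEN = hashlib.sha1().digest_size  # hLen = 20 for SHA-1

def mgf1(seed: bytes, length: int) -> bytes:
    """MGF1 with SHA-1, the fixed mask generation function quoted above."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha1(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def oaep_encode(msg: bytes, params: bytes, em_len: int) -> bytes:
    """EME-OAEP-ENCODE(M, P, emLen) following RFC 2437 Section 9.1.1."""
    if len(msg) > em_len - 2 * H_LEN - 1:
        raise ValueError("message too long")
    ps = b"\x00" * (em_len - len(msg) - 2 * H_LEN - 1)  # zero octets, may be empty
    db = hashlib.sha1(params).digest() + ps + b"\x01" + msg  # pHash||PS||01||M
    seed = os.urandom(H_LEN)
    masked_db = xor(db, mgf1(seed, em_len - H_LEN))
    masked_seed = xor(seed, mgf1(masked_db, H_LEN))
    return masked_seed + masked_db

def oaep_decode(em: bytes, params: bytes) -> bytes:
    """EME-OAEP-DECODE(EM, P); every failure raises the same error."""
    if len(em) < 2 * H_LEN + 1:
        raise ValueError("decoding error")
    masked_seed, masked_db = em[:H_LEN], em[H_LEN:]
    seed = xor(masked_seed, mgf1(masked_db, H_LEN))
    db = xor(masked_db, mgf1(seed, len(masked_db)))
    p_hash, rest = db[:H_LEN], db[H_LEN:]
    sep = rest.find(b"\x01")  # first 0x01 ends the zero padding
    same = hmac.compare_digest(p_hash, hashlib.sha1(params).digest())
    if not same or sep < 0 or any(rest[:sep]):
        raise ValueError("decoding error")
    return rest[sep + 1:]

def accepts(em: bytes, params: bytes) -> bool:
    """True if the block decodes under the given encoding parameter."""
    try:
        oaep_decode(em, params)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    EM_LEN = 127  # constructed: k-1 octets for a 1024-bit modulus
    em = oaep_encode(b"session key", b"constructed-params", EM_LEN)
    print(accepts(em, b"constructed-params"), accepts(em, b""))
```

The decoder recomputes the hash of its own encoding parameter and compares it with the one embedded in the block, so sender and receiver must agree on OAEPparams; with a receiver fixed to an empty parameter, the sender has to omit the OAEPparams element.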
