PKCS #1 hash formats

Edit online

Version 2.0 and 2.1 of the PKCS #1 standard defines methods for formatting keys and hashes prior to RSA encryption of the resulting data structures.

The earlier versions of the PKCS #1 standard defined block types 0, 1, and 2, but in the current standard that terminology is dropped.

CCA implemented these processes using the terminology of the Version 2.0 standard:
  • For formatting keys for secured transport (Symmetric Key Export, Digital Signature Generate, Symmetric Key Import):
    • RSAES-OAEP, the preferred method for key-encipherment when exchanging DATA keys between systems. Keyword PKCSOAEP (Version 2.0) and PKOAEP2 (Version 2.1) is used to invoke this formatting technique. The P parameter described in the standard is not used and its length is set to zero.
    • RSAES-PKCS1-v1_5, is an older method for formatting keys. It is included for compatibility with existing applications. Keyword PKCS-1.2 is used to invoke this formatting technique.
  • For formatting hashes for digital signatures (Digital Signature Generate and Digital Signature Verify):
    • RSASSA-PKCS1-v1_5, the newer name for the block-type 1 format. Keyword PKCS-1.1 is used to invoke this formatting technique.
    • The PKCS #1 specification no longer describes the use of block-type 0. Keyword PKCS-1.0 is used to invoke this formatting technique. Use of block-type 0 is discouraged.

Using the terminology from older versions of the PKCS #1 standard, block types 0 and 1 are used to format a hash and block type 2 is used to format a DES key. The blocks consist of the following (|| means concatenation):

  • X'00' || BT || PS || X'00' || D

    where:

    BT
    Is the block type, X'00', X'01', or X'02'.
    PS
    Is the padding of as many bytes as required to make the block the same length as the modulus of the RSA key. Padding of X'00' is used for block type 0, X'FF' for block type 1, and random and non-X'00' for block type 2. The length of PS must be a minimum of eight bytes.
    D
    Is the key, or the concatenation of the BER-encoded hash identifier and the hash value.

You can create the ASN.1 BER encoding of an MD5, SHA-1, or SHA-256 value by attaching these strings at the beginning of the 16-byte or 20-byte hash values, respectively:

MD5
X'3020300C 06082A86 4886F70D 02050500 0410'
SHA-1
X'30213009 06052B0E 03021A05 000414'
SHA-256
X'3031300D 06096086 48016503 04020105 000420'
1 PKCS standards can be retrieved from http://www.emc.com/emc-plus/rsa-labs/standards-initiatives/public-key-cryptography-standards.htm.
2 The PKA 92 method and the method incorporated into the SET standard are other examples of the Optimal Asymmetric Encryption Padding (OAEP) technique. The OAEP technique is attributed to Bellare and Rogaway.