PKCS #1 formats

The PKCS #1 standard [1] defines methods for formatting keys and hashes prior to RSA encryption of the resulting data structures. PKCS #1 Version 1.5 defined block types 0, 1, and 2, but in the current standard that terminology is dropped.

ICSF implemented these processes using the terminology of the Version 2.0 (RFC 2437), Version 2.1 (RFC 3447), and Version 2.2 (RFC 8017) PKCS #1 standard:
  • For formatting keys for secured transport (CSNDSYX, CSNDSYG, CSNDSYI):
    • RSAES-OAEP, the preferred method for key encipherment [2] when exchanging DATA keys between systems. Keywords PKCSOAEP (Version 2.0) and PKOAEP2 (Version 2.1) are used to invoke this formatting technique. The P parameter described in the standard is not used and its length is set to zero.
    • RSAES-PKCS1-v1_5 is an older method for formatting keys. Keyword PKCS-1.2 is used to invoke this formatting technique.
  • For formatting hashes for digital signatures (CSNDDSG and CSNDDSV):
    • RSASSA-PKCS1-v1_5, the newer name for the block-type 1 format. Keyword PKCS-1.1 is used to invoke this formatting technique.
    • The PKCS #1 specification no longer discusses use of block-type 0. Keyword PKCS-1.0 is used to invoke this formatting technique. Use of block-type 0 is discouraged.
  • Version 2.2 of the standard defined a parameter field for RSASSA-PSS (RSA Signature Scheme with Appendix – Probabilistic Signature Scheme) that has the following four parameters:
    • hashAlgorithm - This parameter identifies the hash function. ICSF requires this to be SHA-1, SHA-224, SHA-256, SHA-384, or SHA-512.
    • maskGenAlgorithm – This parameter identifies the mask generation function. MGF1 is a mask generation function based on a hash function and is the only function currently defined by the standard. The hash function on which MGF1 is based is always the same as hashAlgorithm.
    • saltLength – This is the length of the salt, which is a randomly generated value. In no case can the derived salt length be less than the salt length specified by the input data.
    • trailerField – This is the trailer field number. ICSF always sets this to the value X'BC'. Other trailer field numbers are not supported by the standard.

Keyword PKCS-PSS is used to invoke the RSASSA-PSS formatting technique.
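The four RSASSA-PSS parameters above map directly onto the EMSA-PSS encoding and verification operations of RFC 8017 section 9.1. The Python below is an added example, not ICSF code: it implements MGF1 on the same hash as hashAlgorithm, takes saltLength from the caller, fixes trailerField to X'BC', and shows how verification rejects an encoding whose salt length does not match. The function names, the SHA-256 default, and the emBits value in the usage are the example's own choices.

```python
"""Added example (not ICSF code): EMSA-PSS encode/verify per RFC 8017 9.1."""
import hashlib
import hmac
import os


def mgf1(seed, mask_len, hash_name):
    """MGF1: concatenate Hash(seed || counter) blocks, truncated to mask_len.
    The hash is the same one named by hashAlgorithm."""
    h_len = hashlib.new(hash_name).digest_size
    out = b""
    for counter in range((mask_len + h_len - 1) // h_len):
        out += hashlib.new(hash_name, seed + counter.to_bytes(4, "big")).digest()
    return out[:mask_len]


def emsa_pss_encode(message, em_bits, hash_name="sha256", salt_len=None, salt=None):
    """Return EM = maskedDB || H || X'BC' of length ceil(em_bits / 8).
    salt may be supplied for reproducible tests; otherwise it is random."""
    h_len = hashlib.new(hash_name).digest_size
    salt_len = h_len if salt_len is None else salt_len
    em_len = (em_bits + 7) // 8
    m_hash = hashlib.new(hash_name, message).digest()
    if em_len < h_len + salt_len + 2:
        raise ValueError("encoding error: emLen too small for hash plus salt")
    salt = os.urandom(salt_len) if salt is None else salt
    # M' = eight zero bytes || mHash || salt; H = Hash(M')
    h = hashlib.new(hash_name, b"\x00" * 8 + m_hash + salt).digest()
    db = b"\x00" * (em_len - salt_len - h_len - 2) + b"\x01" + salt
    db_mask = mgf1(h, em_len - h_len - 1, hash_name)
    masked_db = bytearray(a ^ b for a, b in zip(db, db_mask))
    # Clear the leftmost 8*emLen - emBits bits so EM fits below 2^emBits
    top_bits = 8 * em_len - em_bits
    masked_db[0] &= 0xFF >> top_bits
    return bytes(masked_db) + h + b"\xbc"  # trailerField is always X'BC'


def emsa_pss_verify(message, em, em_bits, hash_name="sha256", salt_len=None):
    """True only if em is a consistent EMSA-PSS encoding of message."""
    h_len = hashlib.new(hash_name).digest_size
    salt_len = h_len if salt_len is None else salt_len
    em_len = (em_bits + 7) // 8
    if em_len < h_len + salt_len + 2 or len(em) != em_len or em[-1] != 0xBC:
        return False
    masked_db = em[: em_len - h_len - 1]
    h = em[em_len - h_len - 1 : em_len - 1]
    top_bits = 8 * em_len - em_bits
    if masked_db[0] & ((0xFF << (8 - top_bits)) & 0xFF):
        return False  # leftmost bits must be zero
    db_mask = mgf1(h, em_len - h_len - 1, hash_name)
    db = bytearray(a ^ b for a, b in zip(masked_db, db_mask))
    db[0] &= 0xFF >> top_bits
    ps_len = em_len - h_len - salt_len - 2
    if any(db[:ps_len]) or db[ps_len] != 0x01:
        return False  # PS must be all zero and followed by X'01'
    salt = bytes(db[ps_len + 1 :])
    m_hash = hashlib.new(hash_name, message).digest()
    h_prime = hashlib.new(hash_name, b"\x00" * 8 + m_hash + salt).digest()
    return hmac.compare_digest(h, h_prime)


def encode_rejects(message, em_bits, hash_name, salt_len):
    """True if encoding raises the 'emLen too small' error (used by tests)."""
    try:
        emsa_pss_encode(message, em_bits, hash_name, salt_len)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    em_bits = 2047  # emBits = modBits - 1 for a 2048-bit modulus (example value)
    em = emsa_pss_encode(b"example message", em_bits)
    print(len(em), emsa_pss_verify(b"example message", em, em_bits))
```

Because the salt is random, two encodings of the same message differ, yet both verify; a verifier that assumes a different saltLength than the signer used sees a non-zero byte inside PS and reports the encoding as inconsistent, and a hash whose length plus the salt length exceeds emLen - 2 cannot be encoded at all.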

Using the terminology from older versions of the PKCS #1 standard, block types 0 and 1 are used to format a hash and block type 2 is used to format a DES key. The blocks consist of (|| means concatenation): X'00' || BT || PS || X'00' || D where:
  • BT is the block type, X'00', X'01', X'02'.
  • PS is the padding of as many bytes as required to make the block the same length as the modulus of the RSA key, and consists of bytes of X'00' for block type 0, X'01' for block type 1, and random non-X'00' bytes for block type 2. The length of PS must be at least 8 bytes.
  • D is the key, or the concatenation of the BER-encoded hash identifier and the hash.
You can create the ASN.1 BER encoding of an MD5, SHA-1, SHA2, or SHA3 value by prepending a string to the hash value, as shown:
MD5      X'3020300C 06082A86 4886F70D 02050500 0410' || 16-byte hash value
SHA-1    X'30213009 06052B0E 03021A05 000414' || 20-byte hash value
SHA2-224 X'302D300D 06096086 48016503 04020405 00041C' || 28-byte hash value
SHA2-256 X'3031300D 06096086 48016503 04020105 000420' || 32-byte hash value
SHA2-384 X'3041300D 06096086 48016503 04020205 000430' || 48-byte hash value
SHA2-512 X'3051300D 06096086 48016503 04020305 000440' || 64-byte hash value
SHA3-224 X'302D300D 06096086 48016503 04020705 00041C' || 28-byte hash value
SHA3-256 X'3031300D 06096086 48016503 04020805 000420' || 32-byte hash value
SHA3-384 X'3041300D 06096086 48016503 04020905 000430' || 48-byte hash value
SHA3-512 X'3051300D 06096086 48016503 04020A05 000440' || 64-byte hash value
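The block layout and the DigestInfo prefixes above can be reproduced in a few lines of Python. The code below is an added example, not ICSF code: it derives each prefix as the DER encoding of DigestInfo (a SEQUENCE holding an AlgorithmIdentifier and an OCTET STRING) from the hash OIDs, checks the result against the hex strings in the table, and builds and parses block types 0, 1, and 2 with the 8-byte minimum PS. For block type 1 it fills PS with X'FF' bytes, as RFC 8017 section 9.2 specifies. The OID dictionary and the function names are the example's own.

```python
"""Added example (not ICSF code): PKCS #1 v1.5 block formatting and the
derivation of the DigestInfo prefixes tabulated above."""
import hashlib
import os

# Standard dotted OIDs for the hashes in the table (constructed dictionary)
HASH_OIDS = {
    "md5": "1.2.840.113549.2.5", "sha1": "1.3.14.3.2.26",
    "sha224": "2.16.840.1.101.3.4.2.4", "sha256": "2.16.840.1.101.3.4.2.1",
    "sha384": "2.16.840.1.101.3.4.2.2", "sha512": "2.16.840.1.101.3.4.2.3",
    "sha3_224": "2.16.840.1.101.3.4.2.7", "sha3_256": "2.16.840.1.101.3.4.2.8",
    "sha3_384": "2.16.840.1.101.3.4.2.9", "sha3_512": "2.16.840.1.101.3.4.2.10",
}

# Prefix bytes copied from the table above, keyed by hashlib name
TABLE_PREFIXES = {
    "md5":      "3020300C06082A864886F70D020505000410",
    "sha1":     "3021300906052B0E03021A05000414",
    "sha224":   "302D300D06096086480165030402040500041C",
    "sha256":   "3031300D060960864801650304020105000420",
    "sha384":   "3041300D060960864801650304020205000430",
    "sha512":   "3051300D060960864801650304020305000440",
    "sha3_224": "302D300D06096086480165030402070500041C",
    "sha3_256": "3031300D060960864801650304020805000420",
    "sha3_384": "3041300D060960864801650304020905000430",
    "sha3_512": "3051300D060960864801650304020A05000440",
}


def der_len(n):
    """Short-form DER length; every length in this example is below 128."""
    assert n < 128
    return bytes([n])


def der_oid(dotted):
    """DER-encode an OBJECT IDENTIFIER: first two arcs packed, base-128 rest."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        enc = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            enc.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        body += enc
    return b"\x06" + der_len(len(body)) + bytes(body)


def digest_info_prefix(hash_name, hash_len):
    """Everything in DigestInfo that precedes the hash bytes:
    SEQUENCE { SEQUENCE { OID, NULL }, OCTET STRING header }."""
    alg_id = der_oid(HASH_OIDS[hash_name]) + b"\x05\x00"  # AlgorithmIdentifier
    alg_id = b"\x30" + der_len(len(alg_id)) + alg_id
    octet_hdr = b"\x04" + der_len(hash_len)
    return b"\x30" + der_len(len(alg_id) + len(octet_hdr) + hash_len) + alg_id + octet_hdr


def digest_info(hash_name, message):
    """D for block types 0 and 1: BER-encoded hash identifier || hash."""
    h = hashlib.new(hash_name, message).digest()
    return digest_info_prefix(hash_name, len(h)) + h


def prefixes_match_table():
    """True if every derived prefix equals the hex string from the table."""
    return all(digest_info_prefix(n, hashlib.new(n).digest_size) == bytes.fromhex(h)
               for n, h in TABLE_PREFIXES.items())


def pkcs1_v15_block(block_type, data, modulus_len):
    """X'00' || BT || PS || X'00' || D, padded to the modulus length."""
    ps_len = modulus_len - 3 - len(data)
    if ps_len < 8:
        raise ValueError("data too long: PS would be shorter than 8 bytes")
    if block_type == 0:
        ps = b"\x00" * ps_len
    elif block_type == 1:
        ps = b"\xff" * ps_len
    elif block_type == 2:
        ps = b""
        while len(ps) < ps_len:  # random, with every X'00' byte discarded
            ps += bytes(b for b in os.urandom(ps_len - len(ps)) if b != 0)
    else:
        raise ValueError("block type must be 0, 1, or 2")
    return b"\x00" + bytes([block_type]) + ps + b"\x00" + data


def pkcs1_v15_unpad(block, block_type):
    """Recover D, checking the header, the PS content and the 8-byte minimum.
    Block type 0 has an all-X'00' PS, so the separator cannot be located."""
    if block_type not in (1, 2):
        raise ValueError("block type 0 PS is all X'00'; D cannot be delimited")
    if len(block) < 11 or block[0] != 0 or block[1] != block_type:
        raise ValueError("bad block header")
    sep = block.find(b"\x00", 2)
    if sep < 10:  # 2 header bytes + at least 8 bytes of PS precede the X'00'
        raise ValueError("separator missing or PS shorter than 8 bytes")
    if block_type == 1 and any(b != 0xFF for b in block[2:sep]):
        raise ValueError("block type 1 PS must be all X'FF'")
    return block[sep + 1:]


def raises_value_error(fn, *args):
    """True if fn(*args) raises ValueError (used by the tests)."""
    try:
        fn(*args)
        return False
    except ValueError:
        return True
```

Running prefixes_match_table() confirms that every constant in the table is nothing more than the DER framing around the hash OID and the hash length, which is why the SHA-2 and SHA-3 prefixes of equal digest size differ only in the last OID arc. The unpad routine shows the checks a verifier needs on a type 1 or type 2 block: the two header bytes, a PS of at least 8 bytes, and, for type 1, that the PS really is all X'FF' before the separator.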
[1] PKCS standards can be retrieved from OASIS Open.
[2] The PKA 92 method and the method incorporated into the SET standard are other examples of the Optimal Asymmetric Encryption Padding (OAEP) technique. The OAEP technique is attributed to Bellare and Rogaway.