RSA
How the core algorithm works
RSAES-OAEP-ENCRYPT( in n, in e, in M, out C);
---------------------------------------------
n == the RSA modulus
e == the RSA public exponent
M == the plaintext message
C == the ciphertext message
Let ".len" mean the length of a blob or integer in octets.
k := n.len
hLen := length of the hash output in octets
mLen := M.len
lHash := Hash(empty)
lHash.len = hLen
We require:
0 <= mLen <= k - 2hLen - 2 and
n.len >= 3 + 2hLen
E.g. if hLen = 20 (SHA-1), then n.len >= 43 bytes or 344 bits.
Use box diagrams like so:
| name |
|------|
|  13  |
where "name" in the above is a place-marker for an identifier for the blob,
and "13" in the above is a place-marker for the size of the blob in octets.
So the algorithm is pictured like this:

Check M.len <= k - 2*hLen - 2.

                                    |lHash |          0           | 1 |  M   |
                               DB = |----------------------------------------|
                                    |hLen  | k - mLen - 2hLen - 2 | 1 | mLen |
                                                        |
                                                       XOR
                                                        |
seed = | random |                   |                 dbMask                 |
       |--------| -->MGF()-->       |----------------------------------------|
       |  hLen  |                   |              k - hLen - 1              |
            |                                           |
           XOR                                          |
            |                                           V
       | seedMask |                 |                maskedDB                |
       |----------| <--MGF()<--     |----------------------------------------|
       |   hLen   |                 |              k - hLen - 1              |
            |                                           |
            V                                           V
   | 0 |maskedSeed|                 |                maskedDB                |
   |---|----------|                 |----------------------------------------|
   | 1 |   hLen   |                 |              k - hLen - 1              |
             \                                         /
              V                                       V
   |                                    EM                                    |
   |--------------------------------------------------------------------------|
   |                                    k                                     |
                                         |
                                         V
                                      OS2IP()
                                         |
                                         V
       m: integer (m.len = k, but the MSB of m is zero if OS2IP is big-endian)
                                         |
                                         V
                                 c := m ** e mod n
                                         |
                                         V
                         c: integer (c.len = k and c < n)
                                         |
                                         V
                                      I2OSP()
                                         |
                                         V
   |                                    C                                     |
   |--------------------------------------------------------------------------|
   |                                    k                                     |
RSAES-OAEP-DECRYPT( in n, in d, in C, out M);
---------------------------------------------
d == the RSA private exponent ("K" is used for the private key in the standard).

Check C.len = n.len.

   |                                    C                                     |
   |--------------------------------------------------------------------------|
   |                                    k                                     |
                                         |
                                         V
                                      OS2IP()
                                         |
                                         V
                              c: integer (c.len = k)
                                         |
                                         V
                                 m := c ** d mod n
                                         |
                                         V
                         m: integer (m.len = k and m < n)
                                         |
                                         V
                                      I2OSP()
                                         |
                                         V
   |                                    EM                                    |
   |--------------------------------------------------------------------------|
   |                                    k                                     |
              /                                       \
            V                                           V
   | 0 |maskedSeed|                 |                maskedDB                |
   |---|----------|                 |----------------------------------------|
   | 1 |   hLen   |                 |              k - hLen - 1              |
            |                                           |
           XOR                                          |
            |                                           V
       | seedMask |                 |                maskedDB                |
       |----------| <--MGF()<--     |----------------------------------------|
       |   hLen   |                 |              k - hLen - 1              |
            |                                           |
            |                                          XOR
            V                                           |
       |   seed   |                 |                 dbMask                 |
       |----------| -->MGF()-->     |----------------------------------------|
       |   hLen   |                 |              k - hLen - 1              |
                                                        |
                                                        V
                                    |lHash |          0           | 1 |  M   |
                               DB = |----------------------------------------|
                                    |hLen  | k - mLen - 2hLen - 2 | 1 | mLen |
                                                                         /
                                                                        /
                                                                       /
                                                                      /
                                                                     /
   M <---------------------------------------------------------------
   M: blob, M.len = mLen
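The encode and decode steps pictured above, as an added example (not code from the original page): EME-OAEP with SHA-1 for lHash and MGF1 (hLen = 20), the decode-side checks the diagram does not draw (leading 0x00 octet, lHash match, all-zero PS followed by 0x01), and the RSA step as modular exponentiation. The hash choice, the function names and the optional fixed-seed parameter are assumptions of this example.

```python
import hashlib
import os

HASH = hashlib.sha1            # assumption: SHA-1 for lHash and MGF1
hLen = HASH().digest_size      # 20 octets

def mgf1(seed, mask_len):
    """MGF1: Hash(seed || counter) blocks concatenated to mask_len octets."""
    out = b""
    for counter in range((mask_len + hLen - 1) // hLen):
        out += HASH(seed + counter.to_bytes(4, "big")).digest()
    return out[:mask_len]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def oaep_encode(M, k, seed=None):
    """EM = 0x00 || maskedSeed || maskedDB (k octets), as in the diagram."""
    if len(M) > k - 2 * hLen - 2:
        raise ValueError("message too long")
    lHash = HASH(b"").digest()                       # empty label
    DB = lHash + b"\x00" * (k - len(M) - 2 * hLen - 2) + b"\x01" + M
    seed = os.urandom(hLen) if seed is None else seed   # fixed seed: tests only
    maskedDB = xor(DB, mgf1(seed, k - hLen - 1))
    maskedSeed = xor(seed, mgf1(maskedDB, hLen))
    return b"\x00" + maskedSeed + maskedDB

def oaep_decode(EM, k):
    """Reverse the encoding; every failed check raises the same error."""
    if len(EM) != k or k < 2 * hLen + 2:
        raise ValueError("decryption error")
    Y, maskedSeed, maskedDB = EM[0], EM[1:1 + hLen], EM[1 + hLen:]
    seed = xor(maskedSeed, mgf1(maskedDB, hLen))
    DB = xor(maskedDB, mgf1(seed, k - hLen - 1))
    sep = DB.find(b"\x01", hLen)                     # 0x01 separator after lHash
    ok = (Y == 0 and DB[:hLen] == HASH(b"").digest()
          and sep != -1 and not any(DB[hLen:sep]))   # PS must be all zero
    if not ok:   # one message for all failures (timing here is not uniform)
        raise ValueError("decryption error")
    return DB[sep + 1:]

def rsaes_oaep_encrypt(n, e, M):
    k = (n.bit_length() + 7) // 8                    # k = n.len in octets
    return pow(int.from_bytes(oaep_encode(M, k), "big"), e, n).to_bytes(k, "big")

def rsaes_oaep_decrypt(n, d, C):
    k = (n.bit_length() + 7) // 8
    if len(C) != k:
        raise ValueError("decryption error")
    return oaep_decode(pow(int.from_bytes(C, "big"), d, n).to_bytes(k, "big"), k)
```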