I nominate this Q/A for a technote or FAQ entry
Wan-Teh Chang wrote:
Petar Popara wrote:
I have succeeded in implementing RSA encryption with PKCS1 padding. :)
But, I have one question. On RSA web site (pkcs-1v2-1.pdf), PKCS1 padding is described like this:
EM = 0x00 || 0x02 || PS || 0x00 || M
This is specified in PKCS #1 v1.5, Section 8.1 Encryption-block formatting.
This is what NSS's rsa_FormatOneBlock function implements. See
http://lxr.mozilla.org/security/source/security/nss/lib/softoken/rsawrapr.c#203
and on the W3C web site: http://www.w3.org/TR/xmlenc-core/#rsa-1_5
PKCS1 padding is described like this:
02 | PS* | 00 | key
Well, 0x00 at the beginning is missing. Why?
I also found this in PKCS #1 v2.0, Section 9.1.2.1 Encoding operation, Step 3.
I believe this difference does not matter because the formatted block is treated as a big-endian big integer by the RSA algorithm, so the leading 00 octet is simply the eight most significant 0 bits. For example, 0x00123456 is equal to 0x123456.
I suspect that this change made in PKCS #1 v2.0 confused many people, so it was reversed in v2.1.
Wan-Teh
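The point made in the reply above, as an added example that is not part of the original thread and is not NSS code: both block layouts convert to the same integer, so they produce the same ciphertext, and the decrypting side gets the leading 00 back when it converts the result to a block as long as the modulus. The toy key, the function names and the sample message are assumptions made for the illustration.

```python
import secrets

# Constructed toy key (two Mersenne primes); illustration only, far too small for real use.
P, Q, E = 2**107 - 1, 2**127 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8  # modulus length in octets (30 here)

def os2ip(octets: bytes) -> int:
    """Octet string to integer, big-endian, as RSA treats the block."""
    return int.from_bytes(octets, "big")

def i2osp(x: int, length: int) -> bytes:
    """Integer to octet string of a fixed length, left-padded with 00."""
    return x.to_bytes(length, "big")

def format_block(msg: bytes, k: int, leading_zero: bool, ps: bytes = None) -> bytes:
    """leading_zero=True: 00 || 02 || PS || 00 || M; False: 02 || PS || 00 || M."""
    if len(msg) > k - 11:
        raise ValueError("message too long for this modulus")
    if ps is None:  # PS is random nonzero octets, at least 8 of them
        ps = bytes(secrets.randbelow(255) + 1 for _ in range(k - 3 - len(msg)))
    body = b"\x02" + ps + b"\x00" + msg
    return b"\x00" + body if leading_zero else body

def parse_block(em: bytes) -> bytes:
    """Strip the padding from a k-octet block (plain checks, not constant-time)."""
    sep = em.find(b"\x00", 2)
    if len(em) < 11 or em[:2] != b"\x00\x02" or sep < 10:
        raise ValueError("decryption error")
    return em[sep + 1:]

def encrypt(block: bytes) -> bytes:
    return i2osp(pow(os2ip(block), E, N), K)

def decrypt(ciphertext: bytes) -> bytes:
    em = i2osp(pow(os2ip(ciphertext), D, N), K)  # fixed length K restores the 00
    return parse_block(em)

if __name__ == "__main__":
    msg = b"session-key"  # constructed sample message
    ps = bytes(secrets.randbelow(255) + 1 for _ in range(K - 3 - len(msg)))
    with_zero = format_block(msg, K, True, ps)
    without_zero = format_block(msg, K, False, ps)
    print("same integer:  ", os2ip(with_zero) == os2ip(without_zero))
    print("same ciphertext:", encrypt(with_zero) == encrypt(without_zero))
    print("recovered:      ", decrypt(encrypt(without_zero)))
```

The layouts only differ on the receiving side if the decrypted integer is turned back into octets without fixing the length to that of the modulus; in that case the parser has to expect 02 as the first octet.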
