The RSA cryptosystem provides the following functions:
· Generation of variable-length RSA keys.
· Validation of public key certificates.
· Generation and validation of digital signatures.
· Secure DES key management using RSA public master keys.
· Generation of hash values.
These functions are implemented by the host commands detailed in the following subsections:
· Generate an RSA Key Set (EI)
· Load a Secret Key (EK)
· Translate a Secret Key from the Old LMK to a New LMK (EM)
· Generate a MAC on a Public Key (EO)
· Verify a MAC on a Public Key (EQ)
· Validate a Certificate and Generate a MAC on its Public Key (ES)
· Translate a MAC on a Public Key (EU)
· Generate a Signature (EW)
· Validate a Signature (EY)
· Import a DES Key (GI)
· Export a DES Key (GK)
· Hash a Block of Data (GM)
Within these functions certain common parameters are defined as follows:
DES Key Type
The DES Key Type field is 4 digits. The first two digits indicate the LMK pair used to encrypt the key; the last two digits indicate the LMK variant. For example:
· If the DES Key Type is 0600, LMK pair 06-07 is used (no variant).
· If the DES Key Type is 3007, variant 7 of LMK pair 30-31 is used.
Signature Algorithm
01 = RSA
Encryption Identifier
01 = RSA
Hash Identifier
01 = SHA-1, produces a 20 byte result.
02 = MD5, produces a 16 byte result.
03 = ISO 10118-2, produces a 16 byte result.
04 = No hash.
01 = SHA-1 hashing algorithm
The ASN.1 DER object identifier for this hashing function is:
{iso(1) identified-organization(3) oiw(14) secsig(3) algorithm(2) 26}
which encodes as:
2B 0E 03 02 1A
02 = MD5 hashing algorithm
The ASN.1 DER object identifier for this hashing function is:
{iso(1) member-body(2) us(840) rsadsi(113549) digestAlgorithm(2) 5}
which encodes as:
2A 86 48 86 F7 0D 02 05
03 = ISO 10118-2 hashing algorithm
The ASN.1 DER object identifier for this hashing function is:
{2 10 67 4}
which encodes as:
5A 43 04
04 = No hash
The no-hash option can be used when the HSM provides signature generation or validation, or certificate validation, on data that is hashed outside the HSM.
If the no-hash option is chosen, the data provided in the Validate a Certificate, Generate a Signature and Validate a Signature commands is not modified in any way by the HSM. It must therefore be exactly the data that belongs in the plain signature block, and what that is depends on the pad mode selected by the Pad Mode Identifier. It is the responsibility of the Host application to ensure that the precise data to be included in the signature block is supplied in the command.
Example:
If the SHA-1 algorithm is used to hash the data and the resultant hash value is:
0123456789ABCDEF0123456789ABCDEF01234567
and if the PKCS#1 pad mode is used, the data to be provided must be the complete ASN.1 DER encoded DigestInfo, which is:
30 21 300906052B0E03021A0500 04140123456789ABCDEF0123456789ABCDEF01234567.
Note that when using the no-hash mode, the HSM checks that the DER encoded DigestInfo syntax is correct. If there is a DigestInfo syntax error, the HSM returns error code 74.
Pad Mode Identifier
01 = PKCS#1 v1.5
02 = OAEP
The PKCS#1 standard (see References 2 and 3 at the beginning of this manual) defines the padding method to be used before operating with a public or secret RSA key.
01 = PKCS#1 v1.5
This simple padding scheme was introduced in the original PKCS#1 specification. The data to be encrypted or decrypted is padded as follows:
00 BT PS 00 D, where:
· BT is a single byte indicating the block type. BT is 01 for a secret key operation; 02 for a public key operation.
· PS is a padding string consisting of bytes FF....FF for block type 01, random non-zero bytes for block type 02. PS must contain at least 8 bytes.
· D is the data block.
· The total length of the padded block is equal to the length (in bytes) of the RSA key modulus.
The data block D is the ASN.1 encoded message digest, or DES key (depending on the command used), as follows:
DigestInfo ::= SEQUENCE {
    digestAlgorithm DigestAlgorithmIdentifier,
    digest OCTET STRING
}
DigestAlgorithmIdentifier ::= SEQUENCE {
    algorithm OBJECT IDENTIFIER,
    parameters NULL
}
KeyBlock ::= SEQUENCE {
    deskey OCTET STRING,
    iv OCTET STRING (SIZE (8))
}
Example 1:
Assume that the SHA-1 algorithm is used to produce the 20-byte digest:
0123456789ABCDEF0123456789ABCDEF01234567.
The DigestAlgorithmIdentifier for SHA-1 is:
30 09 06 05 2B0E03021A 05 00.
Thus, the ASN.1 DER encoded DigestInfo is:
30 21 300906052B0E03021A0500 04140123456789ABCDEF0123456789ABCDEF01234567
Example 2:
If a single-length DES key 0123456789ABCDEF and IV = 9999999999999999 are used, the ASN.1 DER encoding of KeyBlock is:
30 14 04080123456789ABCDEF 04089999999999999999.
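The two worked encodings above (and the DigestInfo a host must build itself in no-hash mode) follow mechanically from the DER tag-length-value rule. The following Python is an added example written for this page; it is not code from the HSM vendor or the manual. It implements a minimal DER encoder and reproduces Examples 1 and 2. The OID and length constants come from this page; the function and dictionary names are the example's own. ISO 10118-2 (Hash Identifier 03) is listed with its OID only, because the Python standard library has no implementation of it.

```python
import hashlib

# DER-encoded object identifiers for the Hash Identifier values on this page.
HASH_OID = {
    "01": bytes.fromhex("2B0E03021A"),        # SHA-1, 1.3.14.3.2.26
    "02": bytes.fromhex("2A864886F70D0205"),  # MD5, 1.2.840.113549.2.5
    "03": bytes.fromhex("5A4304"),            # ISO 10118-2 (no hashlib implementation)
}
HASH_LEN = {"01": 20, "02": 16, "03": 16}
HASH_FN = {"01": hashlib.sha1, "02": hashlib.md5}


def der_length(n: int) -> bytes:
    """DER length octets: one byte below 0x80, otherwise 0x80|N followed by N big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, content: bytes) -> bytes:
    """Tag, DER length, value."""
    return bytes([tag]) + der_length(len(content)) + content


def digest_algorithm_identifier(hash_id: str) -> bytes:
    """DigestAlgorithmIdentifier ::= SEQUENCE { OBJECT IDENTIFIER, NULL }."""
    return der_tlv(0x30, der_tlv(0x06, HASH_OID[hash_id]) + b"\x05\x00")


def digest_info(hash_id: str, digest: bytes) -> bytes:
    """DigestInfo ::= SEQUENCE { DigestAlgorithmIdentifier, OCTET STRING digest }."""
    if len(digest) != HASH_LEN[hash_id]:
        raise ValueError("digest length does not match Hash Identifier %s" % hash_id)
    return der_tlv(0x30, digest_algorithm_identifier(hash_id) + der_tlv(0x04, digest))


def digest_info_for_data(hash_id: str, data: bytes) -> bytes:
    """The block a host must pass in no-hash mode (Hash Identifier 04) with PKCS#1 v1.5
    padding: hash outside the HSM, then wrap the digest in the DigestInfo for that algorithm."""
    return digest_info(hash_id, HASH_FN[hash_id](data).digest())


def key_block(des_key: bytes, iv: bytes) -> bytes:
    """KeyBlock ::= SEQUENCE { deskey OCTET STRING, iv OCTET STRING (SIZE (8)) }."""
    if len(des_key) not in (8, 16, 24):
        raise ValueError("DES key must be single, double or triple length")
    if len(iv) != 8:
        raise ValueError("IV must be 8 bytes")
    return der_tlv(0x30, der_tlv(0x04, des_key) + der_tlv(0x04, iv))


if __name__ == "__main__":
    # Constructed inputs taken from Examples 1 and 2 above.
    print(digest_info("01", bytes.fromhex("0123456789ABCDEF0123456789ABCDEF01234567")).hex().upper())
    print(key_block(bytes.fromhex("0123456789ABCDEF"), bytes.fromhex("9999999999999999")).hex().upper())
```

The length check in digest_info is the practitioner's guard for no-hash mode: a 16-byte digest wrapped in a SHA-1 DigestInfo is a syntax error the HSM rejects with error code 74, so it is cheaper to catch it on the host.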
When the PKCS#1 pad mode is used, the following validity checks are carried out:
For a validation operation (Validate a Certificate, Validate a Signature):
· The length of the data to be validated is equal to the length (in bytes) of the modulus of the key to be used for the validation. If not, error code 76 is returned.
· The first byte of the clear data block is 00. If not, error code 77 is returned.
· The second byte of the clear data block is 01. If not, error code 77 is returned.
· Subsequent bytes consist of at least 8 bytes of FF (all bits set), followed by a zero byte. If not, error code 77 is returned.
· The hash algorithm object identifier corresponds to that of the identifier of the hash algorithm supplied in the command message. If not, error code 79 is returned.
· The digest is compared with the hash of the supplied data. If the two values are not equal, error code 02 is returned.
For a generation operation (Generate a Signature):
· The length (in bytes) of the data block D is at most m-11 (where m is the length, in bytes, of the modulus of the key to be used). If not, error code 76 is returned.
For an import key operation (Import a DES Key):
· The length of the imported key block is equal to the length (in bytes) of the modulus of the secret key to be used to decrypt the block. If not, error code 76 is returned.
· The first byte of the clear data block is 00 and the second byte is 02. If not, error code 77 is returned.
· Subsequent bytes consist of at least 8 bytes of random non-zero bytes, followed by a zero byte. If not, error code 77 is returned.
· The data block D conforms to the ASN.1 encoding rules. If not, error code 77 is returned.
For an export key operation (Export a DES Key):
· The length (in bytes) of the data block D is at most m-11 (where m is the length, in bytes, of the modulus of the key to be used). If not, error code 76 is returned.
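The padding rules and the validation checks above are easy to get subtly wrong on the host side, so here is an added example (written for this page, not the HSM firmware or the vendor's code) that builds block type 01 and 02 blocks and models the checks as listed, returning the error code the page gives for the first failing check. The DigestInfo prefixes are the byte strings from the worked examples on this page; everything else (function names, the use of os.urandom for PS, the exact order of checks) is the example's own assumption.

```python
import hashlib
import os

# DigestInfo prefix (everything before the digest bytes) for each Hash Identifier, taken
# from the worked DigestInfo encodings on this page; the digest is appended to it.
DIGEST_INFO_PREFIX = {
    "01": bytes.fromhex("3021300906052B0E03021A05000414"),        # SHA-1, 20-byte digest
    "02": bytes.fromhex("3020300C06082A864886F70D020505000410"),  # MD5, 16-byte digest
}
HASH_FN = {"01": hashlib.sha1, "02": hashlib.md5}


def emsa_pkcs1_v15(D: bytes, m: int) -> bytes:
    """Block type 01 (secret-key operation): 00 01 FF..FF 00 D, exactly m bytes."""
    if len(D) > m - 11:                       # the page's error 76 condition
        raise ValueError("76: data block longer than modulus length minus 11")
    return b"\x00\x01" + b"\xff" * (m - len(D) - 3) + b"\x00" + D


def eme_pkcs1_v15(D: bytes, m: int, rng=os.urandom) -> bytes:
    """Block type 02 (public-key operation): 00 02 PS 00 D with random non-zero PS."""
    if len(D) > m - 11:
        raise ValueError("76: data block longer than modulus length minus 11")
    ps_len = m - len(D) - 3
    ps = b""
    while len(ps) < ps_len:                   # drop zero bytes: a 00 terminates PS
        ps += bytes(b for b in rng(ps_len) if b)
    return b"\x00\x02" + ps[:ps_len] + b"\x00" + D


def signature_block(hash_id: str, data: bytes, m: int) -> bytes:
    """Clear signature block for data: DigestInfo(hash(data)) under block type 01."""
    return emsa_pkcs1_v15(DIGEST_INFO_PREFIX[hash_id] + HASH_FN[hash_id](data).digest(), m)


def check_signature_block(block: bytes, m: int, hash_id: str, data: bytes) -> str:
    """Return "00" if the clear block passes the validation checks listed above, otherwise
    the error code the page gives for the first check that fails."""
    if len(block) != m:
        return "76"
    if block[0] != 0x00 or block[1] != 0x01:
        return "77"
    i = 2
    while i < m and block[i] == 0xFF:
        i += 1
    if i - 2 < 8 or i >= m or block[i] != 0x00:
        return "77"
    D = block[i + 1:]
    if not D.startswith(DIGEST_INFO_PREFIX[hash_id]):
        return "79"
    # Compare the whole remainder, not just the next 20/16 bytes: any bytes after the
    # digest make the comparison fail, which is what stops forged blocks that hide
    # garbage behind a short padding string.
    if D[len(DIGEST_INFO_PREFIX[hash_id]):] != HASH_FN[hash_id](data).digest():
        return "02"
    return "00"


def check_import_block(block: bytes, m: int):
    """Checks for Import a DES Key: returns ("00", D) or (error_code, None)."""
    if len(block) != m:
        return "76", None
    if block[0] != 0x00 or block[1] != 0x02:
        return "77", None
    i = 2
    while i < m and block[i] != 0x00:
        i += 1
    if i - 2 < 8 or i >= m:
        return "77", None
    D = block[i + 1:]
    # D must be a DER SEQUENCE whose declared (short-form) length fills the rest of the block.
    if len(D) < 2 or D[0] != 0x30 or D[1] >= 0x80 or D[1] != len(D) - 2:
        return "77", None
    return "00", D
```

Note that check_signature_block is a model of the listed checks, not a statement of the HSM's internal order of evaluation; on a real device only the returned error code is observable.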
02 = OAEP
Optimal Asymmetric Encryption Padding (OAEP) was introduced in PKCS#1 v2.0 as an improvement on the original, simple PKCS#1 v1.5 method described above. OAEP requires four additional parameters:
· Mask Generation Function: 01 = MGF1
· MGF Hash Function: 01 = SHA-1
· OAEP Encoding Parameters Length: specifies the length of the encoding parameters.
· OAEP Encoding Parameters: the host may optionally supply a set of OAEP encoding parameters. If OAEP padding is used but no Encoding Parameters are required, OAEP Encoding Parameters Length should be "00" and this field is empty.
The OAEP fields are encoded according to PKCS#1 version 2.0 section 11.2.1 (see Reference 3 at the beginning of this manual). The HSM does not interpret or validate the contents of the Encoding Parameters field; it applies the Hash Algorithm to it and feeds the result into the OAEP process.
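To make the role of the four OAEP parameters concrete, the following Python is an added example (written for this page, not vendor code) of EME-OAEP with MGF1 and SHA-1, which is the only combination the parameters above allow. It takes the Encoding Parameters as a byte string, hashes them into the label hash exactly as the text describes, and produces the clear block that is then raised to the RSA public exponent. The block is emitted in the PKCS#1 v2.1 form with a leading 00 byte; the v2.0 text produces the same bytes once its k-1 byte output is padded to the modulus length. The function names, the optional fixed seed argument (for reproducible tests) and the sample key and label are the example's own assumptions.

```python
import hashlib
import os

H_LEN = 20  # MGF Hash Function 01 = SHA-1


def mgf1_sha1(seed: bytes, mask_len: int) -> bytes:
    """MGF1 (Mask Generation Function 01) with SHA-1: concatenate SHA-1(seed || counter)
    for counter = 0, 1, ... as 4-byte big-endian values, truncated to mask_len bytes."""
    out = b""
    counter = 0
    while len(out) < mask_len:
        out += hashlib.sha1(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:mask_len]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def oaep_encode(message: bytes, k: int, params: bytes = b"", seed: bytes = None) -> bytes:
    """EME-OAEP over a k-byte modulus. Returns the k-byte block 00 || maskedSeed || maskedDB
    that is then raised to the RSA public exponent. params is the OAEP Encoding Parameters
    field; its hash (lHash) is what the HSM feeds into the OAEP process."""
    if len(message) > k - 2 * H_LEN - 2:
        raise ValueError("message too long for a %d-byte modulus" % k)
    l_hash = hashlib.sha1(params).digest()
    ps = b"\x00" * (k - len(message) - 2 * H_LEN - 2)
    db = l_hash + ps + b"\x01" + message
    seed = os.urandom(H_LEN) if seed is None else seed   # fixed seed only for testing
    masked_db = _xor(db, mgf1_sha1(seed, k - H_LEN - 1))
    masked_seed = _xor(seed, mgf1_sha1(masked_db, H_LEN))
    return b"\x00" + masked_seed + masked_db


def oaep_decode(block: bytes, k: int, params: bytes = b"") -> bytes:
    """Inverse of oaep_encode for the clear (RSA-decrypted) block. Every check is evaluated
    before any error is raised, so the caller learns only "decoding error", not which
    part of the block was wrong."""
    if len(block) != k or k < 2 * H_LEN + 2:
        raise ValueError("decoding error")
    y, masked_seed, masked_db = block[0], block[1:1 + H_LEN], block[1 + H_LEN:]
    seed = _xor(masked_seed, mgf1_sha1(masked_db, H_LEN))
    db = _xor(masked_db, mgf1_sha1(seed, k - H_LEN - 1))
    rest = db[H_LEN:]
    sep = rest.find(b"\x01")
    bad = y != 0x00
    bad |= db[:H_LEN] != hashlib.sha1(params).digest()   # wrong Encoding Parameters
    bad |= sep < 0                                       # no 01 separator
    bad |= any(rest[:max(sep, 0)])                       # PS must be all zero bytes
    if bad:
        raise ValueError("decoding error")
    return rest[sep + 1:]
```

A 1024-bit key (k = 128) leaves 128 - 2*20 - 2 = 86 bytes for the message, far more than any DES key block needs; the encoding parameters do not reduce that budget because only their 20-byte hash is placed in the block.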
Key Block Type
01 = Standard Key Block Type
02 = Key Block Template
03 = Unformatted Key Block
This parameter specifies the type of data structure used to carry a DES key.
01 = Standard Key Block Type
This is the standard key block format as supported in the Model 7 HSM. The format is as shown in the PKCS#1 v1.5 padding scheme above, i.e.:
KeyBlock ::= SEQUENCE {
    deskey OCTET STRING,
    iv OCTET STRING (SIZE (8))
}
02 = Key Block Template
This method supports any valid ASN.1 DER encoded Key Block format, which may consist of arbitrary encoded data with a Key Block field containing a plain-text DES Key of single, double or triple length.
The Host must supply a block of data, which conforms to ASN.1 DER encoding, with an indication of the position in which the key is located (DES Key Offset). The key data area of the template must be zero filled.
For key export, the HSM overlays the zero filled data with a DES or Triple DES key as appropriate.
For key import, the HSM verifies that the decrypted data conforms to the specified padding, then checks that the supplied template matches the decoded data. It then extracts the data at the position indicated by the DES Key Offset and uses this as the key for import.
An example Key Block structure and template is shown below. This structure is used for Diebold Remote Key Transport.
Example Key Block Structure
RecipientInfo ::= SEQUENCE {
    version Version,
    issuerAndSerialNumber IssuerAndSerialNumber,
    keyEncryptionAlgorithm KeyEncryptionAlgorithmIdentifier,
    keyOrKeyBlock KeyOrKeyBlock }
KeyOrKeyBlock ::= CHOICE {
    encryptedKey EncryptedKey,
    encryptedKeyBlock EncryptedKeyBlock }
EncryptedKey ::= OCTET STRING
EncryptedKeyBlock ::= ENCRYPTED KeyBlock -- a BIT STRING
KeyBlock ::= SEQUENCE {
    version Version, -- 0
    originatorIssuerAndSerialNumber IssuerAndSerialNumber,
    keyId KeyId,
    key Key,
    keyUsage [0] KeyUsage OPTIONAL }
Example Key Block Template
A key block template corresponding to the above structure is shown below:
30 61                                        KeyBlock (97 bytes)
   02 01 00                                  version = 0
   30 47                                     originatorIssuerAndSerialNumber
      30 42                                  issuer
         31 10
            30 0E
               06 03 55 04 03                attributeType = commonName
               13 07 52 6F 6F 74 20 43 41    attributeValue = "Root CA"
         31 2E
            30 2C
               06 03 55 04 0A                attributeType = organizationName
               13 25                         attributeValue = "Initial Certificate Authority Company"
               49 6E 69 74 69 61 6C 20 43 65 72 74 69
               66 69 63 61 74 65 20 41 75 74 68 6F 72
               69 74 79 20 43 6F 6D 70 61 6E 79
      02 01 02                               serialNumber = 2
   02 01 00                                  keyIdentifier = 0, A key
   04 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   key (zero filled in the template)
The Key Block Template requires four additional parameters:
· Key Block Template Length: the length of the key block data.
· Key Block Template: the actual template, as shown in the example above.
· DES Key Length: the length of the DES key within the key block.
· DES Key Offset: offset to the location of the DES key within the key block. In the example above this points to the first of the 16 zero bytes that follow the final 04 10 tag; the offset is 83 (decimal) bytes.
Two further optional parameters support a check value. The Check Value is not required for the Diebold implementation, but provides flexibility to support applications that require a check value in the key block.
· Check Value Length: length in bytes of the check value field. This field should be 0 if no check value is used.
· Check Value Offset: offset to the location of the check value within the key block.
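The export overlay and the import comparison described for the Key Block Template are shown below as an added example written for this page (not vendor or HSM code). TEMPLATE is the Diebold example template from this page as one byte string; find_key_offset derives the offset 83 from the zero-filled OCTET STRING rather than trusting a hand-counted value, export_key_block overlays a clear key on the template, and import_key_from_block checks that a decrypted block matches the template everywhere outside the key (and optional check value) area before extracting the key. The sample key and all function names are the example's own assumptions, and the check value is treated as opaque bytes because the page does not define how it is computed.

```python
# Key Block Template from the Diebold example above, as one constructed byte string.
# The 16 zero bytes after the final 04 10 tag are the reserved double-length DES key area.
TEMPLATE = bytes.fromhex(
    "3061"                                             # KeyBlock SEQUENCE, 97 bytes
    "020100"                                           # version = 0
    "3047" "3042"                                      # originatorIssuerAndSerialNumber, issuer
    "3110" "300E" "0603550403" "1307" "526F6F74204341"  # commonName = "Root CA"
    "312E" "302C" "060355040A" "1325"                  # organizationName =
    "496E697469616C20436572746966696361746520417574686F7269747920436F6D70616E79"
    "020102"                                           # serialNumber = 2
    "020100"                                           # keyIdentifier = 0
    "0410" + "00" * 16                                 # key: zero filled in the template
)


def der_declared_length(buf: bytes):
    """Return (header_len, content_len) of the outer TLV, handling long-form lengths."""
    first = buf[1]
    if first < 0x80:
        return 2, first
    n = first & 0x7F
    return 2 + n, int.from_bytes(buf[2:2 + n], "big")


def find_key_offset(template: bytes, key_len: int) -> int:
    """Offset of the zero-filled OCTET STRING content reserved for a key_len-byte key."""
    i = template.find(bytes([0x04, key_len]) + b"\x00" * key_len)
    if i < 0:
        raise ValueError("no zero-filled %d-byte OCTET STRING in template" % key_len)
    return i + 2


def validate_template(template: bytes, key_offset: int, key_len: int) -> None:
    hdr, length = der_declared_length(template)
    if template[0] != 0x30 or hdr + length != len(template):
        raise ValueError("template is not a single DER SEQUENCE of the declared length")
    if key_offset + key_len > len(template):
        raise ValueError("key area runs past the end of the template")
    if any(template[key_offset:key_offset + key_len]):
        raise ValueError("key area of the template must be zero filled")


def export_key_block(template: bytes, key_offset: int, key: bytes,
                     check_value: bytes = b"", cv_offset: int = 0) -> bytes:
    """Key export: overlay the clear key (and optional check value) on the template."""
    if len(key) not in (8, 16, 24):
        raise ValueError("DES key must be 8, 16 or 24 bytes")
    validate_template(template, key_offset, len(key))
    block = bytearray(template)
    block[key_offset:key_offset + len(key)] = key
    block[cv_offset:cv_offset + len(check_value)] = check_value
    return bytes(block)


def import_key_from_block(decrypted: bytes, template: bytes, key_offset: int, key_len: int,
                          cv_len: int = 0, cv_offset: int = 0) -> bytes:
    """Key import: the decrypted block must equal the template everywhere except the key
    (and check value) areas; return the key found at key_offset."""
    validate_template(template, key_offset, key_len)
    if len(decrypted) != len(template):
        raise ValueError("decrypted block and template differ in length")
    for i, (got, want) in enumerate(zip(decrypted, template)):
        in_key = key_offset <= i < key_offset + key_len
        in_cv = cv_offset <= i < cv_offset + cv_len
        if not (in_key or in_cv) and got != want:
            raise ValueError("decrypted block does not match template at offset %d" % i)
    return decrypted[key_offset:key_offset + key_len]
```

The byte-for-byte comparison outside the key area is the important part of import: it is what binds the received key to the originator identity and key identifier in the template, so a decrypted block that carries the right padding but a different issuer or serial number is rejected rather than silently accepted.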
03 = Unformatted Key Block
This is the format required for remote ATM key loading for NCR ATMs. It consists of only 8, 16 or 24 bytes of key data (for a single, double or triple length DES key), with no encoding or additional information.
Public Key Encoding
01 = DER encoding for ASN.1 public key (INTEGER uses unsigned representation)
02 = DER encoding for ASN.1 public key (INTEGER uses 2’s complement representation)
An ASN.1 RSAPublicKey has the following definition:
RSAPublicKey ::= SEQUENCE {
    modulus INTEGER, -- n
    publicExponent INTEGER -- e }
HSM firmware prior to version 2.01/6.01 used an unsigned representation for INTEGER values in the RSAPublicKey (Public Key Encoding 01). Version 2.01/6.01 introduced a second Public Key Encoding type (02) which uses a 2's complement representation for INTEGER values.
A public key modulus represented in 2's complement form always has a leading 00 byte, and the most significant bit of the second byte is always '1'. A public key modulus represented in unsigned form never begins with a 00 byte; the most significant bit of its first byte is always '1'. Encoding 02 is the standard DER (X.690) encoding of an INTEGER and is therefore the form general-purpose ASN.1 and RSA libraries expect; such a library reads a key produced with Encoding 01 as a negative modulus, so host software that passes HSM keys on to other components must either request Encoding 02 or insert the leading 00 byte itself.
The encoding is laid out as follows:
Sequence Identifier | Byte Length | Integer Identifier | Modulus length | Modulus | Integer Identifier | Exponent length | Exponent
Example:
For a 1024 bit modulus with an exponent of 03 (unsigned Encoding 01, so the modulus INTEGER has no leading 00 byte):
X'30 | X'81 X'86 | X'02 | X'81 X'80 | 128 byte Modulus | X'02 | X'01 | X'03
Under Encoding 02 the same key would carry a leading 00 byte in the modulus, giving a modulus length of X'81 X'81 and a sequence byte length of X'81 X'87.
Where:
· X'30 is the identifier specifying the start of a sequence.
· X'81 X'86 specifies the length of the following field in bytes:
  - If the first length byte is between X'01 and X'7F it directly gives the length of the following field (1 to 127 bytes).
  - If the first length byte is X'81 or greater, its low 7 bits give the number of subsequent bytes that hold the length. In the example X'81 means one length byte follows, and that byte, X'86, gives 134 bytes.
· X'02 is the identifier specifying the start of the integer.
· X'81 X'80 specifies the length of the following field in bytes using the same definition as above (128 Bytes).
· The modulus in this example is 128 bytes.
· X'02 is the identifier specifying the start of the second integer.
· X'01 specifies the length of the following field in bytes using the same definition as above (1 Byte).
· X'03 is the value of the exponent.
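The leading-byte rule above is all a host needs to tell the two Public Key Encodings apart. The following Python is an added example written for this page (not vendor code): a small DER reader that parses an RSAPublicKey in either encoding, reports which one it saw, and an encoder that produces either form so that a key can be normalised to the standard 2's complement encoding before it is handed to other software. The 1024-bit example layout on this page is reproduced in the test values; the function names and the sample modulus are the example's own assumptions.

```python
def _der_len(n: int) -> bytes:
    """DER length octets (short form below 0x80, else 0x80|N and N length bytes)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _read_tlv(buf: bytes, pos: int, tag: int):
    """Read one TLV with the expected tag at pos; return (content, position after it)."""
    if pos + 2 > len(buf) or buf[pos] != tag:
        raise ValueError("expected tag %#x at offset %d" % (tag, pos))
    first = buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    elif first == 0x80:
        raise ValueError("indefinite length is not permitted in DER")
    else:
        n = first & 0x7F
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n
    end = pos + hdr + length
    if end > len(buf):
        raise ValueError("declared length runs past the end of the data")
    return buf[pos + hdr:end], end


def parse_rsa_public_key(der: bytes):
    """Return (n, e, encoding) where encoding is "01" (unsigned) or "02" (2's complement),
    decided by the leading-byte rule described above."""
    body, end = _read_tlv(der, 0, 0x30)
    if end != len(der):
        raise ValueError("trailing bytes after RSAPublicKey")
    mod, pos = _read_tlv(body, 0, 0x02)
    exp, pos = _read_tlv(body, pos, 0x02)
    if pos != len(body) or not mod:
        raise ValueError("malformed RSAPublicKey")
    if mod[0] == 0x00 and len(mod) > 1 and mod[1] & 0x80:
        encoding, n = "02", int.from_bytes(mod[1:], "big")
    elif mod[0] & 0x80:
        # Unsigned form: a strict DER reader would take this INTEGER to be negative.
        encoding, n = "01", int.from_bytes(mod, "big")
    else:
        raise ValueError("modulus matches neither encoding rule")
    return n, int.from_bytes(exp, "big"), encoding


def encode_rsa_public_key(n: int, e: int, encoding: str = "02") -> bytes:
    """Encode RSAPublicKey in either Public Key Encoding. Use "02" for anything that is
    handed to a standard ASN.1 or RSA library."""
    if encoding not in ("01", "02"):
        raise ValueError("unknown Public Key Encoding")
    out = b""
    for value in (n, e):
        raw = value.to_bytes((value.bit_length() + 7) // 8, "big") or b"\x00"
        if encoding == "02" and raw[0] & 0x80:
            raw = b"\x00" + raw            # keep the INTEGER non-negative in 2's complement
        out += b"\x02" + _der_len(len(raw)) + raw
    return b"\x30" + _der_len(len(out)) + out
```

To convert a key received from older firmware, parse it and re-encode with encoding "02"; the numeric modulus and exponent are unchanged, only the INTEGER framing differs.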