RSA Cryptosystem Functions

The RSA cryptosystem provides the following functions:

·         Generation of variable-length RSA keys.

·         Validation of public key certificates.

·         Generation and validation of digital signatures.

·         Secure DES key management using RSA public master keys.

·         Generation of hash values.

These functions are implemented by the following host commands:

·         Generate an RSA Key Set (EI)

·         Load a Secret Key (EK)

·         Translate a Secret Key from the Old LMK to a New LMK (EM)

·         Generate a MAC on a Public Key (EO)

·         Verify a MAC on a Public Key (EQ)

·         Validate a Certificate and Generate a MAC on its Public Key (ES)

·         Translate a MAC on a Public Key (EU)

·         Generate a Signature (EW)

·         Validate a Signature (EY)

·         Import a DES Key (GI)

·         Export a DES Key (GK)

·         Hash a Block of Data (GM)

Details of these commands can be found in the Host Command Reference Manual.

Common Parameters

Within these functions certain common parameters are defined as follows:

DES Key Type

The DES Key Type field is 4 digits. The first two digits indicate the LMK pair used to encrypt the key; the last two digits indicate the LMK variant. For example:

·         If the DES Key Type is 0600, LMK pair 06-07 is used (no variant).

·         If the DES Key Type is 3007, variant 7 of LMK pair 30-31 is used.

Signature Algorithm

01 = RSA

Encryption Identifier

01 = RSA

Hash Identifier

01 = SHA-1, produces a 20 byte result.

02 = MD5, produces a 16 byte result.

03 = ISO 10118-2, produces a 16 byte result.

04 = No Hash

05 = SHA-224

06 = SHA-256

07 = SHA-384

08 = SHA-512

01 = SHA-1 hashing algorithm

The ASN.1 DER object identifier for this hashing function is:

{iso(1) identified-organisation(3) oiw(14) secsig(3) 2 26}

which encodes as:

2B 0E 03 02 1A

02 = MD5 hashing algorithm

The ASN.1 DER object identifier for this hashing function is:

{iso(1) member-body(2) US(840) rsadsi(113549) digestAlgorithm(2) 5}

which encodes as:

2A 86 48 86 F7 0D 02 05

03 = ISO 10118-2 hashing algorithm

The ASN.1 DER object identifier for this hashing function is:

{2 10 67 4}

which encodes as:

5A 43 04

04 = No hash

The no-hash option can be used when the HSM provides signature generation or validation, or certificate validation, on data that is hashed outside the HSM.

If the no-hash option is chosen, the data that is provided in the Validate a Certificate, Generate a Signature and Validate a Signature commands is not modified in any way by the HSM, so it must be precisely the data in the plain signature block (which depends on the pad mode selected by the Pad Mode Identifier). It is the responsibility of the Host application to ensure that the precise data to be included in the signature block is supplied in the command.

05 = SHA-224 hashing algorithm

The ASN.1 DER object identifier for this hashing function is:

id-SHA224 OBJECT IDENTIFIER ::= {joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) nistalgorithm(4) hashalgs(2) sha224(4)}

which encodes as:

0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x04

06 = SHA-256 hashing algorithm

The ASN.1 DER object identifier for this hashing function is:

id-SHA256 OBJECT IDENTIFIER ::= {joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) nistalgorithm(4) hashalgs(2) sha256(1)}

which encodes as:

0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01

07 = SHA-384 hashing algorithm

The ASN.1 DER object identifier for this hashing function is:

id-SHA384 OBJECT IDENTIFIER ::= {joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) nistalgorithm(4) hashalgs(2) sha384(2)}

which encodes as:

0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02

08 = SHA-512 hashing algorithm

The ASN.1 DER object identifier for this hashing function is:

id-SHA512 OBJECT IDENTIFIER ::= {joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) nistalgorithm(4) hashalgs(2) sha512(3)}

which encodes as:

0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03

Example:

If the SHA-1 algorithm is used to hash the data and the resultant hash value is:

0123456789ABCDEF0123456789ABCDEF01234567

and if the PKCS#1 pad mode is used, the data to be provided must be the complete ASN.1 DER encoded DigestInfo, which is:

30 21 300906052B0E03021A0500 04140123456789ABCDEF0123456789ABCDEF01234567.

Note that when using the no-hash mode, the HSM checks that the DER encoded DigestInfo syntax is correct. If there is a DigestInfo syntax error, the HSM returns error code 74.


Pad Mode Identifier

01 = PKCS#1 v1.5

02 = OAEP

The PKCS#1 standard (see References 3 and 4 at the beginning of this manual) defines the padding method to be used before operating with a public or secret RSA key.

01 = PKCS#1 v1.5

This simple padding scheme was introduced in the original PKCS#1 specification. The data to be encrypted or decrypted is padded as follows:

00 BT PS 00 D, where:

·         BT is a single byte indicating the block type. BT is 01 for a secret key operation; 02 for a public key operation.

·         PS is a padding string consisting of bytes FF....FF for block type 01, random non-zero bytes for block type 02. PS must contain at least 8 bytes.

·         D is the data block.

·         The total length of the padded block is equal to the length (in bytes) of the RSA key modulus.

The data block D is the ASN.1 encoded message digest, or DES key (depending on the command used), as follows:

DigestInfo ::= SEQUENCE {
    digestAlgorithm    DigestAlgorithmIdentifier,
    digest             OCTET STRING
}

DigestAlgorithmIdentifier ::= SEQUENCE {
    algorithm          OBJECT IDENTIFIER,
    parameters         NULL
}

KeyBlock ::= SEQUENCE {
    deskey             OCTET STRING,
    iv                 OCTET STRING SIZE (8)
}

Example 1:

Assume that the SHA-1 algorithm is used to produce the 20-byte digest:

0123456789ABCDEF0123456789ABCDEF01234567.

The DigestAlgorithmldentifier for SHA-1 is:

30 09 06 05 2B0E03021A 05 00.

Thus, the ASN.1 DER encoded DigestInfo is:

30 21 300906052B0E03021A0500 04140123456789ABCDEF0123456789ABCDEF01234567


Example 2:

If a single-length DES key 0123456789ABCDEF and IV = 9999999999999999 are used, the ASN.1 DER encoding of KeyBlock is:

30 14 04080123456789ABCDEF 04089999999999999999.

When the PKCS#1 pad mode is used, the following validity checks are carried out:

For a validation operation (Validate a Certificate, Validate a Signature):

·         The length of the data to be validated is equal to the length (in bytes) of the modulus of the key to be used for the validation.  If not, error code 76 is returned.

·         The first byte of the clear data block is 00.  If not, error code 77 is returned.

·         The second byte of the clear data block is 01.  If not, error code 77 is returned.

·         Subsequent bytes consist of at least 8 bytes of binary 1s, followed by a zero byte. If not, error code 77 is returned.

·         The hash algorithm object identifier corresponds to that of the identifier of the hash algorithm supplied in the command message. If not, error code 79 is returned.

·         The digest is compared with the hash of the supplied data.  If the two values are not equal, error code 02 is returned.

For a generation operation (Generate a Signature):

·         The length (in bytes) of the data block D is at most m-11 (where m is the length, in bytes, of the modulus of the key to be used).  If not, error code 76 is returned.

For an import key operation (Import a DES Key):

·         The length of the imported key block is equal to the length (in bytes) of the modulus of the secret key to be used to decrypt the block.  If not, error code 76 is returned.

·         The first byte of the clear data block is 00 and the second byte is 02.  If not, error code 77 is returned.

·         Subsequent bytes consist of at least 8 bytes of random non-zero bytes, followed by a zero byte.  If not, error code 77 is returned.

·         The data block D conforms to the ASN.1 encoding rules.  If not, error code 77 is returned.

For an export key operation (Export a DES Key):

·         The length (in bytes) of the data block D is at most m-11 (where m is the length, in bytes, of the modulus of the key to be used).  If not, error code 76 is returned.
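The following Python is an added example, not code from the Host Command Reference Manual or the HSM itself. It serves both the no-hash DigestInfo example in the Hash Identifier section and the PKCS#1 v1.5 validity checks listed above: it builds the DER DigestInfo for a given Hash Identifier, pads it on the generation side, and applies the validation-side checks in the order given, returning the error code this section assigns to each failure. The Hash Identifier codes and OIDs are taken from the table above; the message and modulus length are constructed values, and the function names are assumptions.

```python
import hashlib

HASH_OIDS = {  # Hash Identifier -> DER-encoded OID, from the table in this section
    "01": bytes.fromhex("2B0E03021A"),          # SHA-1
    "02": bytes.fromhex("2A864886F70D0205"),    # MD5
    "05": bytes.fromhex("608648016503040204"),  # SHA-224
    "06": bytes.fromhex("608648016503040201"),  # SHA-256
    "07": bytes.fromhex("608648016503040202"),  # SHA-384
    "08": bytes.fromhex("608648016503040203"),  # SHA-512
}
HASH_NAMES = {"01": "sha1", "02": "md5", "05": "sha224", "06": "sha256", "07": "sha384", "08": "sha512"}

def tlv(tag, body):
    # DER short-form length only: every DigestInfo built here is well under 128 bytes
    assert len(body) < 0x80
    return bytes([tag, len(body)]) + body

def digest_algorithm_identifier(hash_id):
    """DigestAlgorithmIdentifier ::= SEQUENCE { OBJECT IDENTIFIER, NULL }"""
    return tlv(0x30, tlv(0x06, HASH_OIDS[hash_id]) + b"\x05\x00")

def digest_info(hash_id, digest):
    """DigestInfo ::= SEQUENCE { DigestAlgorithmIdentifier, OCTET STRING }"""
    return tlv(0x30, digest_algorithm_identifier(hash_id) + tlv(0x04, digest))

def pad_for_signature(hash_id, data, m):
    """Generation side: D = DigestInfo(hash(data)); block = 00 01 FF..FF 00 D, or error 76 if D exceeds m-11."""
    d = digest_info(hash_id, hashlib.new(HASH_NAMES[hash_id], data).digest())
    if len(d) > m - 11:
        return "76", b""
    return "00", b"\x00\x01" + b"\xFF" * (m - 3 - len(d)) + b"\x00" + d

def check_signature_block(block, m, hash_id, data):
    """Validation side: apply the page's checks in order; return the first error code, or 00."""
    if len(block) != m:
        return "76"
    if block[:2] != b"\x00\x01":
        return "77"
    i = 2
    while i < len(block) and block[i] == 0xFF:
        i += 1
    if i - 2 < 8 or i >= len(block) or block[i] != 0x00:
        return "77"                       # PS shorter than 8 bytes, or no terminating 00 byte
    d = block[i + 1:]
    alg = digest_algorithm_identifier(hash_id)
    if d[2:2 + len(alg)] != alg:
        return "79"                       # OID does not match the Hash Identifier in the command
    if d != digest_info(hash_id, hashlib.new(HASH_NAMES[hash_id], data).digest()):
        return "02"                       # digest differs from the hash of the supplied data
    return "00"
```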

02 = OAEP

Optimal Asymmetric Encryption Padding (OAEP) was introduced in PKCS#1 v2.0, as an improvement on the original, simple PKCS#1 v1.5 method described above. OAEP requires four additional parameters:

·         Mask Generation Function
01 = MGF1

·         MGF Hash Function
01 = SHA1

·         OAEP Encoding Parameters Length
Specifies the length of the encoding parameters.

·         OAEP Encoding Parameters
The host may optionally supply a set of OAEP encoding parameters. If OAEP padding is used, but no Encoding Parameters are required, then OAEP Encoding Parameters Length should be 00, and this field will be empty.

The OAEP fields are encoded according to PKCS#1 version 2.0 section 11.2.1 (see Reference 3 at the beginning of this manual). The HSM does not interpret or validate the contents of this field; it applies the Hash Algorithm to it and feeds the result into the OAEP process.


Key Block Type

01 = Standard Key Block Type

02 = Key Block Template

03 = Unformatted Key Block

This parameter specifies the type of data structure used to carry a DES key.

01 = Standard Key Block Type

This is the standard key block format as supported in the Model 7 HSM. The format is as shown in the PKCS#1 v1.5 padding scheme above, i.e.:

KeyBlock ::= SEQUENCE {
    deskey             OCTET STRING,
    iv                 OCTET STRING SIZE (8)
}

02 = Key Block Template

This method supports any valid ASN.1 DER encoded Key Block format, which may consist of arbitrary encoded data with a Key Block field containing a plain-text DES Key of single, double or triple length.

The Host must supply a block of data, which conforms to ASN.1 DER encoding, with an indication of the position in which the key is located (DES Key Offset). The key data area of the template must be zero filled.

For key export, the HSM overlays the zero filled data with a DES or Triple DES key as appropriate.

For key import, the HSM verifies that the decrypted data conforms to the specified padding, then checks that the supplied template matches the decoded data. It then extracts the data at the position indicated by the DES Key Offset and uses this as the key for import.

An example Key Block structure and template is shown below. This structure is used for Diebold Remote Key Transport.

Example Key Block Structure

RecipientInfo ::= SEQUENCE {
    version                  Version,
    issuerAndSerialNumber    IssuerAndSerialNumber,
    keyEncryptionAlgorithm   KeyEncryptionAlgorithmIdentifier,
    keyOrKeyBlock            KeyOrKeyBlock }

KeyOrKeyBlock ::= CHOICE {
    encryptedKey             EncryptedKey,
    encryptedKeyBlock        EncryptedKeyBlock }

EncryptedKey ::= OCTET STRING

EncryptedKeyBlock ::= ENCRYPTED KeyBlock  -- a BIT STRING

KeyBlock ::= SEQUENCE {
    version                          Version, -- 0
    originatorIssuerAndSerialNumber  IssuerAndSerialNumber,
    keyId                            KeyId,
    key                              Key,
    keyUsage [0]                     KeyUsage OPTIONAL }


Example Key Block Template

A key block template corresponding to the above structure is shown below:

30 61                                                  KeyBlock

 02 01 00                                              version = 0

  30 47                                                originatorIssuerAndSerialNumber

   30 42                                               issuer

    31 10

     30 0E

      06 03 55 04 03                                          attributeType = commonName

       13 07 52 6F 6F 74 20 43 41                      attributeValue = Root CA

    31 2E

     30 2C

      06 03 55 04 0A                                          attributeType = organizationName

       13 25                                           attributeValue = Initial Certificate

                                                                     Authority Company

        49 6E 69 74 69 61 6C 20 43 65 72 74 69

        66 69 63 61 74 65 20 41 75 74 68 6F 72

        69 74 79 20 43 6F 6D 70 61 6E 79

    02 01 02                                           serialNumber = 2

  02 01 00                                             keyIdentifier = 0, A key

  04 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00       key

The Key Block Template requires four additional parameters:

·         Key Block Template Length
The length of the key block data

·         Key Block Template
The actual template, as shown in the example above

·         DES Key Length
The length of the DES key within the key block.

·         DES Key Offset
Offset to the location of the DES key within the key block. In the example above this points to the beginning of the 16 zero bytes of the key field, and the offset is 83 (decimal) bytes.

Another two optional parameters support a check value. The Check Value is not required for the Diebold implementation, but provides flexibility to support applications that require a check value in the key block.

·         Check Value Length
Length in bytes of the check value field. This field should be 0 if no check value is used.

·         Check Value Offset
Offset to the location of the check value within the key block.
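The following Python is an added example, not part of this manual or the HSM software. It rebuilds the Key Block Template from the hex dump above, walks it as DER (so a malformed template is rejected, as the import check requires), derives the DES Key Offset of 83 from the position of the zero-filled key field, and performs the export-side overlay of the clear key. The function names and the 16-byte key field are illustrative assumptions.

```python
# Constructed from the hex dump in this section: KeyBlock with a 16-byte zero-filled key field
TEMPLATE = (bytes.fromhex("3061 020100 3047 3042 3110 300E 0603550403") + b"\x13\x07Root CA"
            + bytes.fromhex("312E 302C 060355040A") + b"\x13\x25Initial Certificate Authority Company"
            + bytes.fromhex("020102 020100 0410") + bytes(16))

def der_elements(buf, pos=0, end=None):
    """Walk every DER TLV in buf[pos:end], descending into SEQUENCE/SET.
    Returns (tag, value_offset, length) triples; raises ValueError if the data is not valid DER."""
    end = len(buf) if end is None else end
    out = []
    while pos < end:
        if pos + 1 >= end:
            raise ValueError("truncated header at offset %d" % pos)
        tag, first = buf[pos], buf[pos + 1]
        if first < 0x80:                                  # short-form length
            length, hdr = first, 2
        else:                                             # long form: 0x80|k, then k length bytes
            k = first & 0x7F
            length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + k], "big"), 2 + k
        val = pos + hdr
        if val + length > end:
            raise ValueError("element at offset %d overruns its container" % pos)
        out.append((tag, val, length))
        if tag & 0x20:                                    # constructed type: descend
            out.extend(der_elements(buf, val, val + length))
        pos = val + length
    return out

def find_key_offset(template, key_len):
    """Return the DES Key Offset: start of the first OCTET STRING holding key_len zero bytes."""
    for tag, val, length in der_elements(template):
        if tag == 0x04 and length >= key_len and not any(template[val:val + key_len]):
            return val
    raise ValueError("no zero-filled key field of %d bytes" % key_len)

def overlay_key(template, key_offset, key):
    """Export side: only a zero-filled OCTET STRING field may be overwritten with the clear DES key."""
    if find_key_offset(template, len(key)) != key_offset:
        raise ValueError("DES Key Offset does not address the zero-filled key field")
    return template[:key_offset] + key + template[key_offset + len(key):]
```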

03 = Unformatted Key Block

This is the format required for remote ATM key loading for NCR ATMs. It consists of only 8, 16 or 24 bytes of key data (for a single, double or triple length DES key), with no encoding or additional information.


Public Key Encoding

01 = DER encoding for ASN.1 public key (INTEGER uses unsigned representation)

02 = DER encoding for ASN.1 public key (INTEGER uses 2s complement representation)

An ASN.1 RSAPublicKey has the following definition:

RSAPublicKey ::= SEQUENCE {
    modulus           INTEGER,  -- n
    publicExponent    INTEGER   -- e }

HSM 8000 base software prior to version 1.1a used an unsigned representation for INTEGER values in the RSAPublicKey (Public Key Encoding 01). Version 1.1a introduced a second Public Key Encoding type (02) which uses a 2s complement representation for INTEGER values.

A public key modulus represented in 2s complement form will always have a leading 00 byte, and the most significant bit of the second byte will always be 1. A public key modulus represented in unsigned form will never begin with a 00 byte; the most significant bit of the modulus will always be 1.

To avoid interoperability problems with non-Thales HSMs, it is recommended to use Public Key Encoding 02.

Examples:

1024 bit modulus with an exponent of 03 using Public Key Encoding 01:

Sequence Identifier    X'30
Byte Length            X'81 X'86
Integer Identifier     X'02
Modulus length         X'81 X'80
Modulus                128 bytes
Integer Identifier     X'02
Exponent length        X'01
Exponent               X'03

Where:

- If the value is between X'01 and X'7F, it directly specifies the length of the following field in bytes (1 byte to 127 bytes).

- If the value is greater than X'80, its low 7 bits give the number of bytes that hold the length of the next field. In the above example X'81 means that one further byte holds the length, and that byte is X'86, i.e. 134 bytes.
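An added example in Python (not from this manual or the HSM) showing both Public Key Encodings of the RSAPublicKey structure, including the long-form length octets explained above, and the rule from this section for telling the two encodings apart when a key is received. The 1024-bit modulus is a constructed value with its top bit set, not a real RSA key; the function names are assumptions.

```python
def der_len(n):
    """DER length octets: one byte below 128, else 0x80|k followed by k big-endian bytes (134 -> X'81 X'86)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def read_len(buf, pos):
    """Inverse of der_len: return (length, offset of the first content byte)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    k = first & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + k], "big"), pos + 1 + k

def der_integer(value, twos_complement):
    """Encoding 01 keeps the minimal unsigned bytes; encoding 02 prefixes 00 when bit 7 of the first byte is set."""
    body = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if twos_complement and body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + der_len(len(body)) + body

def rsa_public_key(n, e, encoding):
    """RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER } under Public Key Encoding 01 or 02."""
    twos_complement = {"01": False, "02": True}[encoding]
    body = der_integer(n, twos_complement) + der_integer(e, twos_complement)
    return b"\x30" + der_len(len(body)) + body

def detect_encoding(der):
    """Apply this section's rule to the modulus: 00 then a byte with bit 7 set -> 02; bit 7 set immediately -> 01."""
    if der[0] != 0x30:
        raise ValueError("not a SEQUENCE")
    _, pos = read_len(der, 1)
    if der[pos] != 0x02:
        raise ValueError("modulus is not an INTEGER")
    length, pos = read_len(der, pos + 1)
    mod = der[pos:pos + length]
    if mod[0] == 0x00 and mod[1] & 0x80:
        return "02"
    if mod[0] & 0x80:
        return "01"
    raise ValueError("modulus does not fill its top bit, so both encodings coincide")
```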

1024 bit modulus with an exponent of 03 using Public Key Encoding 02:

Sequence Identifier    X'30
Byte Length            X'81 X'87
Integer Identifier     X'02
Modulus length         X'81 X'81
Modulus                129 bytes
Integer Identifier     X'02
Exponent length        X'01
Exponent               X'03


The 1024 bits of the modulus will

Where: