NUMBER 1 — SPRING 1996
RSA LABORATORIES’
Contents
1 Asymmetric Encryption: Evolution and Enhancements
2 Editor's Note
7 PayWord and MicroMint: Two Simple Micropayment Schemes
12 Message Authentication Using Hash Functions: the HMAC Construction
16 Announcements
The technical newsletter of RSA Laboratories, a division of RSA Data Security, Inc.
Asymmetric Encryption: Evolution and Enhancements
Don B. Johnson and Stephen M. Matyas
IBM Cryptography Center of Competence, MS P330 522 South Road Poughkeepsie, NY 12601 USA
Don Johnson, a senior programmer at IBM, is an architect of IBM’s crypto solutions and the company’s representative to ANSI X9.F.1 and X9.F.3, IEEE P1363, and the X/Open Crypto API workgroups. He can be contacted at dbj@VNET.IBM.COM.

Mike Matyas, a senior technical staff member at IBM, has participated in the design and development of all major IBM cryptographic products. He can be contacted at smatyas@VNET.IBM.COM.

When public key cryptography was invented, one of its uses was identified as the secure transport of secret symmetric keys. The objectives of such a key transport mechanism keep evolving as attacks are identified, hidden assumptions are revealed, proofs of security are given, and additional capability is needed. The process continues in this article.

We trace the evolution of some asymmetric key transport mechanisms, starting with the method in PKCS #1. We then discuss, in historical order, two masking techniques developed by IBM cryptographers, and the method currently under study in ANSI draft standard X9.44 RSA Key Transport. We then give ideas that may be useful when using elliptic curve cryptography, where the size of the block is typically much less than that used with other algorithms, for example, RSA.

We will use the following terminology:

Formatted block — a block of data passed as input to the methods. It contains a secret symmetric key and other data to provide evidence of correct recovery and to thwart certain attacks.

Masked block — a block that results when the formatted block is masked to hide patterns.

Encrypted block — the block that results after the formatted or masked block has been asymmetrically encrypted.

For readers interested in some of the security issues involved in using RSA, an earlier CryptoBytes article entitled The Secure Use of RSA contains much useful information.

PKCS #1

The Public Key Cryptography Standard #1 was designed by the cryptographers at RSA Data Security, Inc. PKCS #1 describes a method to RSA encrypt a secret symmetric key. The formatted block is passed directly to the RSA encrypt process. It uses the following method (with rationale):

1. A leading 0x00 is in the block to be RSA encrypted, ensuring the encryption block is less than the RSA modulus.
2. A block type encoded octet of 0x02 follows the leading 0x00, indicating the block is to be encrypted using a public key.
3. At least eight non-zero pseudorandom padding octets (bytes) are appended to the right after the block type octet. The padding octets should be generated independently for each RSA encryption, especially if the same key is being encrypted. This thwarts Hastad’s attack and allows use of a low value (e.g., 3) for the public

(continued on page 3)
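The block layout in items 1 to 3, as an added Python example (not code from the article or from PKCS #1 itself). The function names and the 64-octet modulus length are assumptions made for illustration; the 0x00 separator octet before the key comes from the PKCS #1 block format and falls after the point where this excerpt breaks off.

```python
import secrets

MIN_PAD = 8  # "at least eight non-zero pseudorandom padding octets"

def format_block(key: bytes, k: int) -> bytes:
    """Return the k-octet formatted block 00 || 02 || PS || 00 || key."""
    pad_len = k - 3 - len(key)
    if pad_len < MIN_PAD:
        raise ValueError("key too long for this modulus length")
    # Fresh non-zero padding on every call, even for the same key.
    pad = bytes(secrets.randbelow(255) + 1 for _ in range(pad_len))
    return b"\x00\x02" + pad + b"\x00" + key

def parse_block(block: bytes, k: int) -> bytes:
    """Check the structure of a recovered block and return the key."""
    if len(block) != k or block[:2] != b"\x00\x02":
        raise ValueError("malformed block")
    sep = block.find(b"\x00", 2)  # first zero octet ends the padding
    if sep == -1 or sep - 2 < MIN_PAD:
        raise ValueError("malformed block")
    return block[sep + 1:]

def below_any_modulus(block: bytes, k: int) -> bool:
    """True if the block, read as an integer, is below every k-octet modulus."""
    # A k-octet modulus is at least 2^(8(k-1)); the leading 0x00 keeps
    # the formatted block under that bound.
    return int.from_bytes(block, "big") < (1 << (8 * (k - 1)))

if __name__ == "__main__":
    K = 64  # constructed: modulus length in octets (512-bit modulus)
    key = bytes.fromhex("0123456789abcdef")  # constructed 8-octet key
    first, second = format_block(key, K), format_block(key, K)
    print(first.hex())   # same key, different padding each time
    print(second.hex())
    print(parse_block(first, K) == key, below_any_modulus(first, K))
```
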
CRYPTOGRAPHIC RESEARCH AND CONSULTATION
Editor’s Note
Readers of the Autumn 1995 issue of CryptoBytes will recall that we included two articles related to RSA encryption. In one, we concentrated on the secure use of conventional RSA and in the other we looked at a new proposal by Adi Shamir termed...