pkcs_1_sha 256_with_rsa_encryption - dwilson2547/wiki_demo GitHub Wiki

PKCS #1 v1.5 with SHA-256 and RSA Encryption is a widely used digital signature scheme defined in RFC 8017 (formerly PKCS #1). It combines the SHA-256 hash function with the RSA public-key cryptosystem to provide message authentication, integrity, and non-repudiation.

Let’s break down all the parts of this algorithm in detail:

---

• 1. Overview of PKCS #1 v1.5 with SHA-256 and RSA
• 2. Key Components
  • A. RSA Key Pair
  • B. SHA-256 Hash Function
  • C. ASN.1 Encoding
• 3. Signing Process
  • Step 1: Hash the Message
  • Step 2: Encode the Hash
  • Step 3: Pad the Encoded Hash
  • Step 4: Sign the Padded Block
• 4. Verification Process
  • Step 1: Hash the Message
  • Step 2: Encode the Hash
  • Step 3: Decrypt the Signature
  • Step 4: Verify the Padding and Hash
• 5. Security Considerations
  • A. PKCS #1 v1.5 Padding
  • B. Hash Function Security
  • C. RSA Key Size
  • D. Side-Channel Attacks
• 6. Example Workflow
• 7. Summary Table
• 8. Comparison with Other Schemes

This scheme is used to sign messages using RSA and verify those signatures. The process involves:

• Hashing the message with SHA-256.
• Encoding the hash and other metadata into a structured format (ASN.1).
• Signing the encoded data using the RSA private key.
• Verifying the signature using the RSA public key.

---

• Private Key (( d )): A large integer used to sign messages.
• Public Key (( (e, n) )):
  • ( e ): Public exponent (usually 65537).
  • ( n ): Modulus, the product of two large primes ( p ) and ( q ).

• Converts the message into a fixed 256-bit (32-byte) hash.
• Ensures message integrity and provides a fixed-length input for RSA.

• The hash and metadata are encoded using ASN.1 (Abstract Syntax Notation One) to form a structured block.
• This block is padded and formatted according to PKCS #1 v1.5 before signing.

---

• Compute the SHA-256 hash of the message: [ h = \text{SHA-256}(m) ]
• The hash ( h ) is a 32-byte value.

• The hash ( h ) is embedded into an ASN.1 DER-encoded structure called DigestInfo:

  DigestInfo ::= SEQUENCE {
      digestAlgorithm AlgorithmIdentifier,
      digest OCTET STRING
  }

  • digestAlgorithm specifies the hash algorithm (SHA-256).
  • digest is the 32-byte SHA-256 hash.

• The DigestInfo structure is encoded as a DER (Distinguished Encoding Rules) byte string.

• The DigestInfo byte string is padded using PKCS #1 v1.5 padding:

  0x00 || 0x01 || 0xFF || ... || 0xFF || 0x00 || ASN.1 DER-encoded DigestInfo
  

  • 0x00: Ensures the result is a positive integer.
  • 0x01: Block type (1 for signature).
  • 0xFF: Padding bytes (at least 8 bytes).
  • 0x00: Separator between padding and DigestInfo.
  • ASN.1 DER-encoded DigestInfo: The encoded hash.

• The total length of the padded block must match the RSA modulus size (e.g., 256 bytes for a 2048-bit RSA key).

• The padded block is treated as a large integer and signed using the RSA private key: [ s = m^d \mod n ] where:

  • ( m ) is the padded block as an integer.
  • ( d ) is the private exponent.
  • ( n ) is the RSA modulus.

• The result ( s ) is the signature.

---

• The verifier computes the SHA-256 hash of the received message: [ h' = \text{SHA-256}(m) ]

• The verifier encodes ( h' ) into the same DigestInfo structure and DER-encodes it.

• The signature ( s ) is decrypted using the RSA public key: [ m' = s^e \mod n ] where:

  • ( e ) is the public exponent.
  • ( n ) is the RSA modulus.

• ( m' ) is the recovered padded block.

• The verifier checks that the recovered padded block ( m' ) has the correct PKCS #1 v1.5 padding format.
• The verifier extracts the DigestInfo from ( m' ) and compares it to the DigestInfo computed from the received message.
• If they match, the signature is valid.

---

• The padding scheme is deterministic and must be strictly followed.
• Incorrect padding can lead to security vulnerabilities (e.g., Bleichenbacher attacks).

• SHA-256 is currently considered secure, but weaker hash functions (e.g., SHA-1) are vulnerable to collision attacks.

• RSA keys should be at least 2048 bits for modern security. Smaller keys (e.g., 1024 bits) are considered insecure.

• Implementations must be constant-time to prevent timing attacks.

---

Let’s say Alice wants to sign a message ( m = )"Hello, Bob!":

1. Hashing:

   • Alice computes ( h = \text{SHA-256}("Hello, Bob!") ).

2. Encoding:

   • Alice encodes ( h ) into DigestInfo and DER-encodes it.

3. Padding:

   • Alice pads the DigestInfo using PKCS #1 v1.5 padding.

4. Signing:

   • Alice signs the padded block using her RSA private key to produce the signature ( s ).

5. Verification:

   • Bob receives ( m ) and ( s ).
   • Bob computes ( h' = \text{SHA-256}(m) ) and encodes it.
   • Bob decrypts ( s ) using Alice’s public key to recover the padded block.
   • Bob verifies the padding and compares the extracted DigestInfo with his computed DigestInfo.

---

Component	Description
RSA Private Key	Used to sign the padded block.
RSA Public Key	Used to verify the signature.
SHA-256	Hashes the message to ensure integrity and fixed-length input.
ASN.1 DER Encoding	Encodes the hash and metadata into a structured format.
PKCS #1 v1.5 Padding	Pads the encoded hash to match the RSA modulus size.
Signature	The result of RSA encryption of the padded block.

---

• PSS (Probabilistic Signature Scheme): A more modern alternative to PKCS #1 v1.5 padding, offering better security guarantees.
• ECDSA: Uses elliptic curve cryptography instead of RSA, providing equivalent security with smaller key sizes.

---

Would you like to explore the ASN.1 encoding or PSS padding in more detail, or compare this scheme with others like ECDSA?