Connected: An Internet Encyclopedia
4.2.1 RSAEncryption

Up: RFC 1423

The RSAEncryption public-key encryption algorithm, defined in PKCS #1 [11], is used for DEK and MIC encryption when asymmetric key management is employed. The character string "RSA" within a "MIC-Info:" or "Key-Info:" header field indicates the use of this algorithm.

All PEM implementations supporting asymmetric key management shall support this algorithm.

As described in PKCS #1, all quantities input as data values to the RSAEncryption process shall be properly justified and padded to the length of the modulus prior to the encryption process. In general, an RSAEncryption input value is formed by concatenating a leading NULL octet, a block type BT, a padding string PS, a NULL octet, and the data quantity D, that is,

     RSA input value = 0x00 || BT || PS || 0x00 || D.

To prepare a DEK for RSAEncryption, the PKCS #1 "block type 02" encryption-block formatting scheme is employed. The block type BT is a single octet containing the value 0x02 and the padding string PS is one or more octets (enough octets to make the length of the complete RSA input value equal to the length of the modulus) each containing a pseudorandomly generated, non-zero value. For multiple recipient messages, a different, pseudorandom padding string should be used for each recipient. The data quantity D is the DEK itself, which is right-justified within the RSA input such that the last (or rightmost displayed, if one thinks in terms of the "print" representation) octet of the DEK is aligned with the right-most, or least-significant, octet of the RSA input. Proceeding to the left, each of the remaining octets of the DEK, up through the first (or left-most displayed) octet, is aligned in the next more significant octet of the RSA input.

To prepare a MIC for RSAEncryption, the PKCS #1 "block type 01" encryption-block formatting scheme is employed. The block type BT is a single octet containing the value 0x01 and the padding string PS is one or more octets (enough octets to make the length of the complete RSA input value equal to the length of the modulus) each containing the value 0xFF. The data quantity D is comprised of the MIC and the MIC algorithm identifier which are ASN.1 encoded as the following sequence.

     SEQUENCE {
         digestAlgorithm   AlgorithmIdentifier,
         digest            OCTET STRING
     }

The ASN.1 type AlgorithmIdentifier is defined in X.509 as follows.

     AlgorithmIdentifier ::= SEQUENCE {
         algorithm         OBJECT IDENTIFIER,
         parameters        ANY DEFINED BY algorithm OPTIONAL
     }

An RSA input block is encrypted using the RSA algorithm with the first (or left-most) octet taken as the most significant octet, and the last (or right-most) octet taken as the least significant octet. The resulting RSA output block is interpreted in a similar manner.
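The block layouts and octet ordering described above, as an added example that is not part of RFC 1423 or PKCS #1: it builds the type 02 and type 01 blocks, converts a block to the integer that RSA operates on, and parses a block back while rejecting any deviation from the layout. The function names, the MD5 MIC algorithm, the 64-octet modulus length and the sample values are assumptions; the 8-octet minimum for PS comes from PKCS #1 v1.5, not from the text above.

```python
import secrets

MIN_PS = 8  # PKCS #1 v1.5 minimum; the text above only says "one or more"
# Assumption: MIC algorithm is MD5. DER header of the SEQUENCE above, up to
# and including the OCTET STRING tag and length for a 16-octet digest.
MD5_PREFIX = bytes.fromhex("3020300c06082a864886f70d020505000410")

def format_block(bt: int, data: bytes, k: int) -> bytes:
    """Return 0x00 || BT || PS || 0x00 || D, exactly k octets (modulus length)."""
    ps_len = k - 3 - len(data)
    if ps_len < MIN_PS:
        raise ValueError("data too long for this modulus")
    if bt == 0x02:    # DEK: pseudorandom non-zero octets, fresh per recipient
        ps = bytes(secrets.randbelow(255) + 1 for _ in range(ps_len))
    elif bt == 0x01:  # MIC: every padding octet is 0xFF
        ps = b"\xff" * ps_len
    else:
        raise ValueError("unsupported block type")
    return b"\x00" + bytes([bt]) + ps + b"\x00" + data

def parse_block(eb: bytes, k: int, bt: int) -> bytes:
    """Check the layout strictly and return D; raise ValueError otherwise."""
    if len(eb) != k or eb[0] != 0x00 or eb[1] != bt:
        raise ValueError("bad length, leading octet or block type")
    sep = eb.index(0x00, 2)  # first zero octet after BT ends PS
    ps = eb[2:sep]
    if len(ps) < MIN_PS or (bt == 0x01 and ps != b"\xff" * len(ps)):
        raise ValueError("bad padding string")
    return eb[sep + 1:]

def mic_data(digest: bytes) -> bytes:
    """DER-encode SEQUENCE { digestAlgorithm, digest } for an MD5 digest."""
    if len(digest) != 16:
        raise ValueError("MD5 digest must be 16 octets")
    return MD5_PREFIX + digest

def to_integer(eb: bytes) -> int:
    """First octet is the most significant, last the least significant."""
    return int.from_bytes(eb, "big")

if __name__ == "__main__":
    k = 64                                   # constructed: 512-bit modulus
    dek = bytes.fromhex("0123456789abcdef")  # constructed 8-octet DEK
    print(format_block(0x02, dek, k).hex())
    print(format_block(0x01, mic_data(bytes(16)), k).hex())
```

Because the leading octet is 0x00, the integer form of any block is below 256^(k-1) and therefore below the modulus.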

When RSAEncryption is used to encrypt a DEK, the second argument in a "MIC-Info:" header field, an asymmetrically encrypted DEK, is represented using the printable encoding technique defined in Section 4.3.2.4 of RFC 1421 [12].

When RSAEncryption is used to sign a MIC, the third argument in a "MIC-Info:" header field, an asymmetrically signed MIC, is represented using the printable encoding technique defined in Section 4.3.2.4 of RFC 1421.

