[Cryptech Tech] Specifications and test vectors for RSA

Peter Gutmann pgut001 at cs.auckland.ac.nz
Sun Dec 7 03:48:33 UTC 2014


Rob Austein <sra at hactrn.net> writes:

>* Do we want RFC 2437 (PKCS #1 2.0) or RFC 3447 (PKCS #1 2.1)? Some
>  references from other specifications point at one, some point at the other,
>  much of this is just due to relative ages of the specs but it's not
>  immediately obvious that everything tracked.

It doesn't matter, the only thing that gets used in practice is PKCS #1 v1.5,
so take whatever version is easiest to follow (I find both 2437 and 3447, with
their P1363-inspired notation and jargon, marvellous obfuscations of what's
actually going on, RFC 2313 is a much clearer reference).

>* Which encoding algorithms do we need to support for DNSSEC and RPKI? DNSSEC
>  seems fairly clear about PKCS1-v1_5, modulo the leading-zero question above.
>  RPKI doesn't nail this down quite so tightly; as a practical matter I think
>  what's in use is PKCS1-v1_5, but that's not quite the same thing.

PKCS #1 v1.5.  OAEP and PSS (and any other schemes) are pretty much
irrelevant, I've only ever had one use of OAEP in my code and that was for
Windows Vista DRM (and HDCP).  Since it's unlikely that the Cryptech product
will be used for Windows DRM, there's no need to support OAEP.

>Also, Joachim sends a plea for test vectors, which he has not been able to
>find.   Given the part of RSA that he thinks he's doing, this means: please
>supply sample input to the RSA process with padding already done, along with
>the corresponding expected output for a supplied RSA keypair.

If you're using cryptlib as the HAL, you can just run the software
implementation alongside the hardware.  Break in the debugger at whatever point
you like, look at the values, feed in any data you need to...

Peter.
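
Added example, not part of the original message or of cryptlib: one way to produce the kind of vector requested in the thread, that is, an input block with PKCS #1 v1.5 signature padding already applied plus the expected output of the private-key operation. The key (two Mersenne primes, insecure), the choice of SHA-256, and all function names are assumptions made for illustration.

```python
import hashlib

# Constructed test key, NOT secure: two Mersenne primes chosen so the key is
# reproducible without a prime generator. Real keys use random primes.
P = 2**521 - 1
Q = 2**607 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8          # modulus length in bytes

# DER prefix of DigestInfo for SHA-256 (RFC 3447, section 9.2)
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def emsa_pkcs1_v15(message: bytes, k: int = K) -> bytes:
    """Return the k-byte padded block 00 01 FF..FF 00 DigestInfo."""
    t = SHA256_PREFIX + hashlib.sha256(message).digest()
    if k < len(t) + 11:
        raise ValueError("modulus too short for this digest")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rsa_private(m: int) -> int:
    """Plain modular exponentiation m^d mod n."""
    if not 0 <= m < N:
        raise ValueError("input out of range")
    return pow(m, D, N)

def rsa_private_crt(m: int) -> int:
    """Same operation via CRT, as a second implementation to compare against."""
    dp, dq, qinv = D % (P - 1), D % (Q - 1), pow(Q, -1, P)
    s1, s2 = pow(m, dp, P), pow(m, dq, Q)
    return s2 + Q * ((qinv * (s1 - s2)) % P)

def make_vector(message: bytes) -> dict:
    """Build one vector: padded input and expected output, both K bytes."""
    em = emsa_pkcs1_v15(message)
    s = rsa_private(int.from_bytes(em, "big"))
    return {"n": N, "e": E, "d": D, "padded_input": em.hex(),
            "expected_output": s.to_bytes(K, "big").hex()}

if __name__ == "__main__":
    for name, value in make_vector(b"constructed sample message").items():
        print(name, "=", value if isinstance(value, str) else hex(value))
```

The output is written at the full modulus length, so any leading zero bytes are kept, and the plain and CRT paths can be compared against each other before comparing either with the hardware.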

