18

PKCS#1 is one of the most used (de-facto) standard for real-world use of RSA.

That's for good reasons: PKCS#1 is well thought, versatile, understandable, has been relatively stable for over two decades, and remains practically secure in its original form, contrary to some other standardized uses¹ of RSA. The major upgrade to PKCS#1, from v1 to v2, circa 1998, introduced OAEP encryption with stronger security argument, and improved protection against timing and padding oracle attacks of a decryption device. V2.1 introduced PSS signature and multi-prime RSA.

PKCS#1² was updated from v2.1³ to v2.2⁴ in October 2012, and published by February 2013. Changes include:

  • incorporation of erratas (last updated in 2005) to PKCS#1 v2.1 (last updated in 2002);
  • additional hashes of the SHA-2 family, including SHA-512/256, SHA-224, and SHA-512/224;
  • corresponding algorithm identifiers;
  • corresponding test hex constants;
  • availability only in PDF format with permission to copy disabled (but who automatically compares to test hex constants anyway?);
  • updated legalese on the text (which remains worthless if taken literally, as it is of the form "permission to copy is granted if" followed by a condition that is false independently of what the copier does);
  • in the ASN Module:
    • PKCS-1 was changed to PKCS-1v2-2 and pkcs-1(1) was changed to pkcs-1v2-2(2);
    • in the IMPORTS (..) FROM NIST-SHA2 section, modules(0) sha2(1) was changed to hashAlgs(2).

What's the meaning, purposes and consequences of these changes in the ASN Module?

Are there any other technical changes? Is yes, which, and what's their meaning, purposes and consequences?

¹ The ISO/IEC 9796[-1] signature scheme was withdrawn for lack of security under chosen-message attack. The first scheme in ISO/IEC 9796-2 lives with a mild weakness under such condition. That's fixed with scheme 2, which is essentially PSS-R, and scheme 3 which is a variant functionally substitutable to the broken scheme 1.

² Archive page of the website for RSA Laboratories.

³ Copy as published by RSA Security Inc. Public-Key Cryptography Standards.

⁴ Copy as published by EMC Corporation Public-Key Cryptography Standards.

fgrieu
  • 149,326
  • 13
  • 324
  • 622

1 Answers1

11

It's merely an update to align the hashing algorithms. There are in fact no real "consequences" which might have any negative impact as the v2.1 schemes are still supported. The positive impact is the alignment with FIPS 180-4.

To quote the revision history at page 59 of "PKCS #1 v2.2: RSA Cryptography Standard":

Version 2.2 updates the list of allowed hashing algorithms to align them with FIPS 180-4, therefore adding SHA-224, SHA-512/224 and SHA-512/256.

The following substantive changes were made:

— Object identifiers for sha224WithRSAEncryption, sha512-224WithRSAEncryption and sha512-256WithRSAEncryption were added.

This version continues to support the schemes in version 2.1

Community
  • 1
Mike Edward Moras
  • 18,161
  • 12
  • 87
  • 240