Presentation is loading. Please wait.

Presentation is loading. Please wait.

Some New RSA Mechanisms for PKCS #11 Burt Kaliski, RSA Laboratories PKCS Workshop April 14, 2003.

Published byOsbaldo Kinn Modified over 9 years ago

Similar presentations

Presentation on theme: "Some New RSA Mechanisms for PKCS #11 Burt Kaliski, RSA Laboratories PKCS Workshop April 14, 2003."— Presentation transcript:

1 Some New RSA Mechanisms for PKCS #11 Burt Kaliski, RSA Laboratories PKCS Workshop April 14, 2003

2 Outline New mechanisms: –RSA-PSS –RSA-KEM –RSA-KEGVER Algorithm strategy Next steps

3 RSA-PSS Probabilistic Signature Scheme by Mihir Bellare, Phillip Rogaway –Adapted for standardization Security related to RSA problem in random oracle model –Higher assurance for the long term Supported in PKCS #1 v2.1, IEEE P1363a Recommended by NESSIE

4 RSA-PSS & PKCS #11 RSA Laboratories encourages transition to RSA-PSS from PKCS #1 v1.5 –Convenient as SHA-256+ deployed PKCS #11 already supports RSA-PSS, but not yet with SHA-256+ Recommendation: –Add RSA-PSS/SHA-256+ in v2.20 –Discourage PKCS #1 v1.5/SHA-256+

5 RSA-KEM Key Encapsulation Mechanism from Victor Shoup, et al. Security related to RSA problem in r.o. model Supported in draft ANS X9.44; proposed to TLS, S/MIME working groups Recommended by NESSIE

6 RSA-KEM Operations Generate key & corresponding ciphertext using public key (n,e) –R = random[0,n-1] –C = R e mod n –K = KDF(R) Regenerate key from ciphertext using private key (n,d) –R = C d mod n –K = KDF(R)

7 RSA-KEM for Key Wrapping Wrap keying material KM using (n,e): –(C, KEK) = Generate ((n,e)) –C’ = Wrap (KEK, KM) Send (C,C’) Unwrap using (n,d): –KEK = Regenerate ((n,d), C) –KM = Unwrap (KEK, C’)

8 RSA-KEM & PKCS #11 RSA Laboratories encourages transition to RSA-KEM from PKCS #1 v1.5 –Convenient as AES deployed PKCS #11 doesn’t support RSA-KEM Recommendation: –Add RSA-KEM as PKCS #1 / TLS / S/MIME etc. updated

9 RSA-KEGVER Key generation with verifiable randomness by Ari Juels, Jorge Guajardo Key pairs generated with evidence of randomness –Publicly verifiable assurance that keys derived using a specified key generator –Prevents “trapdoors” (e.g., Crépeau-Slakmon), “weak” primes Research prototype stage

10 RSA-KEGVER & PKCS #11 RSA Laboratories encourages consideration for high-assurance tokens PKCS #11 supports RSA key generation, but not “evidence” Recommendation: –Add “evidence” field –Add RSA-KEGVER (or other methods) as research matures into products, standards

11 Summary of Recommendations RSA-PSS: Add SHA-256+ versions to PKCS #11 v2.20 RSA-KEM: Add as PKCS #1 etc. updated RSA-KEGVER: Add “evidence” field, add methods as research matures

12 Algorithm Strategy The bigger picture PKCS #11 supports a lot of algorithms already, and there are many more in other standards –IETF, NIST “schemes”, NESSIE, … How to decide which ones to add? ANS X9.44 strategy: Reflect & guide

13 Reflect & Guide Reflect: Support methods employed in industry, profiled for better security Guide: Add methods with better security, adapted to integrate with industry practice Examples in draft ANS X9.44: –Reflect: Existing TLS handshake –Guide: Revised handshake using RSA-KEM

14 Next Steps Choose new mechanisms –which ones? Draft text for PKCS #11 Consider the algorithm strategy Add other mechanisms to implement strategy

15 Contact Information Burt Kaliski RSA Laboratories bkaliski@rsasecurity.com +1 781 515 7073

Download ppt "Some New RSA Mechanisms for PKCS #11 Burt Kaliski, RSA Laboratories PKCS Workshop April 14, 2003."

Similar presentations

Hash Function Firewalls in Signature Schemes Burt Kaliski, RSA Laboratories IEEE P1363 Working Group Meeting June 2, 2000 (Rev. June 8, 2000)

Hash Function Firewalls in Signature Schemes Burt Kaliski, RSA Laboratories IEEE P1363 Working Group Meeting June 2, 2000 (Rev. June 8, 2000)
RCDA: Recoverable Concealed Data Aggregation for Data Integrity in Wireless Sensor Networks Chien-Ming Chen, Yue-Hsun Lin, Ya-Ching Lin, Hung-Ming Sun.

RCDA: Recoverable Concealed Data Aggregation for Data Integrity in Wireless Sensor Networks Chien-Ming Chen, Yue-Hsun Lin, Ya-Ching Lin, Hung-Ming Sun.
Cryptography and Network Security

Cryptography and Network Security
Cryptographic Security Presented by: Josh Baker October 9 th, 2012 1CS5204 – Operating Systems.

Cryptographic Security Presented by: Josh Baker October 9 th, CS5204 – Operating Systems.
Apr 2, 2002Mårten Trolin1 Previous lecture On the assignment Certificates and key management –Obtaining a certificate –Verifying a certificate –Certificate.

Apr 2, 2002Mårten Trolin1 Previous lecture On the assignment Certificates and key management –Obtaining a certificate –Verifying a certificate –Certificate.
CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz.
Dr Alejandra Flores-Mosri Message Authentication Internet Management & Security 06 Learning outcomes At the end of this session, you should be able to:

Dr Alejandra Flores-Mosri Message Authentication Internet Management & Security 06 Learning outcomes At the end of this session, you should be able to:
The RSA Cryptosystem Dan Boneh Stanford University.

The RSA Cryptosystem Dan Boneh Stanford University.
Cryptography and Network Security (CS435) Part Ten (Hash and MAC algorithms)

Cryptography and Network Security (CS435) Part Ten (Hash and MAC algorithms)
A Designer’s Guide to KEMs Alex Dent

A Designer’s Guide to KEMs Alex Dent
Digital Signature Algorithm (DSA) Kenan Gençol presented in the course BIL617 Cryptology instructed by Asst.Prof.Dr. Nuray AT Department of Computer Engineering,

Digital Signature Algorithm (DSA) Kenan Gençol presented in the course BIL617 Cryptology instructed by Asst.Prof.Dr. Nuray AT Department of Computer Engineering,
Secure Hashing and DSS Sultan Almuhammadi ICS 454 Principles of Cryptography.

Secure Hashing and DSS Sultan Almuhammadi ICS 454 Principles of Cryptography.
Cryptography and Network Security Chapter 12 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Chapter 12 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.
Cryptography1 CPSC 3730 Cryptography Chapter 13 Digital Signature Standard (DSS)

Cryptography1 CPSC 3730 Cryptography Chapter 13 Digital Signature Standard (DSS)
1 Hidden Exponent RSA and Efficient Key Distribution author: He Ge Cryptology ePrint Archive 2005/325 PDFPDF 報告人:陳昱升.

1 Hidden Exponent RSA and Efficient Key Distribution author: He Ge Cryptology ePrint Archive 2005/325 PDFPDF 報告人:陳昱升.
Chapter 3 Encryption Algorithms & Systems (Part C)

Chapter 3 Encryption Algorithms & Systems (Part C)
Fall 2010/Lecture 311 CS 426 (Fall 2010) Public Key Encryption and Digital Signatures.

Fall 2010/Lecture 311 CS 426 (Fall 2010) Public Key Encryption and Digital Signatures.
S/MIME v3.2 draft-ietf-smime-3850bis-00.txt draft-ietf-smime-3851bis-00.txt Sean Turner Blake Ramsdell.

S/MIME v3.2 draft-ietf-smime-3850bis-00.txt draft-ietf-smime-3851bis-00.txt Sean Turner Blake Ramsdell.
1 Introduction to Information Security 0368-3065, Spring 2015 Lecture 7: Applied cryptography: asymmetric Eran Tromer Slides credit: John Mitchell, Stanford.

1 Introduction to Information Security , Spring 2015 Lecture 7: Applied cryptography: asymmetric Eran Tromer Slides credit: John Mitchell, Stanford.
Doc.: IEEE 802.11-12/0946r3 Submission August 2012 A proposal for next generation security in 802.11 built on changes in 802.11ac 23 August 2012 Slide.

Doc.: IEEE /0946r3 Submission August 2012 A proposal for next generation security in built on changes in ac 23 August 2012 Slide.

Similar presentations

Ads by Google