How to use Bouncy Castle OAEPEncoding for RSA (lightweight API)

I played with Bouncy Castle RSA (lightweight API) and got the basics working. Looking at their spec for the JCE provider implementation, I noticed that various padding schemes can be used with RSA. From what I understand, the default is no padding. So I started reading up on OAEP padding, especially OAEPWithSHA512AndMGF1Padding. A Google search didn't help much, so I started digging through the BC source code and found the org.bouncycastle.jce.provider.JCERSACipher class. But looking at initFromSpec, my head quickly started to spin... In particular, I don't understand what the last two parameters passed to the OAEPEncoding constructor are. According to the BC API docs for OAEPEncoding, the four-parameter constructor takes Digest mgf1Hash and byte[] encodingParams as its last two arguments. This threw me, because I have no idea how to get hold of an instance of the mask generation algorithm, and I don't understand the purpose of the byte array called encodingParams. What should the values of arg3 and arg4 be in the code below?

    import org.bouncycastle.crypto.AsymmetricBlockCipher;
    import org.bouncycastle.crypto.Digest;
    import org.bouncycastle.crypto.digests.SHA512Digest;
    import org.bouncycastle.crypto.encodings.OAEPEncoding;
    import org.bouncycastle.crypto.engines.RSABlindedEngine;

    RSABlindedEngine rsa = new RSABlindedEngine();
    SHA512Digest sha512 = new SHA512Digest();
    Digest arg3 = ???;   // mgf1Hash: what goes here?
    byte[] arg4 = ???;   // encodingParams: what goes here?
    AsymmetricBlockCipher cipher = new OAEPEncoding(rsa, sha512, arg3, arg4);
1 answer

OAEP is defined in PKCS#1, section 7.1.

OAEP requires the following parameters:

  • a hash function;
  • a "mask generation function", which can be thought of as a hash function with unlimited output length;
  • a "label" (an arbitrary sequence of bytes).

There is only one defined mask generation function, called MGF1, and it is built on top of a hash function. So your arg3 is the hash function that MGF1 will use. It may be the same hash function as the first one (I'm not sure whether it can be the same Digest instance in the Bouncy Castle API; I am speaking mathematically here). It could also be a different hash function.

A label can be used as a kind of distinguisher between instances (for example, you can encrypt data with an explicit "target" encoded in the label). This is convenient in some mathematical proofs, but as things stand PKCS#1 recommends using the empty string and leaving it at that. For the purposes described in PKCS#1, an empty label is no worse than any other.

The decryption process must know these parameters in order to work. Usually they are encoded in the structure that accompanies the encrypted message and says "this is encrypted with RSA/OAEP"; that is what happens in CMS.

If in doubt, use the same hash function as the first parameter for MGF1, and use an empty label.

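The following is an added example, not code from the question, the answer or the Bouncy Castle project, showing the four-argument OAEPEncoding constructor wired up with the answer's recommendation (SHA-512 for both the label hash and MGF1, empty label). It uses only lightweight-API classes that exist in Bouncy Castle (RSAKeyPairGenerator, RSABlindedEngine, SHA512Digest, OAEPEncoding); the key size, the sample plaintext and the "other context" label are constructed for the demo. It also shows two things the answer implies but does not spell out: the usable plaintext size per block (for a 2048-bit modulus with SHA-512 that is 256 - 2*64 - 2 = 126 bytes, which getInputBlockSize() reports after init), and that decrypting with a different label fails, because the label's hash is bound into the padding.

```java
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;

import org.bouncycastle.crypto.AsymmetricBlockCipher;
import org.bouncycastle.crypto.AsymmetricCipherKeyPair;
import org.bouncycastle.crypto.InvalidCipherTextException;
import org.bouncycastle.crypto.digests.SHA512Digest;
import org.bouncycastle.crypto.encodings.OAEPEncoding;
import org.bouncycastle.crypto.engines.RSABlindedEngine;
import org.bouncycastle.crypto.generators.RSAKeyPairGenerator;
import org.bouncycastle.crypto.params.RSAKeyGenerationParameters;

public class OaepSha512Demo {

    // RSA-OAEP with SHA-512 as the label hash, SHA-512 inside MGF1 (arg3),
    // and the given label as encodingParams (arg4). A null label is the empty
    // label that PKCS#1 recommends. Two separate Digest instances are used so
    // the label hash and the MGF1 hash never share state.
    static AsymmetricBlockCipher oaep(byte[] label) {
        return new OAEPEncoding(new RSABlindedEngine(),
                                new SHA512Digest(),   // hash for lHash = Hash(label)
                                new SHA512Digest(),   // hash used by MGF1
                                label);               // encodingParams / label
    }

    static byte[] encrypt(AsymmetricCipherKeyPair kp, byte[] label, byte[] msg)
            throws InvalidCipherTextException {
        AsymmetricBlockCipher c = oaep(label);
        c.init(true, kp.getPublic());
        // OAEP can only carry k - 2*hLen - 2 bytes per RSA block; reject anything longer
        // instead of letting the caller discover it through an exception deep inside BC.
        if (msg.length > c.getInputBlockSize()) {
            throw new IllegalArgumentException("message too long for one OAEP block; max is "
                    + c.getInputBlockSize() + " bytes");
        }
        return c.processBlock(msg, 0, msg.length);
    }

    static byte[] decrypt(AsymmetricCipherKeyPair kp, byte[] label, byte[] ct)
            throws InvalidCipherTextException {
        AsymmetricBlockCipher c = oaep(label);
        c.init(false, kp.getPrivate());
        return c.processBlock(ct, 0, ct.length);
    }

    public static void main(String[] args) throws Exception {
        // Constructed demo key: 2048-bit RSA, e = 65537.
        SecureRandom rng = new SecureRandom();
        RSAKeyPairGenerator gen = new RSAKeyPairGenerator();
        gen.init(new RSAKeyGenerationParameters(BigInteger.valueOf(65537), rng, 2048, 80));
        AsymmetricCipherKeyPair kp = gen.generateKeyPair();

        // Constructed sample plaintext; OAEP is meant for short inputs such as session keys.
        byte[] msg = "session key material".getBytes(StandardCharsets.UTF_8);
        byte[] emptyLabel = null;

        AsymmetricBlockCipher probe = oaep(emptyLabel);
        probe.init(true, kp.getPublic());
        System.out.println("max plaintext bytes per block: " + probe.getInputBlockSize());

        byte[] ct = encrypt(kp, emptyLabel, msg);
        byte[] pt = decrypt(kp, emptyLabel, ct);
        System.out.println("round trip ok: " + Arrays.equals(msg, pt));

        // The label is part of what OAEP authenticates: a receiver using a different
        // label gets an InvalidCipherTextException, not wrong plaintext.
        byte[] otherLabel = "other context".getBytes(StandardCharsets.UTF_8);
        try {
            decrypt(kp, otherLabel, ct);
            System.out.println("unexpected: ciphertext accepted under a different label");
        } catch (InvalidCipherTextException e) {
            System.out.println("different label rejected: " + e.getMessage());
        }
    }
}
```

Compile and run with the bcprov jar on the classpath. The hash passed as the second argument only affects the label hash computed in the constructor, while the third argument is used every time a mask is generated during encryption and decryption; passing the same Digest instance for both happens to work in BC because the label hash is finalized in the constructor, but separate instances make the intent clear and cost nothing. Whatever label you choose, the receiver must construct its OAEPEncoding with exactly the same three choices (label hash, MGF1 hash, label), which is why protocols such as CMS carry those parameters next to the ciphertext.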

Source: https://habr.com/ru/post/1313646/

