tags:

views:

28

answers:

1
+1  Q: 

How to properly use Bouncy Castle's OAEPEncoding for RSA (Lightweight API)

I've been playing around with Bouncy Castle's implementation of RSA (Lightweight API) and got the basics figured out. Looking at their spec for JCE provider implementation I noticed that different padding schemes can be used with RSA. From what I understand, by default null padding is used. So I began exploring OAEP padding, particularly OAEPWithSHA512AndMGF1Padding. Searching with Google wasn't very helpful so I began digging through BC's source code and found org.bouncycastle.jce.provider.JCERSACipher class. But looking at initFromSpec quickly gave me a headache... Specifically, I don't understand what the last two parameters that can be passed to the OAEPEncoding constructor are. According to BC's API the OAEPEncoding constructor that allows four parameters accepts Digest mgf1Hash and byte[] encodingParams as the last two arguments. This stumped me because I have no idea how to get a hold of an instance of the mask generation algorithm nor do I understand the purpose behind the byte array referred to as encodingParams. What should be the values of arg3 and arg4 in the code below?

RSABlindedEngine rsa = new RSABlindedEngine();
SHA512Diges sha512 = new SHA512Digest();
Digest arg3 = ???;
byte[] arg4 = ???;
AsymmetricBlockCipher cipher = new OAEPEncoding(rsa, sha512, arg3, arg4);
+1  A: 

OAEP is specified by PKCS#1, section 7.1.

OAEP requires the following parameters:

  • a hash function;
  • a "mask generation function" which can be thought of as a hash function with unlimited output length;
  • a "label" (an arbitrary sequence of bytes).

There is only one defined mask generation function, called MGF1, and that function is built over a hash function. So your arg3 is the hash function which MGF1 will use. It may be the same hash function than the first one (I am not sure it may be the same Digest instance in the Bouncy Castle API; I am talking mathematically here). It may also be another hash function.

The label can be used as a kind of distinguishers between instances (e.g. you could encrypt data with an explicit "purpose" encoded in the label). It is handy in some mathematical proofs, but right now PKCS#1 recommends using an empty string and be done with it. For the purposes described in PKCS#1, an empty label is as good as any.

The decryption process must know those parameters to operate. It is customary to encode them in the structure which comes along with the encrypted message and says "this is encrypted with RSA/OAEP"; that's how it happens in CMS.

When in doubt, use the same hash function as first parameter and for MGF1, and use an empty label.

Thomas Pornin  2010-06-23 13:17:30
Thank you. Clear and concise, as usual. Quick follow up question, do you know if it's a good idea to reuse the same instance of a Digest object? Right now I have three separate instances: two that I pass into the OAEPEncoding encoding constructor and one to RSADigestSigner (for signing).
Andrey  2010-06-23 13:33:53
@yamsha: it depends on the Bouncy Castle implementation. It is plausible that they do things in a natural, sequential order, in which case reusing the same Digest will work properly. It is equally plausible that creating new Digest instances has negligible cost. Just to be safe, I would recommend using distinct instances. But chances are that it has very little impact either way.
Thomas Pornin  2010-06-23 15:23:50

related questions

Java Time Zone is messed up
Eclipse on win64
Automate builds for Java RCP for deployment with JNLP
Why are professors or schools picking Java over C++ to teach to students?
Is there a real benefit of using J#?
Public/Popular Websites using JavaServer Faces
Why can't I use a try block around my super() call?
Accessing post variables using Java Servlets
Personal Linux web server
Is this really widening vs autoboxing?
How can I Java webstart multiple, dependent, native libraries?
Why can't I call toString() on a Java primitive?
How do I use Java to read from a file that is actively being written?
What code analysis tools do you use for your Java projects?
IllegalArgumentException or NullPointerException for a null parameter?
How do I configure and communicate with a serial port?
What is the best way to parse strings in Java
Getting started with a custom JXTA PeerGroup
Creating a custom button in Java
How to get started "writing" a code coverage tool?
Which Build-/Configuration Management Tool?
What is the difference between an int and an Integer in Java/C#?
What is the meaning of the type safety warning in certain Java generics casts?
How would you access Object properties from within an object method?
Converting CSV File to XML in Java