V O L U M E
N U M B E R
S P R I N G
1 9 9 6
R S A
L A B O R A T O R I E S ’
The technical newsletter of RSA Laboratories, a division of RSA Data
the HMAC Construction
and other data to provide evidence of correct re-
covery and to thwart certain attacks.
Masked block — a block that results when the for-
matted block is masked to hide patterns.
Encrypted block — the block that results after the
formatted or masked block has been asymmetrically
For readers interested in some of the security issues
involved in using RSA, an earlier CryptoBytes ar-
ticle entitled The Secure Use of RSA  contains
much useful information.
The Public Key Cryptography Standard #1 was de-
signed by the cryptographers at RSA Data Secu-
rity, Inc. .
PKCS #1 describes a method to
RSA encrypt a secret symmetric key. The format-
ted block is passed directly to the RSA encrypt
process. It uses the following method (with ratio-
1. A leading 0x00 is in the block to be RSA en-
crypted, ensuring the encryption block is less
than the RSA modulus.
2. A block type encoded octet of 0x02 follows the
leading 0x00, indicating the block is to be en-
crypted using a public key.
3. At least eight non-zero pseudorandom padding
octets (bytes) are appended to the right after
the block type octet. The padding octets should
be generated independently for each RSA en-
cryption, especially if the same key is being en-
crypted. This thwarts Hastad’s attack  and
allows use of a low value (e.g., 3) for the public
Don B. Johnson and Stephen M. Matyas
IBM Cryptography Center of Competence, MS P330
522 South Road
When public key cryptography was invented, one
of its uses was identified as the secure transport of
secret symmetric keys. The objectives of such a key
transport mechanism keep evolving as attacks are
identified, hidden assumptions are revealed, proofs
of security are given, and additional capability is
needed. The process continues in this article.
W e trace the evolution of some asymmetric key
transport mechanisms, starting with the method in
PKCS #1 . We then discuss, in historical order,
two masking techniques developed by IBM cryp-
tographers, and the method currently under study
in ANSI draft standard X9.44 RSA Key Transport.
W e then give ideas that may be useful when using
elliptic curve cryptography, where the size of the
block is typically much less than that used with
other algorithms, for example, RSA.
We will use the following terminology:
Formatted block — a block of data passed as input
to the methods. It contains a secret symmetric key
Evolution and Enhancements
(continued on page 3)
Don Johnson, a senior programmer at IBM, is an architect of