RFC Errata


RFC 3447, "Public-Key Cryptography Standards (PKCS) #1: RSA Cryptography Specifications Version 2.1", February 2003

Note: This RFC has been obsoleted by RFC 8017

Source of RFC: IETF - NON WORKING GROUP
Area Assignment: sec

Errata ID: 3716
Status: Rejected
Type: Technical
Publication Format(s) : TEXT

Reported By: Jim Wigginton
Date Reported: 2013-09-02
Rejected by: Kathleen Moriarty
Date Rejected: 2015-03-31

Section 7.1.2 says:

   3. EME-OAEP decoding:

      a. If the label L is not provided, let L be the empty string. Let
         lHash = Hash(L), an octet string of length hLen (see the note
         in Section 7.1.1).

      b. Separate the encoded message EM into a single octet Y, an octet
         string maskedSeed of length hLen, and an octet string maskedDB
         of length k - hLen - 1 as

            EM = Y || maskedSeed || maskedDB.

      c. Let seedMask = MGF(maskedDB, hLen).

It should say:

   3. EME-OAEP decoding:

      a. If the label L is not provided, let L be the empty string. Let
         lHash = Hash(L), an octet string of length hLen (see the note
         in Section 7.1.1).

      b. Separate the encoded message EM into a single octet Y, an octet
         string maskedSeed of length hLen, and an octet string maskedDB
         of length k - hLen - 1 as

            EM = Y || maskedSeed || maskedDB.

      c. Check to see if Y is 00.

Notes:

Per <https://tools.ietf.org/html/rfc3447#page-21> the first byte of EM should be 00 so shouldn't RSAES-OAEP-DECRYPT / EME-OAEP decoding check that?

--VERIFIER NOTES--
Step g includes the check for Y = 0:

   If there is no octet with hexadecimal value 0x01 to separate PS
   from M, if lHash does not equal lHash', or if Y is nonzero,
   output "decryption error" and stop. (See the note below.)
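
The decoding order discussed in this report, as an added example (not text from RFC 3447 or from the errata record): a Python sketch of Section 7.1.2 step 3 in which Y is examined only at step g, folded together with the lHash' and 0x01-separator checks so that every failure produces the same "decryption error". It assumes SHA-1 with MGF1, omits the length checks and RSA operation of steps 1 and 2, and uses hypothetical function names; `eme_oaep_encode` is there only to build constructed input.

```python
import hashlib
import hmac
import os

H = hashlib.sha1            # assumption: SHA-1 and MGF1, the RFC 3447 defaults
H_LEN = H().digest_size

def mgf1(seed: bytes, length: int) -> bytes:
    blocks = (length + H_LEN - 1) // H_LEN
    return b"".join(H(seed + c.to_bytes(4, "big")).digest() for c in range(blocks))[:length]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def eme_oaep_encode(msg: bytes, k: int, label: bytes = b"", seed: bytes = b"") -> bytes:
    """Section 7.1.1 step 2; included only to build constructed input for the decoder."""
    seed = seed or os.urandom(H_LEN)
    ps = b"\x00" * (k - len(msg) - 2 * H_LEN - 2)
    db = H(label).digest() + ps + b"\x01" + msg
    masked_db = xor(db, mgf1(seed, k - H_LEN - 1))
    masked_seed = xor(seed, mgf1(masked_db, H_LEN))
    return b"\x00" + masked_seed + masked_db

def eme_oaep_decode(em: bytes, label: bytes = b"") -> bytes:
    """Section 7.1.2 step 3; every failure raises the same 'decryption error'."""
    l_hash = H(label).digest()                                          # step a
    y, masked_seed, masked_db = em[0], em[1:1 + H_LEN], em[1 + H_LEN:]  # step b
    seed = xor(masked_seed, mgf1(masked_db, H_LEN))                     # steps c, d
    db = xor(masked_db, mgf1(seed, len(masked_db)))                     # steps e, f
    l_hash2, rest = db[:H_LEN], db[H_LEN:]
    # Step g: Y is examined only here, folded in with the other two checks.
    # Pure Python gives no hard timing guarantee; the point is the single exit.
    bad = int(y != 0) | int(not hmac.compare_digest(l_hash, l_hash2))
    found = index = 0
    for i, octet in enumerate(rest):          # scan all of PS || 0x01 || M, no early exit
        hit = int(octet != 0) & (1 - found)   # first nonzero octet after lHash'
        bad |= hit & int(octet != 1)          # it must be the 0x01 separator
        index |= i * hit
        found |= hit
    bad |= 1 - found                          # no separator at all
    if bad:
        raise ValueError("decryption error")
    return rest[index + 1:]

if __name__ == "__main__":
    em = eme_oaep_encode(b"constructed sample", 128)
    print(eme_oaep_decode(em))
```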
