RSA AlgorithmIdentifier of X.509 Certificate

By far, RSA is a most wide used cryptography algorithm. Both ITU-T X.509 and IETF PKIX WG define the RSA algorithm identifier, however, they are not identical.

ITU-T X.509[1] defines the algorithm as:

rsa ALGORITHM ::= {
    KeySize
    IDENTIFIED BY  id-ea-rsa
}

KeySize ::= INTEGER

id-ea-rsa OBJECT IDENTIFIER ::= {joint-iso-itu-t(2) ds(5)
algorithm(8) encryptionAlgorithm(1) rsa(1)}

While IETF PKIX WG[2] defines the algorithm as:
rsaPublicKey ALGORITHM-ID ::= { OID rsaEncryption PARMS NULL }

rsaEncryption OBJECT IDENTIFIER ::= {iso(1) member-body(2)
us(840) rsadsi(113549) pkcs(1) pkcs-1(1) rsaEncryption(1)}
 
  

There two differences:
1. different OID.
    ITU-T defines it as "2.5.8.1.1", while PKIX WG defines it as "1.2.840.113549.1.1.1"

2. different algorithm parameters
    ITU-T defines a parameter for RSA, "KeySize", while PKIX WG defines it as null.

Indeed, the RSA encryption algorithm PKIX WG used is defined by PKCS#1 [3][4], it is the industry standard definition. Most of the world use PKCS#1 OID, but not the one of ITU-T. Because of the above differences, there is a risk of interoperability problems between ITU-T X.509 compliant implementations and PKIX compliant implementations.

Before JDK 7, Sun certificate implementation cannot recognize the ITU-T X.509 OID, "2.5.8.1.1", throws a java.security.InvalidKeyException instead. It would be get fixed at OpenJDK 7 M4. If you happened to have such similar interoperability problem, I'd appreciate it if you comment it here or mail me your problems.

Linkage to the blog entry at simsbc.blogspot.com

[1] http://www.itu.int/ITU-T/asn1/database/itu-t/x/x509/2008/AlgorithmObjectIdentifiers.html#AlgorithmObjectIdentifiers.rsa
[2] http://www.ietf.org/rfc/rfc2459.txt
[3] http://www.rsa.com/rsalabs/node.asp?id=2125
[4] http://www.ietf.org/rfc/rfc2459.txt

Comments:

n

Posted by guest on June 09, 2010 at 12:33 PM GMT+08:00 #

please save the world by using it or learn me..............................

Posted by pawan on July 03, 2010 at 10:30 AM GMT+08:00 #

Post a Comment:
  • HTML Syntax: NOT allowed
About

A blog on security and networking

Search

Categories
Archives
« April 2014
SunMonTueWedThuFriSat
  
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
   
       
Today