RSASSA-PSS Signature Algorithm
System Firmware supports various signature algorithms for services that involve certificates. One of the supported algorithms is RSAPSS.
Introduction
RSASSA-PSS is a signature algorithm that uses a secure padding scheme for creating digital signatures with the RSA algorithm. PSS is meant to replace RSASSA-PKCS1-v1_5.
- Unlike RSASSA-PKCS1-v1_5, the RSASSA-PSS signature algorithm is probabilistic in nature. Since PSS uses a random salt every time, the same message and key will not produce an identical signature value every time.
- The RSASSA-PSS scheme, unlike RSASSA-PKCS1-v1_5, is not complete by itself. A PSS signature has separate parameters which need to be provided at the time of signature verification. The message digest is not recoverable from the signature, which again is unlike the RSASSA-PKCS1-v1_5 algorithm.
- PSS has a security proof. It is more robust than its predecessor, RSASSA-PKCS1-v1_5.
RSASSA-PSS parameters
- Hash algorithm: Algorithm used for message hashing. The minimum recommended hashing algorithm is SHA-256.
- Mask Generation Function (MGF): Function used during the operations. Currently there is just one MGF, namely MGF1.
- Mask Generation Function Hash: Another hashing algorithm, used by the Mask Generation Function. This can be different from the message hashing algorithm.
- Salt Length: Length of the random salt used during the operations.
- Trailer Field: This is used in the encoding operation. The default is the byte 0xbc.
System Firmware Support
System firmware supports RSASSA-PSS signatures generated using both types of keys described above:
- PKCS#1 - regular RSA key.
- PKCS#8 - RSA key along with additional information related to the signature algorithm.
The message hashing algorithm comes from the X.509 certificate, specifically from the signature algorithm information structure in the certificate.
The MGF is also obtained from the X.509 certificate. Since the standard currently supports just one MGF, i.e. MGF1, system firmware ensures that the MGF value matches MGF1.
Currently, system firmware expects the MGF hash algorithm to be the same as the message hashing algorithm.
The salt length is also extracted from the X.509 certificate. If this field is not present in the certificate (since it is optional), system firmware uses a salt length of 20.
System firmware currently supports just the default trailer field value i.e. 0xbc.
The key length is determined from the RSA public key in the X.509 certificate.