RSA signature and encryption schemes: RSA-PSS and RSA-OAEP

<aside> 📘 TL;DR; 基于 RSA 的签名与加密算法实现

算法	PKCS-v15	PSS	OAEP
可用于签名 SSA	✅	✅	❌
可用于加密 ES	✅	❌	✅
确定性	✅	❌	❌
self contained	✅	❌	❌

虽然 PKCS 更久经考验。但是目前新项目更多推荐使用 PSS 和 OAEP。

注：确定性指的是，每次给予相同的输入，都会产生相同的输出。

注：self contained 是指，产生的结果中已包含了解密/验签所需的全部信息。

</aside>

There are two RSA signature schemes specified in [PKCS1]: RSASSA-PKCS1-v1_5 and RSASSA-PSS (RSASSA = RSA Signature Scheme with Appendix). RSASSA-PSS is a probabilistic signature scheme (PSS) with appendix. A signature scheme with appendix requires the message itself to verify the signature (i.e. the message is not recoverable from the signature).

There are also two RSA encryption schemes: RSAES-PKCS-v1_5 and RSAES-OAEP (Optimal Asymmetric Encryption Padding). Both use random seeds (and so produce a different ciphertext value each time), but RSA-OAEP is more robust and is the recommended alternative.

How much safer is RSA-OAEP compared to RSA with PKCS#1 v1.5 padding?

The PKCS-V1_5 schemes are "self contained": the signature values and ciphertext values contain all the information needed to verify or decipher. In contrast, both the RSA-PSS and RSA-OAEP schemes require parameters which need to be provided separately. Both require a hash function to be specified and both use a mask generation function (MGF). There is currently only one MGF specified, called MGF1. This in turn uses a hash function (the "MGF hash function") which may be different from the scheme hash function. More details below.

Incidentally, the terms "function" and "algorithm" are used interchangeably here. The term "algorithm" was used in the early PKCS#1 specifications (and is reflected in the ASN.1 type names), and "function" is used in the more recent ones.

Differences between signature schemes RSASSA-PKCS-v1_5 and RSASSA-PSS

The signature schemes RSASSA-PKCS-v1_5 ("PKCSV1_5") and RSASSA-PSS ("PSS") have differences.

PKCSV1_5 is deterministic. The same message and key will produce an identical signature value each time. PSS is randomized and will produce a different signature value each time (unless you use a zero-length salt).
A PKCSV1_5 signature is complete in itself. Once decrypted using the private key, you can detect the hash function used to create it and extract the message digest value. A PSS signature has separate parameters (see below) which need to be known prior to verifying a signature. These are included in X.509 certificates and CMS signed-data objects, but need to be communicated separately for an isolated signature value.
You can extract the message digest value from a PKCSV1_5 signature. You cannot extract it from a PSS signature; you can only verify against a known digest value.
PSS has a security proof and is more robust in theory than PKCSV1_5. Nevertheless PKCSV1_5 has no known security weaknesses at this time.
PSS had patent issues until recently (the last one expired in 2010) and is less widely adopted. PKCSV1_5 has been widely used since the 1990s.

RSASSA-PSS parameters

hash algorithm/function. The default is SHA-1 [minimum recommended SHA-256].
mask generation function (MGF). Currently always MGF1.
salt length. The default value is 20 but the convention is to use hLen, the length of the output of the hash function in bytes. A salt length of zero is permitted and will result in a deterministic signature value. The actual salt length used can be determined from the signature value.
trailer field, used in the encoding operation. The default trailer field is the byte 0xbc. This is the only option available in this Toolkit.