RSAES-OAEP
An RSA key-transport algorithm with probabilistic padding, a safe alternative to PKCS#1 v1.5.
Definition
RSAES-OAEP encrypts the CEK under the recipient's RSA public key with randomized padding (OAEP), making it resistant to Bleichenbacher-style attacks that target the older RSAES-PKCS1-v1_5 padding. In CMS it requires the use of KeyTransRecipientInfo and is identified by the id-RSAES-OAEP OID.
Origin
Its use in CMS is defined by RFC 3560 (IETF S/MIME WG); the scheme itself is specified in PKCS #1 v2.2, published as RFC 8017 by the IETF.
Example in context
keyEncryptionAlgorithm = id-RSAES-OAEP (1.2.840.113549.1.1.7); encryptedKey = RSAES-OAEP-Encrypt(pubKey, CEK).
Related terms
- Content-Encryption Key — the key RSAES-OAEP wraps.
- X.509 — the certificate carrying the recipient's RSA public key.