What is the PKCS#1 v1.5 padding schema used in OpenSSL "rsautl" command?

PKCS#1 v1.5 padding schema is a padding standard specified in RFC2313 "PKCS #1: RSA Encryption, Version 1.5" proposed by RSA Laboratories in 1998.

PKCS#1 v1.5 padding schema is designed to pad input data to a full encryption block of the same size as the RSA key. The main purpose of PKCS#1 v1.5 padding schema is to improve security level of the RSA algorithm.

PKCS#1 v1.5 padding schema can be summarized as below:

Symbols and abbreviations:
   D    Data (input data to be encrypted)
  BT    Block Type: 0x01 or 0x02
  EB    Encryption Block
   k    Size (in bytes) of the RSA key
  PS    Padding String of non-0x00 bytes
  ||    Binary concatenation operation
  
PKCS#1 v1.5 padding schema:
  EB = 0x00 || BT || PS || 0x00 || D

Requirements of PKCS#1 v1.5 padding schema:

• The first 0x00 byte of the padding is needed to ensure the integer value of the result EB (Encryption Block) is smaller than the modulus of the RSA key.
• The last 0x00 byte of the padding is used as a delimiter to separate the padding from the actual data to be encrypted.
• BT will be 0x02, if encryption uses the RSA public key.
• BT will be 0x01, if encryption uses the RSA private key.
• Size of EB must be equal to k, the size of the RSA key. In other words: sizeOf(PS) = k - 3 - sizeOf(D).
• If BT is 0x02, sizeOf(PS) >= 8 for security purpose.
• If BT is 0x02, PS must be generated randomly per encryption for security purpose.

For example, if you want to use 1024-bit (128-byte) RSA public key to encrypt some input data with PKCS#1 v1.5 padding, a minimum of 11 bytes will be padded in front of the data. So the maximum size of input data is 128 - 11 = 117 bytes.

For more information on PKCS#1 v1.5 padding schema, read RFC2313.

⇒ OpenSSL "rsautl -pkcs" - PKCS#1 v1.5 Padding Option

⇐ OpenSSL "rsautl" - Decrypt Large File with RSA Key

⇑ OpenSSL "rsautl" Command for RSA Keys

⇑⇑ OpenSSL Tutorials