Eliminate blind spots in your SSL/TLS encrypted traffic.

Click Here

    Overview of RSASSA-PSS

    5 Jan 2022

    Overview of RSASSA-PSS

    Read time: 10 minutes

    Rivest Shamir Adleman (RSA) is an asymmetric algorithm which can be used for encrypting and signing data. The encryption and signing processes are performed through a series of modular multiplications. The security of the RSA algorithm can be increased by using longer key lengths, such as 1,024 bits or more—the longer the key length, however, the slower the encryption or signing process. It is one of the most popular and secure public-key encryption method. There are two different RSA signature schemes specified in the PKCS1
    • RSASSA-PKCS1-v1_5: old Signature Scheme with Appendix as first standardized in version 1.5 of PKCS #1.
    • RSASSA-PSS (RSASSA = RSA Signature Scheme with Appendix): based on Probabilistic Signature Scheme (PSS) originally invented by Bellare and Rogaway.

    Difference between RSASSA-PKCS1-v1_5 and RSASSA-PSS:

    PKCSV1_5 is deterministic It is randomized thereby producing a different value of signature each time
    Message digest value can be extracted from a PKCSV1_5 signature It cannot be extracted from a PSS signature but can only be verified against a known message digest value
    Less secure and robust PSS has a security proof and is more robust than PKCSV1_5
    It’s an old scheme It’s an old scheme It’s a new scheme
    It is recommended for compatibility with existing signature application It is recommended for compatibility with existing signature application It is recommended for eventual adoption in new signature applications as it does not contain certain critic points of the older standard

    Attacks on old signature schemes

    1. The Bleichenbacher attack

      In 1998, Daniel Bleichenbacher found out that the messages returned by SSL servers for errors in Public-Key Cryptography Standards (PKCS) #1 version 1.5 padding enabled an adaptive-chosen ciphertext attack, in which an attacker sends a series of ciphertexts to be decrypted, and then uses the results of these decryptions to select subsequent ciphertexts. This allowed an attacker to perform RSA decryption and signing operations using the private key of a TLS server, completely breaking the confidentiality of TLS when used with RSA encryption.

    2. Fault-based attack

      In 1996, Dan Boneh and others presented an attack on RSA doing faulty calculations. By injecting random faults into the calculations of RSA, they were able to regenerate the private key from the knowledge of the faulty signatures. RSA implementations using the Chinese remainder theorem to speed up calculations are especially vulnerable – a single erroneous signature allows the regeneration of the private key.

      Protection against fault-based attacks like this is especially important in embedded devices like chip cards that are built not to expose the private key, but to provide cryptographic operations like signatures in an environment potentially under control of an attacker. But in further studies, it has been established that PSS is not vulnerable against these fault-based attacks.


    RSASSA-PSS is an improved probabilistic signature scheme with appendix. This means that a private RSA key can be used to sign the data in combination with random input. The other side of the communication can then verify the signature using the corresponding public RSA key. This signature scheme uses random data, so two signatures with the same input are different and both can be used to validate the original data.

    RSASSA-PSS Parameters

    1. Hash Algorithm/Function

      Hash functions are used in encryption schemes, signature schemes with appendix and various encoding methods. Hash functions are deterministic, meaning that the output is completely determined by the input. Hash functions take input strings of variable length and generate fixed length output strings.

    2. Mask Generation functions

      A mask generation function takes an octet string of variable length and a desired output length as input, and outputs an octet string of the desired length. Mask generation functions (MGF) are deterministic in nature. The output of a mask generation function should be pseudorandom, that is, if the seed to the function is unknown, it should be infeasible to distinguish the output from a truly random string.

      The provable security of RSAES-OAEP and RSASSA-PSS rely on the random nature of the output of the mask generation function, which in turn relies on the random nature of the underlying hash.

    3. Salt length

      It is the salt value associated with the signature operation. The field is intended to facilitate single-pass processing. If the field is omitted, the salt value shall be obtained from the signature. The salt value enhances the security of the scheme by affording a “tighter” security proof than deterministic alternatives such as Full Domain Hashing (FDH)

    4. Trailer field

      It is used in the encoding operation and is an integer. The value MUST be 1, which represents the trailer field with hexadecimal value 0xBC.

    Default Parameters


    Default value is SHA1, however SHA-256 is recommended


    MGF1 needs to be used. mgf1SHA1 (the function MGF1 with SHA-1)


    The default value is 20 but the convention is to use hLen, the length of the output of the hash function in bytes.


    trailerFieldBC (the byte 0xbc)

    It is recommended that the MGF hash function be similar to that of scheme hash algorithm/function, and that the salt length be hLen which is the length of the output of the hash function.


    RSASSA-PSS is an improved signature scheme which contains an attachment. It uses an RSA private key to sign the data and thereafter, the recipient can verify this signature using the public RSA key. It has various parameters and is more secure and robust as compared to others.

    Want to learn from HSM Experts

    We train some of the biggest names in the industry through virtual & Live Classes

    Get a Free Quote for your HSM training

    Free Downloads for Encryption consulting Advisory