Dear Wolfgang --
Thanks for your attention to detail.
1. The 16 octets md2-output are ASN.1-encoded as OCTET STRING. The resulting
18 octets are subject to the RSAEncryption process for MIC encryption,
described in para. 4.2.1.
2. The RSAEncryption process of 4.2.1 requires to produce the ASN.1 code of
SEQUENCE {
digestAlgorithm AlgorithmIdentifier,
digest OCTET STRING
}
In para. 4.2.1 the octets of digest are referred to as MIC. This means
obviously that the 18 octets resulting from 1. are again ASN.1-encoded
as OCTET STRING as part of the SEQUENCE.
Is that correct? It sounds a bit odd to me.
ASN.1 encoding as an OCTET STRING is done only once. The 18 octets
resulting from 1. are the same as the encoding of the digest field in
2. There is no re-encoding. This is how RSA Data Security's Public
Key Cryptography Standards (PKCS) #1 does it, and RFC 1423 is based on
PKCS #1.
The reason for the discussion of X.509 ambiguity is that ``purists''
may argue that the ASN.1 encoding of the OCTET STRING must be input to
an asymmetric algorithm, and the result must be a BIT STRING. PKCS #1
and RFC 1423 are consistent with this definition, if one defines the
asymmetric algorithm to prepend the OCTET STRING encoding with the
other DigestInfo fields and further padding before raising to a power.
-- Burt Kaliski
RSA Laboratories