PKI Certificate Tutorials - Herong's Tutorial Examples - v1.12, by Herong Yang
What Is BER (Basic Encoding Rules)
This section introduces the BER (Basic Encoding Rules) defined in the ASN.1 standard. It uses the TLV (Tag-Length-Value) format to encode a value of a given data type.
What Is BER (Basic Encoding Rules)? BER is a set of encoding/decoding rules provided in the ASN.1 standard (ITU-T X.690) that allows you to serialize instance values of ASN.1 data types into byte sequences, so that they can be transmitted to other systems or saved to files.
BER uses the TLV (Tag-Length-Value) format to encode a value of a given data type. Each section in TLV format is described below:
Tag Encoding Section - The Tag section encodes 3 pieces of information about the data type: its Class, its Complexity (whether the value is primitive or constructed) and its Tag number.
Here are the main BER encoding rules for the Tag section:
1. The first 2 bits of the first byte are used to encode the data type class:

00...... - For UNIVERSAL
01...... - For APPLICATION
10...... - For CONTEXT-SPECIFIC
11...... - For PRIVATE

2. The third bit of the first byte is used to encode the data type complexity:

..0..... - For PRIMITIVE
..1..... - For CONSTRUCTED

3. If the data type tag is <= 30, it is encoded in the remaining 5 bits of the first byte. For example:

...00001 - For BOOLEAN (1)
...00010 - For INTEGER (2)
...00110 - For OBJECT IDENTIFIER (6)
...01100 - For UTF8String (12)
...10000 - For SEQUENCE (16)

4. If the data type tag is >= 31 and <= 127, the remaining 5 bits of the first byte are all set to 1 (11111 is reserved as the escape value, which is why tag 31 itself already needs this form), and the tag is encoded in the last 7 bits of a second byte whose first bit is set to 0. For example:

...11111 00100010 - For DURATION (34)

5. If the data type tag is >= 128, more bytes are added. The tag number is split into 7-bit groups, most significant group first, one group per byte. The first bit of each additional byte is set to 1, except the last byte, which has 0 in its first bit to end the Tag section of the encoding. For example:

...11111 1....... 0....... - 14 bits to encode the type tag
For commonly used types in the UNIVERSAL class, only one byte is needed for the Tag section, as shown below. Note that SEQUENCE and SET are always CONSTRUCTED, so their third bit is set and tag 16 appears on the wire as 0x30, not 0x10:

Tag Byte         Type Tag  Type Name
---------------  --------  -----------------
00000001 (0x01)   1        BOOLEAN
00000010 (0x02)   2        INTEGER
00000011 (0x03)   3        BIT STRING
00000100 (0x04)   4        OCTET STRING
00000101 (0x05)   5        NULL
00000110 (0x06)   6        OBJECT IDENTIFIER
00001001 (0x09)   9        REAL
00001010 (0x0a)  10        ENUMERATED
00001100 (0x0c)  12        UTF8String
00001110 (0x0e)  14        TIME
00110000 (0x30)  16        SEQUENCE
00110001 (0x31)  17        SET
00010011 (0x13)  19        PrintableString
00010110 (0x16)  22        IA5String
Length Encoding Section - The Length section uses one or more bytes to encode the number of bytes in the Value encoding section.
Here are the main BER encoding rules for the Length section:
1. If the length <= 127, it can be encoded in the short form or the long form (DER, being a subset of BER, allows only the short form here).

2. If the length >= 128, it must be encoded in the long form.

In the short form, the length is encoded in the last 7 bits of the first byte. The first bit of the first byte is set to 0. For example:

00100010 - For a length of 34 bytes in the Value encoding section.

In the long form, the length is encoded as a big-endian unsigned integer in additional bytes. The number of additional bytes is encoded in the last 7 bits of the first byte, and the first bit of the first byte is set to 1. For example:

10000010 ........ ........ - 16 bits to encode the value length

Two first-byte values are special. 10000000 (0x80) is not "long form with zero length bytes" but the indefinite form, allowed only for CONSTRUCTED values: no length is given, and the Value section is instead terminated by two 00 bytes (the end-of-contents marker). 11111111 (0xFF) is reserved and must not be used. A decoder should treat both cases explicitly rather than fall through to the long-form arithmetic, and it should always check that a decoded length does not run past the end of the data it actually holds.
Value Encoding Section - The Value section uses zero or more bytes to encode the data value.
Rules to encode values differ from one data type to another (for example, INTEGER is a big-endian two's complement number, while a SEQUENCE value is just the concatenated TLV encodings of its members). The next tutorials give examples.
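As an added example that is not part of the original tutorial, the following Python code implements the Tag, Length and Value rules described above as a small BER decoder, together with the matching tag and length encoder. It handles the multi-byte tag form for tags >= 31, the short, long and indefinite length forms, and the bounds checks a decoder needs so that a declared length cannot run past the data it was given. The dictionaries of type names and the sample byte strings are constructed for this example; UTF8String is decoded under its UNIVERSAL tag 12 (0x0C).

```python
# Added example (not from the original tutorial): a minimal BER TLV decoder and
# tag/length encoder. Sample inputs are constructed for this example.

CLASS_NAMES = {0: "UNIVERSAL", 1: "APPLICATION", 2: "CONTEXT-SPECIFIC", 3: "PRIVATE"}
UNIVERSAL_NAMES = {
    1: "BOOLEAN", 2: "INTEGER", 3: "BIT STRING", 4: "OCTET STRING", 5: "NULL",
    6: "OBJECT IDENTIFIER", 9: "REAL", 10: "ENUMERATED", 12: "UTF8String", 14: "TIME",
    16: "SEQUENCE", 17: "SET", 19: "PrintableString", 22: "IA5String", 34: "DURATION"}

def decode_tag(data, pos):
    """Decode the Tag section at pos -> (class, constructed, tag_number, new_pos)."""
    first = data[pos]
    cls = first >> 6                  # first 2 bits: class
    constructed = bool(first & 0x20)  # third bit: complexity
    num = first & 0x1F                # last 5 bits: tag, 11111 = more bytes follow
    pos += 1
    if num == 0x1F:
        num = 0
        while True:                   # 7-bit groups, first bit 1 = another byte follows
            b, pos = data[pos], pos + 1
            num = (num << 7) | (b & 0x7F)
            if not b & 0x80:
                break
    return cls, constructed, num, pos

def decode_length(data, pos):
    """Decode the Length section at pos -> (length, new_pos); None means indefinite form."""
    first, pos = data[pos], pos + 1
    if first < 0x80:                  # short form: first bit 0, length in the last 7 bits
        return first, pos
    n = first & 0x7F                  # long form: number of length bytes that follow
    if n == 0:
        return None, pos              # 0x80: indefinite form, value ends with 00 00
    if n == 0x7F:
        raise ValueError("length byte 0xFF is reserved")
    if pos + n > len(data):
        raise ValueError("truncated long-form length")
    return int.from_bytes(data[pos:pos + n], "big"), pos + n

def decode_tlv(data, pos=0):
    """Decode one TLV at pos -> ((type_name, value_bytes_or_children), new_pos)."""
    cls, constructed, num, pos = decode_tag(data, pos)
    length, pos = decode_length(data, pos)
    name = UNIVERSAL_NAMES.get(num, f"[UNIVERSAL {num}]") if cls == 0 else f"[{CLASS_NAMES[cls]} {num}]"
    if not constructed:
        if length is None:
            raise ValueError("indefinite length is only allowed for constructed values")
        if pos + length > len(data):
            raise ValueError("declared length runs past end of data")
        return (name, data[pos:pos + length]), pos + length
    children = []
    if length is None:                # indefinite: decode members until end-of-contents
        while data[pos:pos + 2] != b"\x00\x00":
            if pos + 2 > len(data):
                raise ValueError("missing end-of-contents bytes")
            child, pos = decode_tlv(data, pos)
            children.append(child)
        pos += 2
    else:                             # definite: members must fill the length exactly
        end = pos + length
        if end > len(data):
            raise ValueError("declared length runs past end of data")
        while pos < end:
            child, pos = decode_tlv(data, pos)
            children.append(child)
        if pos != end:
            raise ValueError("member element overran its parent")
    return (name, children), pos

def decode_integer(value):
    """Value rule for INTEGER: big-endian two's complement."""
    return int.from_bytes(value, "big", signed=True)

def encode_tag(cls, constructed, num):
    """Encode the Tag section, using the multi-byte form for tags >= 31."""
    first = (cls << 6) | (0x20 if constructed else 0)
    if num <= 30:
        return bytes([first | num])
    groups = [num & 0x7F]             # 7-bit groups, most significant first
    while num > 0x7F:
        num >>= 7
        groups.insert(0, num & 0x7F)
    return bytes([first | 0x1F] + [g | 0x80 for g in groups[:-1]] + [groups[-1]])

def encode_length(length):
    """Encode the Length section: short form below 128, long form otherwise."""
    if length < 128:
        return bytes([length])
    body = length.to_bytes((length.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def encode_tlv(cls, constructed, num, value):
    """Encode a complete TLV from its tag pieces and already-encoded value bytes."""
    return encode_tag(cls, constructed, num) + encode_length(len(value)) + value
```

Feeding the constructed sample `bytes.fromhex("300a02012a0c0268690101ff")` to decode_tlv yields ("SEQUENCE", [("INTEGER", b"\x2a"), ("UTF8String", b"hi"), ("BOOLEAN", b"\xff")]) and consumes 12 bytes; `bytes.fromhex("308002012a0000")` decodes the same INTEGER member through the indefinite-length path. On the encoding side, encode_tag(0, False, 34) returns 1f 22 for DURATION and encode_length(300) returns 82 01 2c. Because the decoder accepts the indefinite form and long-form lengths below 128, it is a BER decoder, not a DER one; a strict DER parser would reject both.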
Conclusion: BER (and therefore DER, which is a subset of it) only encodes data values together with their type class, complexity and tag. It does not encode type names or member names of constructed values, so a decoder needs the ASN.1 definition of the type to interpret what it reads. The next tutorials give encoding examples.