A key encapsulation mechanism (KEM) can be used to construct a “hybrid” cryptosystems. In these cryptosystems symmetric keys (e.g. for AES) are encrypted using asymmetric keys. The symmetric key is used for encrypting data.
A naive KEM built using RSA primitives could use “textbook” RSA to encrypt a randomly generated symmetric key but this has some significant flaws:

If
e
is small (e.g.e
=3), the symmetric key may not be reduced by the modulus after exponentiation. This means the “encrypted” key would be trivially decrypted by taking thee
throot of the ciphertext. 
Unpadded RSA ciphertexts can be manipulated in predicatable ways. The paper “When Textbook RSA is Used to Protect the Privacy of Hundreds of Millions of Users” describes a fantastic attack on an unpadded RSAbased KEM where captured encrypted keys were decrypted by replaying ciphertexts with clever bitshifts.
These issues could be alleviated by using a secure padding scheme like OAEP. However, there is a secure KEM that is just about as simple as the textbook KEM called RSAKEM.
RSAKEM works by generating a random integer r
in (0, N1)
(where N
is
the modulus of the key) and encrypting/encapsulating r
. The symmetric key is
then derived by throwing r
into a key derivation function (KDF).
As I understand it, OAEP is emulating a construction like RSAKEM in that it
attempts to converts a message into a r
like value. The extra complexity that
OAEP introduces is to handle messages that are not necessarily evenly
distributed in (0, N1)
and the padding step needs to be reversible.