Breaking down RSA/ECB/OAEPWITHSHA-256ANDMGF1PADDING


Problem description


So Java has a mode called RSA/ECB/OAEPWITHSHA-256ANDMGF1PADDING. What does that even mean?


RFC3447, Public-Key Cryptography Standards (PKCS) #1: RSA Cryptography Specifications Version 2.1, section 7.1.2 Decryption operation says Hash and MGF are both options for RSAES-OAEP-DECRYPT. MGF is its own function, defined in Section B.2.1 MGF1 and that has its own Hash "option" as well.


Maybe the Hash "option" in RSAES-OAEP-DECRYPT and MGF1 are supposed to be the same or maybe they're not, it is unclear to me. If they are then I guess when you have RSA/ECB/OAEPWITHSHA-256ANDMGF1PADDING that means sha256 should be used for both. But if they're not supposed to be the same then you could have sha256 used for RSAES-OAEP-DECRYPT and, for example, sha1 used for MGF1. And if that's the case then what function is sha256 supposed to be used for? And what hash algorithm is supposed to be used for the other function?


And what does ECB mean in this context? ECB is a symmetric block cipher mode. Electronic Code Book. Maybe it's supposed to mean how Java deals with plaintexts that are larger than the modulo? Like maybe splits the plaintext into chunks that are as big as the modulo and then encrypts each one with RSA and concatenates them together? I'm just guessing..

Recommended answer


The default for OAEP is to use SHA-1 for MGF1. Note that the hash chosen doesn't have that much impact on the security of OAEP, so mostly it will be left to this default.


We can easily test this by testing it against "OAEPPadding" and OAEPParameterSpec:

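import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.MGF1ParameterSpec;
import javax.crypto.Cipher;
import javax.crypto.spec.OAEPParameterSpec;
import javax.crypto.spec.PSource.PSpecified;

public class OaepDefaultsTest {
    public static void main(String[] args) throws Exception {
        // --- we need a key pair to test encryption/decryption
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(1024); // speedy generation, but not secure anymore
        KeyPair kp = kpg.generateKeyPair();
        RSAPublicKey pubkey = (RSAPublicKey) kp.getPublic();
        RSAPrivateKey privkey = (RSAPrivateKey) kp.getPrivate();

        // --- encrypt given algorithm string
        Cipher oaepFromAlgo = Cipher.getInstance("RSA/ECB/OAEPWITHSHA-256ANDMGF1PADDING");
        oaepFromAlgo.init(Cipher.ENCRYPT_MODE, pubkey);
        byte[] ct = oaepFromAlgo.doFinal("owlstead".getBytes(StandardCharsets.UTF_8));

        // --- decrypt given OAEPParameterSpec (SHA-256 for the OAEP hash, SHA-1 for MGF1)
        Cipher oaepFromInit = Cipher.getInstance("RSA/ECB/OAEPPadding");
        OAEPParameterSpec oaepParams = new OAEPParameterSpec(
                "SHA-256", "MGF1", new MGF1ParameterSpec("SHA-1"), PSpecified.DEFAULT);
        oaepFromInit.init(Cipher.DECRYPT_MODE, privkey, oaepParams);
        byte[] pt = oaepFromInit.doFinal(ct);
        System.out.println(new String(pt, StandardCharsets.UTF_8));
    }
}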

If SHA-256 is used as the parameter.


The reason why the extended algorithm is needed at all is compatibility with other Cipher algorithms. Code written for e.g. "RSA/ECB/PKCS1Padding" doesn't use any parameters, let alone OAEP parameters. So without the longer string OAEP cannot function as a drop-in replacement.


The mode of operation "ECB" doesn't mean anything in this context, it should have been "None" or it should have been left out completely. You can only encrypt a single block using the RSA implementation of the SunRSA provider.


If you want to encrypt more data, create a random (AES) symmetric key and encrypt that using OAEP. Then use the AES key to encrypt your specific data. This is called a hybrid cryptosystem as it uses both asymmetric and symmetric primitives to encrypt data.
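
The hybrid scheme described in the answer above, as an added example that is not part of the original answer. The class name, the 3072-bit key size, AES-256-GCM and the constructed sample message are assumptions; both OAEP hashes are set explicitly through OAEPParameterSpec, and the final check reports whether the bare algorithm string resolves to the same parameters on the provider in use.

```java
import java.security.*;
import java.security.spec.MGF1ParameterSpec;
import java.util.Arrays;
import javax.crypto.*;
import javax.crypto.spec.*;

public class HybridOaepExample { // hypothetical class name
    // Both OAEP hashes pinned explicitly: SHA-256 for the OAEP hash and for MGF1.
    static final OAEPParameterSpec OAEP = new OAEPParameterSpec(
            "SHA-256", "MGF1", MGF1ParameterSpec.SHA256, PSource.PSpecified.DEFAULT);

    static Cipher rsa(int mode, Key key) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance("RSA/ECB/OAEPPadding");
        c.init(mode, key, OAEP);
        return c;
    }
    static Cipher gcm(int mode, SecretKey key, byte[] iv) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(mode, key, new GCMParameterSpec(128, iv)); // 128-bit authentication tag
        return c;
    }

    public static void main(String[] args) throws GeneralSecurityException {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(3072);
        KeyPair kp = kpg.generateKeyPair();
        byte[] message = new byte[10_000]; // constructed sample, far larger than one RSA block
        // Sender: fresh AES key and nonce for every message.
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey aesKey = kg.generateKey();
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv);
        byte[] body = gcm(Cipher.ENCRYPT_MODE, aesKey, iv).doFinal(message);
        byte[] wrappedKey = rsa(Cipher.ENCRYPT_MODE, kp.getPublic()).doFinal(aesKey.getEncoded());
        // Receiver: recover the AES key with RSA-OAEP, then decrypt and authenticate the body.
        byte[] rawKey = rsa(Cipher.DECRYPT_MODE, kp.getPrivate()).doFinal(wrappedKey);
        byte[] plain = gcm(Cipher.DECRYPT_MODE, new SecretKeySpec(rawKey, "AES"), iv).doFinal(body);
        System.out.println("round trip ok: " + Arrays.equals(plain, message));
        // Interop check: does the bare algorithm string use the same MGF1 hash on this provider?
        try {
            Cipher s = Cipher.getInstance("RSA/ECB/OAEPWITHSHA-256ANDMGF1PADDING");
            s.init(Cipher.DECRYPT_MODE, kp.getPrivate());
            s.doFinal(wrappedKey);
            System.out.println("algorithm string matches SHA-256 with MGF1-SHA-256");
        } catch (BadPaddingException e) {
            System.out.println("algorithm string uses different OAEP parameters: " + e);
        }
    }
}
```

The receiver needs the wrapped key, the 12-byte nonce and the GCM ciphertext; only the wrapped key depends on the RSA modulus size.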
