是RSA加密的结果保证是随机的 [英] Is the result of a RSA encryption guaranteed to be random

问题描述

我使用RSACryptoServiceProvider来加密一些小数据块。对于我正在开发的解决方案，重要的是，如果相同的源数据被相同的公钥加密两次，结果（加密的数据块）是不一样的。

我已经检查过这个例子，它的工作，我希望。我的问题是，如果这种行为是通过设计和保证，或者如果我必须添加一些随机部分到源数据，以保证具有相同的数据的数据块不能再匹配加密后。

下面是示例：

  byte [] data = new byte [] {1,7 ，8,3,4,5}; 
 RSACryptoServiceProvider encrypter = cert.PublicKey.Key as RSACryptoServiceProvider; 
 byte [] encryptedData = encrypter.Encrypt（data，true）; 
 
 // encryptedData总是有其他值，尽管源数据总是
 // 1,7,8,3,4,5，证书总是相同的（从磁盘）
  

具体问题是.net，但也许答案可以给出所有RSA

解决方案

文本RSA加密算法是确定性的：

  ciphertext = plaintext ^ encryption-exponent mod modulus 
  

（这里 ^ 是整数指数， mod 余数运算。）

但是正如你所说，这不能提供一个很好的安全保证，因为攻击者可以猜测明文可以简单地验证这个猜测，通过自己加密和比较结果。

$因为这个原因，官方RSA规范（以及实践中使用的所有实现）包括一些（部分随机）填充，所以我们实际上不加密明文， pad（plaintext）：

  ciphertext = pad（plaintext）^ encryption-exponent mod modulus 
  

解密：

  plaintext = unpad（ciphertext ^ decrypt-exponent mod modulus）
  

只有使用此填充，RSA实际上是一种安全的加密方案。

类似的填充也用于RSA签名，以避免容易伪造签名。

I use RSACryptoServiceProvider to encrypt some small blocks of data. For the solution I'm working on, it's important that if the same piece of source data is encrypted twice with the same public key, the result (the encrypted block of data) is not the same.

I have checked this with an example and it worked like I hoped. My question is now, if this behaviour is by design and guaranteed or if I have to add some random part to the source data for guaranteeing that data blocks with the same data can not be matched anymore after encryption.

Here is the example:

byte[] data=new byte[]{1,7,8,3,4,5};
RSACryptoServiceProvider encrypter = cert.PublicKey.Key as RSACryptoServiceProvider;
byte[] encryptedData = encrypter.Encrypt(data,true);

// encryptedData has always other values in, although the source data is always
// 1,7,8,3,4,5 and the certificate is always the same (loaded from disk)

The concrete question is for .net but maybe the answer can be given in general for all RSA-implementations if it is by design?

解决方案

The text-book RSA encryption algorithm is deterministic:

ciphertext = plaintext ^ encryption-exponent  mod  modulus

(Here ^ is integer exponentiation, mod the remainder operation.)

But as you remarked, this does not provide a good security guarantee, as an attacker which can guess the plaintext can simply verify this guess by encrypting it himself and comparing the results.

For this reason, the official RSA specifications (and also all implementations used in practice) include some (partly random) padding, so we don't actually encrypt plaintext, but pad(plaintext):

ciphertext = pad(plaintext) ^ encryption-exponent  mod  modulus

Decryption:

plaintext = unpad( ciphertext ^ decryption-exponent mod modulus )

Only with this padding RSA is actually a secure encryption scheme.

A similar padding is also used for RSA signatures, to avoid easy forging of signatures.

这篇关于是RSA加密的结果保证是随机的的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！