手动实现RSA java。填补想法 [英] Manual implementation RSA java. Padding ideas

问题描述

我正在java上手动实现RSA（是的，我知道不是最好的想法，但它是为了大学目的）。我的算法在小文本中工作得很好，但是当大文本被考虑时，算法会随着比我的密钥优于比特数而中断。

我正在研究实现填充方案的可能性，以将我的纯文本分解成小文本，然后对其进行加密。

有没有关于如何填充的建议？

提前感谢

解决方案

我很抱歉，我正在撰写一个答案，其中包含与divanov的答案基本相同的信息，但是添加所有我认为重要的小细节的编辑将是一个完整的重写的答案。

通常你不想直接对数据进行不对称加密，而是使用RSA交换用于对称加密数据的对称密钥。您可以这样做（来自Ferguson，Kohno和Schneier的加密工程的想法，一本可以全心全意推荐的书）：

1. 假设 l 是您的模数的位长度 n ，生成 l-1 位长随机数 r 。使用RSA公钥加密 r


2. 使用加密散列函数生成对称密钥 k 出 r 。我建议使用sha256： k = sha256（r）


3. 使用适当的AES256加密块密码加密数据模式，如 CBC 。

此过程的优点是您根本无需关心RSA paddings（并且有很多可能会出错的东西）。请不要在解密之后检查 r 的结构，只要填入哈希函数，否则可能会打开自己超出范围的填充oracle攻击（类似于这一个）我的答案虽然如此。

请注意，对于真实世界的场景，您必须关心真实性的数据也是。加密最为充足的唯一常见用例是静止数据，即如果没有数据通过网络传输，您只关心数据的物理窃取。

I am implementing RSA manually on java (yes i know not the best idea but it is for university purposes). My algorithm is working good enough with small texts but when big texts come into consideration the algorithm breaks as the number of bits is superior than my key.

I am looking into the possibility to implement a padding scheme in order to fragment my plain text into small ones and then encrypt them.

Is there any suggestion on how to the padding?

Thanks in advance.

解决方案

I'm sorry that I'm writing an answer that contains basically the same information as divanov's answer, but an edit to add all the little details that I think are important would be a complete rewrite of the answer.

Generally you don't want to asymmetrically encrypt your data directly, but instead use RSA to exchange a symmetric key that is used to encrypt your data symmetrically. You can do it like this (idea taken from "Cryptography Engineering" by Ferguson, Kohno and Schneier, a book I can wholeheartedly recommend):

1. Assuming that l is the bit length of your modulus n, generate an l-1 bit long random number r. Encrypt r with the RSA public key.
2. Use a cryptographic hash function to generate the symmetric key k out of r. I would advise the use of sha256: k=sha256(r)
3. Encrypt you data with a block cipher like AES256 using a proper "mode" like CBC.

The advantage of this procedure is that you do not have to care about RSA paddings at all (and there is a lot of stuff that can go wrong with them). Please don't check the structure of r after decrypting, though, and just stuff if into the hash function as you otherwise might open yourself up to padding oracle attacks (akin to this one) that are beyond the scope of my answer though.

Note that for a real world scenario you have to care about authenticity of the data, too. The only common use case where encryption is mostly enough is "data at rest", i.e. if no data is transmitted over the network and you only care about physical theft of your data.

这篇关于手动实现RSA java。填补想法的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！