1024位RSA密钥对的DER编码RSAPublicKey(PKCS#1)的长度是否一致? [英] Is the length of a DER-encoded RSAPublicKey (PKCS #1) for a 1024-bit RSA key pair consistent?
问题描述
我已经使用openssl命令创建了多个1024位DER编码的RSAPublicKeys(PKCS#1):
openssl genrsa 1024 | openssl rsa -outform DER -RSAPublicKey_out -out pubkey.der
到目前为止,像这样创建的每个公钥文件都恰好是140个字节.以这种格式编码的1024位RSA公钥是否总是140字节,或者这个大小可以变化吗?
对于1024位密钥,使用指数值F4(0x010001),应始终为140字节.
公钥的编码为
SEQUENCE (RSAPublicKey)
30 xa [ya [za ...]]
INTEGER (n)
02 xb [yb [zb ...]] [pb] ...
INTEGER (e)
02 xc [yc [zc ...]] [pc] ...
其中pb和pc是可选的填充字节(以防止整数为负),而xa-xc(和y/za-c)值是BER长度.
如果e为0x010001,则其编码为02 03 01 00 01,始终为5个字节.
RSA密钥的密钥大小由从第一个设置位开始的位串的长度确定.因此,对于1024位密钥,该值将介于2 ^ 1023和2 ^ 1024之间,并且看起来像
0b1xxx_xxxx {1016 other "don't care" bits}
由于设置了高位,所以该数字将为负数而不进行填充,因此1024位数字将被编码为128个值字节,而符号位未设置"的一个前导字节即129个字节. /p>
因此,我们现在知道整数的完整编码长度129.即十六进制的0x81,大于0x79(最大的紧凑" BER长度),因此该长度以长格式写入:0x81(表示长度)在接下来的1个字节中)0x81.
02 81 81 00 [128 more bytes representing n]
所以e编码为5个字节,而n编码为132(128 + 1 + 2 + 1),即137.
137为0x89,使序列长度为0x81 0x89.内容的137个字节+长度的2个字节+标签的1个字节=> 140个字节.
30 81 89
02 81 81 00 [128 more bytes of n]
02 03 01 00 01
此计算假定没有人对密钥大小的定义感到不满.宽松的解释(根据 http://nvlpubs.nist .gov/nistpubs/SpecialPublications/NIST.SP.800-56Br1.pdf 是错误的)会将n的值放在2 ^ 1016和2 ^ 1024之间(也就是它需要128个字节,谁在乎哪个位是最高的一组?").在这种情况下,填充字节可能会从n中消失,长度会降至139.
I've created multiple 1024-bit DER-encoded RSAPublicKeys (PKCS #1) with the openssl command:
openssl genrsa 1024 | openssl rsa -outform DER -RSAPublicKey_out -out pubkey.der
So far, every public key file created like this has been exactly 140 bytes. Are 1024-bit RSA public keys encoded in this format always 140 bytes, or can this size vary?
I've learned that the size of a DER encoded private key can vary.
It should always be 140 bytes for a 1024-bit key using an exponent value of F4 (0x010001).
The encoding of the public key is
SEQUENCE (RSAPublicKey)
30 xa [ya [za ...]]
INTEGER (n)
02 xb [yb [zb ...]] [pb] ...
INTEGER (e)
02 xc [yc [zc ...]] [pc] ...
Where pb and pc are optional padding bytes (to prevent the integers from being negative), and the xa-xc (and y/za-c) values are BER lengths.
If e is 0x010001 then it encodes as 02 03 01 00 01, always 5 bytes.
The keysize of an RSA key is determined by the length of the bit string starting with the first set bit. So for a 1024-bit key the value will be between 2^1023 and 2^1024, and that it will look like
0b1xxx_xxxx {1016 other "don't care" bits}
Since the high bit is set, the number would be negative without padding, so the 1024-bit number gets encoded to 128 value bytes and one leading byte of "the sign bit isn't set", or 129 bytes.
So now we know the integer's full encoded length, 129. That's 0x81 in hex, which is bigger than 0x79 (the biggest "compact" BER length), so the length gets written in long form: 0x81 (the length is expressed in the next 1 byte(s)) 0x81.
02 81 81 00 [128 more bytes representing n]
So e encoded to 5 bytes, and n encodes to 132 (128 + 1 + 2 + 1), which is 137.
137 in hex is 0x89, making the sequence length be 0x81 0x89. 137 bytes of content + 2 bytes of length + 1 byte of tag => 140 bytes.
30 81 89
02 81 81 00 [128 more bytes of n]
02 03 01 00 01
This computation assumes that no one is being bad with their definition of the key size. A loose interpretation (which, per http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Br1.pdf is wrong) would put the value of n between 2^1016 and 2^1024 (aka "it required 128 bytes, who cares which bit is the highest one set?"). In that case the padding byte could disappear from n and the length would drop to 139.
这篇关于1024位RSA密钥对的DER编码RSAPublicKey(PKCS#1)的长度是否一致?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
