How to properly use Bouncy Castle's OAEPEncoding for RSA (Lightweight API)


Problem description


I've been playing around with Bouncy Castle's implementation of RSA (Lightweight API) and got the basics figured out. Looking at their spec for JCE provider implementation I noticed that different padding schemes can be used with RSA. From what I understand, by default null padding is used. So I began exploring OAEP padding, particularly OAEPWithSHA512AndMGF1Padding. Searching with Google wasn't very helpful so I began digging through BC's source code and found org.bouncycastle.jce.provider.JCERSACipher class. But looking at initFromSpec quickly gave me a headache... Specifically, I don't understand what the last two parameters that can be passed to the OAEPEncoding constructor are. According to BC's API the OAEPEncoding constructor that allows four parameters accepts Digest mgf1Hash and byte[] encodingParams as the last two arguments. This stumped me because I have no idea how to get a hold of an instance of the mask generation algorithm nor do I understand the purpose behind the byte array referred to as encodingParams. What should be the values of arg3 and arg4 in the code below?

RSABlindedEngine rsa = new RSABlindedEngine();
SHA512Digest sha512 = new SHA512Digest();
Digest arg3 = ???;
byte[] arg4 = ???;
AsymmetricBlockCipher cipher = new OAEPEncoding(rsa, sha512, arg3, arg4);


Recommended answer

OAEP is specified by PKCS#1, section 7.1.


OAEP requires the following parameters:


  • a hash function;

  • a mask generation function, which can be thought of as a hash function with unbounded output length;

  • a label (an arbitrary sequence of bytes).


There is only one defined mask generation function, called MGF1, and that function is built over a hash function. So your arg3 is the hash function which MGF1 will use. It may be the same hash function as the first one (I am not sure it may be the same Digest instance in the Bouncy Castle API; I am talking mathematically here). It may also be another hash function.


The label can be used as a kind of distinguisher between instances (e.g. you could encrypt data with an explicit "purpose" encoded in the label). It is handy in some mathematical proofs, but right now PKCS#1 recommends using an empty string and being done with it. For the purposes described in PKCS#1, an empty label is as good as any.


The decryption process must know those parameters to operate. It is customary to encode them in the structure which comes along with the encrypted message and says "this is encrypted with RSA/OAEP"; that's how it happens in CMS.


When in doubt, use the same hash function as first parameter and for MGF1, and use an empty label.
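Putting the answer's recommendation into code, as an added example that is not part of the original question or answer: SHA-512 is used both as the OAEP hash and as the MGF1 hash (arg3), the label (arg4) is empty, and a second receiver that assumes a different label is shown failing, which is why the parameters have to travel with the ciphertext. It assumes a Bouncy Castle provider jar on the classpath; the 2048-bit key size and the sample message are constructed values.

```java
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;

import org.bouncycastle.crypto.AsymmetricBlockCipher;
import org.bouncycastle.crypto.AsymmetricCipherKeyPair;
import org.bouncycastle.crypto.Digest;
import org.bouncycastle.crypto.InvalidCipherTextException;
import org.bouncycastle.crypto.digests.SHA512Digest;
import org.bouncycastle.crypto.encodings.OAEPEncoding;
import org.bouncycastle.crypto.engines.RSABlindedEngine;
import org.bouncycastle.crypto.generators.RSAKeyPairGenerator;
import org.bouncycastle.crypto.params.ParametersWithRandom;
import org.bouncycastle.crypto.params.RSAKeyGenerationParameters;

public class OaepParamsDemo {
    // RSA/OAEP as the answer recommends: one hash for OAEP itself, one hash for MGF1
    // (arg3, here the same algorithm), and a label (arg4, empty unless you have a reason).
    static AsymmetricBlockCipher oaep(Digest hash, Digest mgf1Hash, byte[] label) {
        return new OAEPEncoding(new RSABlindedEngine(), hash, mgf1Hash, label);
    }

    public static void main(String[] args) throws Exception {
        SecureRandom rng = new SecureRandom();
        RSAKeyPairGenerator gen = new RSAKeyPairGenerator();
        gen.init(new RSAKeyGenerationParameters(BigInteger.valueOf(65537), rng, 2048, 80));
        AsymmetricCipherKeyPair kp = gen.generateKeyPair();

        // Sender: OAEP needs randomness for the seed, so hand it an explicit SecureRandom.
        AsymmetricBlockCipher enc = oaep(new SHA512Digest(), new SHA512Digest(), new byte[0]);
        enc.init(true, new ParametersWithRandom(kp.getPublic(), rng));
        // OAEP costs 2*hLen + 2 bytes of the modulus size, so the payload limit is small.
        System.out.println("max plaintext bytes per block: " + enc.getInputBlockSize());
        byte[] msg = "constructed sample message".getBytes(StandardCharsets.UTF_8);
        byte[] ct = enc.processBlock(msg, 0, msg.length);

        // Receiver using the same hash, MGF1 hash and label recovers the plaintext.
        AsymmetricBlockCipher dec = oaep(new SHA512Digest(), new SHA512Digest(), new byte[0]);
        dec.init(false, kp.getPrivate());
        byte[] pt = dec.processBlock(ct, 0, ct.length);
        System.out.println("decrypted: " + new String(pt, StandardCharsets.UTF_8));

        // Receiver that assumes a different label (a mismatched MGF1 hash behaves the same)
        // gets an integrity failure, not garbage: the parameters must accompany the message.
        byte[] otherLabel = "other-purpose".getBytes(StandardCharsets.UTF_8);
        AsymmetricBlockCipher wrong = oaep(new SHA512Digest(), new SHA512Digest(), otherLabel);
        wrong.init(false, kp.getPrivate());
        try {
            wrong.processBlock(ct, 0, ct.length);
        } catch (InvalidCipherTextException e) {
            System.out.println("mismatched OAEP parameters rejected: " + e.getMessage());
        }
    }
}
```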
