How safe and secure is RSA?


Question

I am using RSA for encryption and decryption. I've heard that it's vulnerable to attacks. Is it? How safe is it to use?

Solution

The usual attack on RSA involves factoring a large number which is the product of two very large prime numbers. The general idea behind this is that finding prime numbers is fairly easy, and multiplying them together to get a single large number is also quite easy, but if you only start with that large number, finding the factors is quite hard.

Back when they were an independent company, RSA Data Security Inc. ran a factoring challenge. IIRC, the last few prizes were won by teams from RSA DSI themselves. These were done using the General Number Field Sieve (GNFS). The typical implementation uses a large number of workstations for a few months or so to build a "factor base". Then (the hard part) you feed that to a single machine with gargantuan amounts of RAM (think terabytes as a starting point) and have it crunch for a few weeks to get the factors.

The point of that is to point out that the most common attack on RSA has a very high initial cost (i.e., getting something like a Cray supercomputer) to even get started. In all honesty, however, I don't believe any machine currently exists that can hold enough RAM to even begin an attack on something like a 1024-bit RSA key (not to mention the 2048 or even 4096-bit keys some of the paranoid types insist on using).

There are, of course, other factoring methods that don't require that huge machine, but they're enough less efficient that even at best, you'd be looking at years of work to break even a fairly small key by RSA standards -- 512 bits, for example.

Realistically, the security of RSA itself is generally the least of your concerns in designing a system that uses it. In fact, that's true of nearly all reasonably modern encryption algorithms. When something gets broken into, it's essentially never by actually breaking the fundamental algorithm involved -- it's by finding weaknesses in how keys are distributed, "social engineering" attacks, etc.

While (as I said) this tends to be true of encryption in general, it's even more consistently true with RSA than most other encryption. This is simply because the normal use-case for RSA is comparatively complex. In particular, you do not normally want to use RSA to encrypt large streams of raw data. RSA is slow enough that you generally do not want to use it to encrypt a lot of data. Instead, you typically use RSA in conjunction with some symmetric-key (aka private key) encryption algorithm such as AES.

When using the two together, you start by getting the public key of the person to whom you want to send some data. You then generate a random number of the correct size to be used as the key with the symmetric algorithm you've chosen. You encrypt your random number with RSA and send it to the target. You then use that number as the key with the symmetric algorithm, and use that symmetric algorithm to encrypt the actual data.

This means that in real use, RSA has some weaknesses that don't necessarily apply to most symmetric encryption algorithms. Just for an obvious example, if the method used to choose the "random" key for the symmetric algorithm isn't really entirely random, an attacker may be able to find the key and decrypt the data, without attacking the RSA encryption itself at all (and yes, this has been the source of a real vulnerability in real, publicly released software).

Also note that what I've described above is pretty much the simplest way that RSA is normally put to use. Real systems often get considerably more complex still to provide such things as "perfect forward secrecy" [1]. The RSA in such a system is still perfectly normal RSA, but the rest of the system that uses it is considerably more complex still.

Summary: if you're going to use RSA encryption, the security of RSA itself is probably the least of your concerns. The route from "RSA" to "secure communication system" is a bit like something out of a twisted combination of Greek mythology and the Christian Bible: a maze with a thousand wrong turns, each of which leads to a place that looks exactly like where you wanted to go--but taking any wrong turn will damn you to an eternity of torture and torment.


[1] No, I'm not going to try to describe this right now, but I'm sure searching for it on Crypto.SE will turn up some relevant results. I should probably add, however, that although RSA can be used in a system that provides PFS, it's fairly unusual in practice.
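
The weak session key failure mentioned in the answer, as an added example that is not part of the original answer: a symmetric key drawn from a clock-seeded general-purpose PRNG is found by trying clock values, with the RSA-wrapped copy of the key never touched, while a key from the OS CSPRNG is not. The HMAC tag stands in for the symmetric cipher's authentication tag, and the timestamp, search window and function names are assumptions constructed for this illustration.

```python
import hashlib
import hmac
import random
import secrets

KEY_BYTES = 32  # 256-bit session key, e.g. for AES-256


def weak_session_key(timestamp: int) -> bytes:
    """Flawed pattern: general-purpose PRNG seeded with the clock."""
    rng = random.Random(timestamp)
    return bytes(rng.getrandbits(8) for _ in range(KEY_BYTES))


def strong_session_key() -> bytes:
    """Fix: take the key from the operating system's CSPRNG."""
    return secrets.token_bytes(KEY_BYTES)


def auth_tag(key: bytes, ciphertext: bytes) -> bytes:
    """Stand-in (assumption) for the tag sent alongside the ciphertext."""
    return hmac.new(key, ciphertext, hashlib.sha256).digest()


def search_clock_seeds(tag: bytes, ciphertext: bytes, start: int, end: int):
    """Return the key that reproduces the tag for some clock value, else None."""
    for ts in range(start, end + 1):
        candidate = weak_session_key(ts)
        if hmac.compare_digest(auth_tag(candidate, ciphertext), tag):
            return candidate
    return None


def demo():
    ciphertext = b"constructed opaque ciphertext bytes"  # constructed sample
    sent_at = 1_700_000_000                               # constructed timestamp
    window = (sent_at - 3600, sent_at + 3600)             # one hour either side

    weak = weak_session_key(sent_at)
    recovered = search_clock_seeds(auth_tag(weak, ciphertext), ciphertext, *window)

    strong = strong_session_key()
    missed = search_clock_seeds(auth_tag(strong, ciphertext), ciphertext, *window)
    # (weak key recovered from 7201 guesses, CSPRNG key not found)
    return recovered == weak, missed is None


if __name__ == "__main__":
    print(demo())
```
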
