Is it possible to get RSA private key knowing public key and set of "original data=>encrypted data" entries?


Question

I work on an application which allows plugins to access different sets of functionality; every plugin provides an "initialization string" which sets the level of access to different features. Developers send me these strings, and I encrypt them using my 1024 bit RSA private key and send the encoded data back. When started, my application decodes the encoded data (encoded initialization string) using the built-in public key and if "decoded data != initialization string" it fails to start.

So, is it possible to use a database of "initialization string" => "encoded initialization string" (extracted from other plugins) to crack my private key, or make it possible to brute-force it in reasonable time?

Recommended answer

When you say that you "encrypt with a RSA private key" then you are not actually encrypting things. This is an historical bit of confusion. What you are doing is a digital signature which the plugin verifies with the corresponding public key. The confusion comes from the fact that, under an adequate light, RSA signatures can be seen as a kind of "reverse encryption" with the private key acting first. However, it differs in some details (e.g. padding, and involvement of a hash function) which make it quite different when it comes to implementation.

If you are using a proper RSA digital signature scheme (e.g. one of those described in PKCS#1, section 8 "signature schemes with appendix"), with an adequately large RSA key (1024 bits or more) generated through a correctly implemented key generation algorithm, then there is no known, computationally feasible way for an attacker to leverage the signatures you have produced in order to forge new signatures (and, a fortiori, crack the RSA private key). It is in no way proven that your signatures do not help the attacker, but 30 years of public research on the subject have not come up with such a breach.

Note, though, that usage details, in particular padding (the initial part, which transforms the to-be-signed data into a big number that the mathematical core of RSA can process) have been shown to be delicate; many proposed ways to do the padding have been successfully attacked. The PKCS#1 paddings have been under scrutiny for quite some time (two decades for the "v1.5" padding) and have resisted all such attempts so far. The "ISO 9796" family of paddings did not fare that well, many variants having been broken.

If you are not computing your signatures according to a well-established standard (i.e. PKCS#1), then you are looking for trouble. Do not do that. Fortunately, most RSA implementations (in cryptographic libraries and programming languages / environments) follow PKCS#1.
