Breaking down RSA/ECB/OAEPWithSHA-256AndMGF1Padding

Question

Java has a mode called RSA/ECB/OAEPWithSHA-256AndMGF1Padding. What does that even mean?

RFC3447, Public-Key Cryptography Standards (PKCS) #1: RSA Cryptography Specifications Version 2.1, section 7.1.2 Decryption operation says Hash and MGF are both options for RSAES-OAEP-DECRYPT. MGF is its own function, defined in Section B.2.1 MGF1 and that has its own Hash "option" as well.

Maybe the Hash "option" in RSAES-OAEP-DECRYPT and MGF1 are supposed to be the same or maybe they're not, it is unclear to me. If they are then I guess when you have RSA/ECB/OAEPWITHSHA-256ANDMGF1PADDING that means sha256 should be used for both. But if they're not supposed to be the same then you could have sha256 used for RSAES-OAEP-DECRYPT and, for example, sha1 used for MGF1. And if that's the case then what function is sha256 supposed to be used for? And what hash algorithm is supposed to be used for the other function?

And what does ECB mean in this context? ECB is a symmetric block cipher mode. Electronic Code Book. Maybe it's supposed to mean how Java deals with plaintexts that are larger than the modulo? Like maybe splits the plaintext into chunks that are as big as the modulo and then encrypts each one with RSA and concatenates them together? I'm just guessing..

Recommended answer

The default for OAEP is to use SHA-1 for MGF1 (but see the edit on the end of this answer). Note that the hash chosen doesn't have that much impact on the security of OAEP, so mostly it will be left to this default.

We can easily test this by testing it against "OAEPPadding" and OAEPParameterSpec:

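import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.MGF1ParameterSpec;
import javax.crypto.Cipher;
import javax.crypto.spec.OAEPParameterSpec;
import javax.crypto.spec.PSource.PSpecified;

public class OaepDefaults {
    public static void main(String[] args) throws Exception {
        // --- we need a key pair to test encryption/decryption
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(1024); // speedy generation, but not secure anymore
        KeyPair kp = kpg.generateKeyPair();
        RSAPublicKey pubkey = (RSAPublicKey) kp.getPublic();
        RSAPrivateKey privkey = (RSAPrivateKey) kp.getPrivate();

        // --- encrypt given algorithm string
        Cipher oaepFromAlgo = Cipher.getInstance("RSA/ECB/OAEPWITHSHA-256ANDMGF1PADDING");
        oaepFromAlgo.init(Cipher.ENCRYPT_MODE, pubkey);
        byte[] ct = oaepFromAlgo.doFinal("owlstead".getBytes(StandardCharsets.UTF_8));

        // --- decrypt given OAEPParameterSpec (SHA-256 for the label hash, SHA-1 for MGF1)
        Cipher oaepFromInit = Cipher.getInstance("RSA/ECB/OAEPPadding");
        OAEPParameterSpec oaepParams = new OAEPParameterSpec("SHA-256", "MGF1", new MGF1ParameterSpec("SHA-1"), PSpecified.DEFAULT);
        oaepFromInit.init(Cipher.DECRYPT_MODE, privkey, oaepParams);
        byte[] pt = oaepFromInit.doFinal(ct);
        System.out.println(new String(pt, StandardCharsets.UTF_8));
    }
}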

The code will fail with a padding related exception if you substitute "SHA-256" for the MGF1 as parameter.

The reason why the extended algorithm is needed at all is compatibility with other Cipher algorithms. Code written for e.g. "RSA/ECB/PKCS1Padding" doesn't use any parameters, let alone OAEP parameters. So without the longer string OAEP cannot function as a drop-in replacement.

The mode of operation "ECB" doesn't mean anything in this context, it should have been "None" or it should have been left out completely. You can only encrypt a single block using the RSA implementation of the SunRSA provider.

If you want to encrypt more data, create a random (AES) symmetric key and encrypt that using OAEP. Then use the AES key to encrypt your specific data. This is called a hybrid cryptosystem as it uses both asymmetric and symmetric primitives to encrypt data.

Note that OAEP is not supported in JDK 7 (1.7) or earlier. OAEP is included in the implementation requirements for Java runtimes since Java 8:

  • RSA/ECB/OAEPWithSHA-1AndMGF1Padding (1024, 2048)
  • RSA/ECB/OAEPWithSHA-256AndMGF1Padding (1024, 2048)

Some protocols may require you to use SHA-256 or SHA-512 within the padding, as SHA-1 is being deprecated for most use - even if it is not directly vulnerable for this kind of purpose.

This was written mostly with Java in mind. By now many other libraries seem to take a somewhat different approach and use the same hash for the (mostly empty) label and MGF1. If you have an invalid OAEP ciphertext you should first make sure that the right "default" is being used. It is impossible to wrong any library implementation for choosing their own default; in the end it is up to the protocol to define the hashes used. Unfortunately no mandatory default exists - which is especially a problem if protocol owners forget to fully specify a configuration for the algorithms.
