可以用私钥加密/用公钥解密吗? [英] Can one encrypt with a private key/decrypt with a public key?
问题描述
[免责声明:我知道,如果你对加密有任何了解,你可能会告诉我为什么我做错了 - 我已经做了足够多的谷歌搜索,知道这似乎是典型的反应.]
假设以下情况:您有一个中央机构想要为给定的域发布登录 cookie.在这个域中,您不一定信任每个人,但您有几个应该能够读取 cookie 的关键端点.我说几个,但实际上这个受信任的"合作伙伴的数量可能很大.cookie 不包含太多信息 - 用户名、时间戳、到期时间、随机数.当然,出于性能原因,即使在加密之后(在合理范围内),它也应该保持较小.现在,有两个安全问题:
1) 我们不相信此域上的每个网络服务器都有用户数据.因此,读取 cookie 的能力应仅限于这些受信任的合作伙伴.2) 虽然我们相信这些合作伙伴会保护我们用户的数据,但我们仍然希望中央权威点是不可伪造的(同样,在合理范围内).
现在,如果我们为权威生成一个私有的 RSA 密钥并将其保密,并将公钥仅分发给受信任的伙伴",我们应该能够使用私有密钥进行加密,并且任何人都可以读取它公钥.我不清楚的是,是否仍然需要对消息进行签名,或者解密行为是否可以证明它是用私钥生成的?与将对称密钥分发给所有相关方并使用它进行加密,而仅使用私钥进行签名相比,这种方案是否会更好或更差?当然,请随时告诉我这是一个愚蠢的想法,但请记住,实际论证可能比重复爱丽丝和鲍勃更有说服力.
哦,如果有任何有用的陷阱",尽管可以在 Google 上找到基础知识,但欢迎提供实现指针!
您应该使用某种数字签名方案,或其他旨在解决您的场景完整性问题的机制.
加密本身是不够的.你怎么知道解密的消息应该是什么?解密使用正确密钥加密的 cookie 肯定会提供有效"的 cookie,但是当您解密使用错误密钥加密的 cookie 时会发生什么?还是只是一些无意义的数据?好吧,您可能只会得到一个看起来有效的 cookie!(时间戳在您认为有效的范围内,用户名是合法的,随机数是……呃……一个数字,等等).
在我知道的大多数非对称加密算法中,没有内置验证.这意味着用错误的密钥解密消息不会失败"——它只会给你一个错误的明文,你必须将其与有效的明文区分开来.这就是完整性发挥作用的地方,最常见的是使用数字签名.
顺便说一句,RSA 被长期研究并且有几个陷阱",因此如果您打算从头开始实施它,您最好提前阅读如何避免创建相对容易破解"的密钥.
[Disclaimer: I know, if you know anything about crypto you're probably about to tell me why I'm doing it wrong - I've done enough Googling to know this seems to be the typical response.]
Suppose the following: you have a central authority that wants to issue login cookies for a given domain. On this domain, you don't necessarily trust everyone, but you have a few key end-points who should be able to read the cookie. I say a few, but in practice this number of "trusted" partners may be large. The cookie doesn't contain much information - a username, a timestamp, an expiry, a random number. It should remain small of course, for performance reasons, even after encryption (within reason). Now, there are two security issues:
1) We don't trust every webserver on this domain with user data. For this reason, the ability to read the cookie should be restricted to these trusted partners. 2) While we trust these partners to protect our user's data, we'd still like the central point of authority to be unforgeable (again, within reason).
Now, if we generate a private RSA key for the authority and keep it secret, and distribute the public key only to the "trusted partners", we should be able to encrypt with the private key and have it readable by anyone with the public key. What I'm unclear on is, would it still be necessary to sign the message, or would the act of decrypting be evidence that it was generated with the private key? Is this any way in which this scheme would be better or worse than disseminating a symmetric key to all parties involved and using that to encrypt, while using the private key merely to sign? And of course feel free to tell me all the ways this is a stupid idea, but bear in mind that practical arguments will probably be more convincing than rehashing Alice and Bob.
Oh, and implementation pointers would be welcome, though one can find the basics on Google, if there are any "gotchas" involved that would be useful!
You should use a digital sigantures scheme of some sort, or some other mechanism that is aimed to solve the integrity problem of your scenario.
The encryption itself isn't enough. How would you know that the decrypted messege is what it should be? Decrypting a cookie encrypted with the right key will surely provide a "valid" cookie, but what happens when you decrypt a cookie encrypted with the wrong key? or just some meaningless data? well, you might just get a cookie that looks valid! (the timestamps are in the range you consider valid, the username is legal, the random number is... uh... a number, etc.).
In most asymmetric encryption algorithms I know off, there is no built-in validation. That means that decrypting a message with the wrong key will not "fail" - it will only give you a wrong plaintext, which you must distinguish from a valid plaintext. This is where integrity comes to play, most commonly - using digital signatures.
BTW, RSA is long studied and has several "gotchas", so if you plan to implement it from scratch you better read ahead on how to avoid creating "relatively easy to break" keys.
这篇关于可以用私钥加密/用公钥解密吗?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
