应该为此任务使用加密消息语法（CMS）吗？ [英] Should one use Cryptographic message syntax (CMS) for this task?

问题描述

我的任务是在桌面应用程序和移动设备之间传输小型二进制消息（1或2 kb长）。消息应该不对称加密（例如RSA）。从我学到的一个应该使用混合密码系统这种任务：

I've the task to transfer small binary messages (1 or 2 kb long) between a desktop application and mobile devices. The messages should be encrypted asymmetrically (RSA for instance). From what I've learned one should use a hybrid cryptosystem for this kind of task:

1. 生成随机对称密钥


2. 用对称密钥加密纯文本（例如使用AES）


3. 用公钥加密对称密钥


4. 对称键

1. Generate random symmetric key
2. Encrypt plain text with symmetric key (using AES for instance)
3. Encrypt symmetric key with public key
4. Transmit cipher text and encrypted symmetric key

我不想创建一个自己的格式来存储密文和加密的对称密钥。所以我偶然发现了CMS标准（加密消息语法）。第一眼看起来就像我所需要的。如果我正确理解标准，它嵌入密文和加密的对称密钥以及关于使用的算法的信息。

I'd like to not invent an own format for storing the cipher text and the encrypted symmetric key. So I stumbled over CMS standard (Cryptographic message syntax). At the first glance it looks exactly like what I need. If I understood the standard correctly it embeds the cipher text and the encrypted symmetric key as well as information about the used algorithms.

任何人都可以说是否应该使用CMS标准为概述任务？

Can anybody say whether one should use the CMS standard for the outlined task? Does OpenSSL's CMS support is sufficient for my needs?

Cheers，Christian

Cheers, Christian

推荐答案

CMS绝对支持您正在查找的操作序列。在缺点方面，CMS格式本身和OpenSSL API为它是相当复杂。

CMS definitely supports the operation sequence you're looking for. On the downside, both the CMS format itself and the OpenSSL API for it are rather complex.

一个小的皱纹是CMS主要运行在X.509证书，而不是公钥。你可以通过实际推出PKI或者使用自签名证书（它们基本上相当于传递裸RSA密钥，但是具有作为绑定密钥和元数据的通用格式的优点）来处理这个问题这有时是非常有用的，无论如何）。

One minor wrinkle is CMS mostly operates in terms of X.509 certificates rather than public keys. You could deal with this in your system either by actually rolling out a PKI, or just using self-signed certificates (which are basically equivalent to passing around bare RSA keys, but have the advantage of being a generic format for binding the key and metadata which is sometimes quite useful to have anyway).

OpenSSL没有CMS API的文档;最好的参考它可以找到是cms.c在OpenSSL源分布的apps /目录;该代码被构造为一个1000行主函数，这是一个有点令人不安，但它确实使用公共密钥执行加密，所以你可以使用它作为指导。

OpenSSL has next to no documentation of the CMS API; the best reference for it I could find is cms.c in the apps/ directory of the OpenSSL source distribution; the code is structured as one 1000 line main function, which is a little disturbing, but it does perform encryption with a public key so you can probably use that as a guide.

这篇关于应该为此任务使用加密消息语法（CMS）吗？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！