Strength of RSA Encrypting an AES Key


Problem description

I'm currently developing a system to transmit data between client and server, and was wondering what the strength of the encryption I planned to use was.

My thought was to have a private/public RSA key pair and hand out the public key to each client (leaving the private key solely on the server). Each client would then generate their own AES key and RSA encrypt it. They would then AES encrypt their data and send the encrypted data and encrypted AES key to the server. The server would then decrypt the AES key using the private key, and then decrypt the data using the AES key.

Are there any security flaws I am missing and/or is there a better way to do this?

Solution

This is almost exactly how SSL/TLS works (check out the handshake section). The only thing to make it stronger is to generate the AES key for each connection, rather than using the same key each time. You might also want to digitally sign messages that go back and forth to avoid man-in-the-middle and other spoofing attacks.

Generally speaking, creating a good cryptosystem is very difficult. When possible, you should always favor an existing (trusted) application to help out. In this case, you might consider sending your messages using HTTPS, rather than creating your own system.
