java javax.crypto.Cipher 对 RSA 使用哪种填充
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/32033804/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Which padding is used by javax.crypto.Cipher for RSA
提问by My-Name-Is
I need to decrypt messages via RSA in order to send it over an unsecured channel, but I'm afraid of the Padding Oracle Attack. Therefore I already have asked the follwoing questions:
我需要通过 RSA 解密消息才能通过不安全的通道发送它,但我害怕Padding Oracle Attack。因此,我已经问了以下问题:
- How to verify the integrity of RSA encrypted messages?
- How to ensure message integrity for RSA ciphers by using javax.crypto.Cipher
Like suggested in the first question,
就像第一个问题中建议的那样,
However, since you are using a high level cryptographic library, this is something you shouldn't have to worry about. The writers of that library should have taken care of it.
但是,由于您使用的是高级加密库,因此您不必担心。那个图书馆的作者应该照顾它。
I shouldn't consider about. As far I know, the RSA implementation of PKCS#1 v1.5is vulnerable to the Padding Oracale Attackwhereby OAEPisn't (assumed it's implemented correctly)
我不应该考虑。据我所知,的RSA执行PKCS#1 v1.5是脆弱的Padding Oracale Attack,其中原和没有(假设正确它的实现)
Hence I want to know which padding implementation is used by javax.crypt.Cipherby Java 7
因此我想知道javax.crypt.CipherJava 7使用哪种填充实现
回答by Artjom B.
It depends on the chosen or default provider which padding is actually used when you instantiate a Cipher without fully qualifying it like:
这取决于选择的或默认的提供程序,当您在不完全限定密码的情况下实例化密码时实际使用哪个填充,例如:
Cipher.getInstance("RSA")
Doing so is a bad practice, because if you switch Java implementations, there might be different defaults and suddenly, you won't be compatible with the old ciphertexts anymore. Always fully qualify the cipher.
这样做是一种不好的做法,因为如果您切换 Java 实现,可能会有不同的默认值,并且突然之间,您将不再与旧的密文兼容。始终完全限定密码。
As I said before, the default will probably (there are many providers, one can't be sure) be PKCS#1 v1.5 padding. If you need another, you would have to specify it. If you want to use OAEP, here is a fully qualified cipher string from here:
正如我之前所说,默认值可能(有很多提供者,不能确定)是 PKCS#1 v1.5 填充。如果您需要另一个,则必须指定它。如果你想使用OAEP,这里是一个完全合格的密码字符串在这里:
Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
回答by Maarten Bodewes
That's not a good advice given in the first link to the cryptography site. You should never rely on the defaults of cryptographic libraries cryptographic algorithms. There are quite a few reasons for this:
这不是密码学站点的第一个链接中给出的好建议。您永远不应该依赖加密库加密算法的默认值。造成这种情况的原因有很多:
- Different implementations, different defaults (there are no requirements for cryptography providers concerning defaults, although most will copy the Oracle/Sun defaults);
- What's secure now may not be considered secure tomorrow, and because for backwards compatibility, you can never change the default;
- It's unclear to anybody reading your software what the default is (you could document it, but in that case you might as well write it out).
- 不同的实现,不同的默认值(密码提供者没有关于默认值的要求,尽管大多数会复制 Oracle/Sun 的默认值);
- 现在安全的东西明天可能不会被认为是安全的,因为为了向后兼容,你永远不能改变默认值;
- 任何阅读您的软件的人都不清楚默认设置是什么(您可以记录它,但在这种情况下,您最好将其写出来)。
The SunJCEProviderprovided by Oracle defaults to PKCS#1 padding ("PKCS1Padding") for historical reasons (see reason #2 above). This is not well documented.
由于历史原因SunJCEProvider,Oracle 提供的默认为 PKCS#1 填充 ( "PKCS1Padding")(请参阅上面的原因 #2)。这没有很好的记录。
At that time that default was set you basically had just the insecure textbook RSA ("NoPadding") and the PKCS#1 v1.5 version ("PKCS1Padding"or RSAES-PKCS1-v1_5in the PKCS#1 v2.1 standard). At that time RSAES-PKCS1-v1_5was definitely the more secure choice. Changing the default now to OAEP would break every RSA implementation out there that uses the default.
当时设置了默认值,您基本上只有不安全的教科书 RSA ( "NoPadding") 和 PKCS#1 v1.5 版本("PKCS1Padding"或 RSAES-PKCS1-v1_5在 PKCS#1 v2.1 标准中)。那个时候RSAES-PKCS1-v1_5绝对是比较稳妥的选择。现在将默认值更改为 OAEP 会破坏使用默认值的每个 RSA 实现。
The advice of otus (in the first link within this answer) is be better suited to protocol implementationsin libraries than to cryptographic algorithms. In the end you should be able to defend the security of the choices made, whatever you choose.
otus 的建议(在本答案的第一个链接中)更适合库中的协议实现,而不是加密算法。最后,无论您选择什么,您都应该能够捍卫所做选择的安全性。
回答by Lord Moon
The default for bouncy-castle when you just specify RSAis RSA/NONE/NOPADDING
刚指定时 bouncy-castle 的默认值RSA是RSA/NONE/NOPADDING
This is the same result as RSA/ECB/NOPADDINGas well.
这也是同样的结果RSA/ECB/NOPADDING。
