java 使用轻量级 API 生成 Bouncy Castle RSA 密钥对
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/3087049/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Bouncy Castle RSA keypair generation using Lightweight API
提问by Andrey
Surprisingly enough there's very little information on the Web about using Bouncy Castle's lightweight API. After looking around for a while I was able to put together a basic example:
令人惊讶的是,Web 上关于使用 Bouncy Castle 的轻量级 API 的信息很少。环顾四周后,我能够整理出一个基本示例:
RSAKeyPairGenerator generator = new RSAKeyPairGenerator();
generator.init(new RSAKeyGenerationParameters
(
new BigInteger("10001", 16),//publicExponent
SecureRandom.getInstance("SHA1PRNG"),//prng
1024,//strength
80//certainty
));
AsymmetricCipherKeyPair keyPair = generator.generateKeyPair();
I have a basic understanding of RSA and the math that happens behind the scenes, so I understand what publicExponentand strengthare. I presume publicExponentrefers to a coprime of phi(pq)and from what I gather it can be small (like 3) as long as appropriate padding is used. However, I have no idea what certaintyrefers to (some place mentioned that it might refer to a percentage but I want to be sure). The use of SecureRandomis self-explanatory. The documentation of RSAKeyGenerationParametersis completely worthless (no surprise there). My only guess is that it has something to do with the accuracy of the generated keys, but again I want to be sure. So my question is what are appropriate values for certaintyand publicExponent?
我有RSA的一个基本的了解,并且会在幕后数学,让我明白了什么publicExponent和strength是。我猜想publicExponent是指互质phi(pq),并从我收集它可以小(如3)只要适当使用填充。但是,我不知道certainty指的是什么(有些地方提到它可能指的是百分比,但我想确定一下)。的使用SecureRandom是不言自明的。RSAKeyGenerationParameters的文档完全没有价值(这并不奇怪)。我唯一的猜测是它与生成的密钥的准确性有关,但我再次想确定。所以我的问题是certainty和 的合适值是什么publicExponent?
P.S. Please don't reply with "it depends on the context - how secure you want the information to be". It's pretty safe to assume highest degree of security (i.e. 4096-bit RSA key or greater) unless otherwise specified... I would also appreciate links to sources that give good example of the use of Bouncy Castle's Lightweight API (I'm not at all interested in the JCA implementation or any examples pertaining to it).
PS 请不要回复“这取决于上下文 - 您希望信息的安全程度”。除非另有说明,否则假设最高级别的安全性(即 4096 位 RSA 密钥或更高)是非常安全的......所有对 JCA 实现或与之相关的任何示例感兴趣的人)。
采纳答案by ZZ Coder
You are using correct values for both.
您正在为两者使用正确的值。
The publicExponent should be a Fermat Number. 0x10001 (F4) is current recommended value. 3 (F1) is known to be safe also.
publicExponent 应该是一个费马数。0x10001 (F4) 是当前推荐值。3 (F1) 也是安全的。
The RSA key generation requires prime numbers. However, it's impossible to generate absolute prime numbers. Like any other crypto libraries, BC uses probable prime numbers. The certainty indicate how certain you want the number to be prime. Anything above 80 will slow down key generation considerably.
RSA 密钥生成需要质数。但是,不可能生成绝对质数。像任何其他加密库一样,BC 使用可能的素数。确定性表明您希望数字是质数的确定性。任何高于 80 的值都会大大减慢密钥的生成速度。
Please note that RSA algorithm still works in the unlikely event that the prime number is not true prime because BC checks for relative primeness.
请注意 RSA 算法在素数不是真素数的不太可能发生的情况下仍然有效,因为 BC 检查相对素数。
回答by erickson
I'd have to delve into their source code to be "certain", but I believe that the certaintyparameter is passed straight to the BigIntegerconstructor, which says, "The probability that the new BigIntegerrepresents a prime number will exceed (1 - 1/2certainty). The execution time of this constructor is proportional to the value of this parameter."
我必须深入研究他们的源代码才能“确定”,但我相信certainty参数会直接传递给BigInteger构造函数,它说,“新BigInteger代表质数的概率将超过 (1 - 1/2确定性)。此构造函数的执行时间与此参数的值成正比。”
So, with a value of 80, there is less than 1 chance in 280that the number will not be prime. The comment suggests that the prime number generation time is linear with respect to this parameter, but you should test that to be sure if you choose to increase it. It might make sense to use a value that is consistent with the key size you are using. For example, NIST says that a 1024-bit RSA key is as strong as an 80-bit symmetric key. For a 2048-bit RSA key, you might want to use a certainty of 112 bits (the equivalent strength symmetric key size), and so on.
因此,如果值为 80,则在 2 80中该数字不是素数的可能性小于 1 。评论表明质数生成时间与此参数呈线性关系,但您应该测试以确保您是否选择增加它。使用与您使用的密钥大小一致的值可能是有意义的。例如,NIST 表示 1024 位 RSA 密钥与 80 位对称密钥一样强大。对于 2048 位 RSA 密钥,您可能希望使用 112 位的确定性(等效强度对称密钥大小),依此类推。
It sounds like you are aware of the vulnerability of using 3 as the public exponent in special cases. The value 65537 is used almost universally now.
听起来您已经意识到在特殊情况下使用 3 作为公共指数的漏洞。现在几乎普遍使用值 65537。
回答by President James K. Polk
A good reference is FIPS PUB 186-3. In particular, appendix B section 3 has many security parameters, as well as prime generation algorithms.certaintyis the number of iterations of the Miller-Rabin primality test.
FIPS PUB 186-3是一个很好的参考。特别是,附录 B 第 3 节有许多安全参数,以及素数生成算法。certainty是 Miller-Rabin 素性检验的迭代次数。
回答by goodguys_activate
See this answer on crypto.stackexchange.comfor more information on how your value of certainty should be calculated.
有关如何计算确定性值的更多信息,请参阅 crypto.stackexchange.com 上的此答案。
Preview of Pa?lo Ebermann's answer:
Pa?lo Ebermann 的回答预览:
Certainty of x bits means that the probability that something (in this case p being prime) not being true is smaller than 2?x. This is the same probability as guessing a random x-bit value correctly on the first try, hence the name.
How to select x? We want the probability of p (and q) not being prime to be small enough that a failure probability in this point is not larger than other ways the system could be broken - like guessing a symmetric key, factoring the modulus etc.
So here a correspondence table of symmetric and asymmetric key sizes should help. http://www.keylength.com/Pick the same prime certainty as you would pick an symmetric key size accompanying your public key usage.
x 位的确定性意味着某事(在这种情况下 p 是素数)不为真的概率小于 2?x。这与第一次尝试正确猜测随机 x 位值的概率相同,因此得名。
如何选择x?我们希望 p(和 q)不是质数的概率足够小,以至于在这一点上的失败概率不大于系统可能被破坏的其他方式 - 例如猜测对称密钥,分解模数等。
所以这里对称和非对称密钥大小的对应表应该会有所帮助。http://www.keylength.com/选择与您在使用公钥时选择对称密钥大小相同的主要确定性。
