Original source: http://stackoverflow.com/questions/32161720/
Warning: this content is provided under the CC BY-SA 4.0 license. You are free to use/share it, but you must attribute it to the original authors (not me): StackOverFlow
Breaking down RSA/ECB/OAEPWITHSHA-256ANDMGF1PADDING
Asked by neubert
Java has a mode called RSA/ECB/OAEPWITHSHA-256ANDMGF1PADDING. What does that even mean?
RFC3447, Public-Key Cryptography Standards (PKCS) #1: RSA Cryptography Specifications Version 2.1, section 7.1.2 Decryption operation says Hash and MGF are both options for RSAES-OAEP-DECRYPT. MGF is its own function, defined in Section B.2.1 MGF1, and that has its own Hash "option" as well.
Maybe the Hash "option" in RSAES-OAEP-DECRYPT and MGF1 are supposed to be the same or maybe they're not, it is unclear to me. If they are then I guess when you have RSA/ECB/OAEPWITHSHA-256ANDMGF1PADDING that means sha256 should be used for both. But if they're not supposed to be the same then you could have sha256 used for RSAES-OAEP-DECRYPT and, for example, sha1 used for MGF1. And if that's the case then what function is sha256 supposed to be used for? And what hash algorithm is supposed to be used for the other function?
And what does ECB mean in this context? ECB is a symmetric block cipher mode. Electronic Code Book. Maybe it's supposed to mean how Java deals with plaintexts that are larger than the modulo? Like maybe it splits the plaintext into chunks that are as big as the modulo and then encrypts each one with RSA and concatenates them together? I'm just guessing.
Answered by Maarten Bodewes
The default for OAEP is to use SHA-1 for MGF1. Note that the hash chosen doesn't have that much impact on the security of OAEP, so mostly it will be left to this default.
We can easily test this by testing it against "OAEPPadding" and OAEPParameterSpec:
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.MGF1ParameterSpec;
import javax.crypto.Cipher;
import javax.crypto.spec.OAEPParameterSpec;
import javax.crypto.spec.PSource.PSpecified;

public class OaepDefaults {
    public static void main(String[] args) throws Exception {
        // --- we need a key pair to test encryption/decryption
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(1024); // speedy generation, but not secure anymore
        KeyPair kp = kpg.generateKeyPair();
        RSAPublicKey pubkey = (RSAPublicKey) kp.getPublic();
        RSAPrivateKey privkey = (RSAPrivateKey) kp.getPrivate();
        // --- encrypt given algorithm string
        Cipher oaepFromAlgo = Cipher.getInstance("RSA/ECB/OAEPWITHSHA-256ANDMGF1PADDING");
        oaepFromAlgo.init(Cipher.ENCRYPT_MODE, pubkey);
        byte[] ct = oaepFromAlgo.doFinal("owlstead".getBytes(StandardCharsets.UTF_8));
        // --- decrypt given OAEPParameterSpec
        Cipher oaepFromInit = Cipher.getInstance("RSA/ECB/OAEPPadding");
        OAEPParameterSpec oaepParams = new OAEPParameterSpec("SHA-256", "MGF1", new MGF1ParameterSpec("SHA-1"), PSpecified.DEFAULT);
        oaepFromInit.init(Cipher.DECRYPT_MODE, privkey, oaepParams);
        byte[] pt = oaepFromInit.doFinal(ct);
        System.out.println(new String(pt, StandardCharsets.UTF_8));
    }
}
The code will fail with a padding-related exception if you substitute "SHA-256" for the MGF1 as parameter.
The reason why the extended algorithm is needed at all is compatibility with other Cipher algorithms. Code written for e.g. "RSA/ECB/PKCS1Padding" doesn't use any parameters, let alone OAEP parameters. So without the longer string OAEP cannot function as a drop-in replacement.
The mode of operation "ECB" doesn't mean anything in this context, it should have been "None" or it should have been left out completely. You can only encrypt a single block using the RSA implementation of the SunRSA provider.
If you want to encrypt more data, create a random (AES) symmetric key and encrypt that using OAEP. Then use the AES key to encrypt your specific data. This is called a hybrid cryptosystem as it uses both asymmetric and symmetric primitives to encrypt data.
Note that OAEP is not supported in JDK 7 (1.7) or earlier. OAEP is included in the implementation requirements for Java runtimes since Java 8:
RSA/ECB/OAEPWithSHA-1AndMGF1Padding (1024, 2048)
RSA/ECB/OAEPWithSHA-256AndMGF1Padding (1024, 2048)
Some protocols may require you to use SHA-256 or SHA-512 within the padding, as SHA-1 is being deprecated for most use - even if it is not directly vulnerable for this kind of purpose.
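The hybrid cryptosystem and the MGF1 hash default described in the answer above, as an added example that is not part of the original answer: a random AES key encrypts the data, RSA-OAEP wraps that key with both hashes stated explicitly, and the page's algorithm string is then tried against the same wrapped key. The class name, the 2048-bit key size, AES-256-GCM and the sample data are assumptions chosen for illustration.

```java
import java.security.*;
import java.security.spec.MGF1ParameterSpec;
import java.util.Arrays;
import javax.crypto.*;
import javax.crypto.spec.*;

public class HybridOaepExample { // hypothetical class name
    // Explicit OAEP parameters: SHA-256 for the OAEP hash AND for MGF1, so
    // nothing depends on what a provider assumes for the algorithm string.
    static final OAEPParameterSpec OAEP = new OAEPParameterSpec(
            "SHA-256", "MGF1", MGF1ParameterSpec.SHA256, PSource.PSpecified.DEFAULT);

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        // Sender: a fresh AES key encrypts data far larger than one RSA block.
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey aesKey = kg.generateKey();
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv);
        Cipher gcm = Cipher.getInstance("AES/GCM/NoPadding");
        gcm.init(Cipher.ENCRYPT_MODE, aesKey, new GCMParameterSpec(128, iv));
        byte[] data = new byte[4096]; // constructed sample payload
        byte[] ciphertext = gcm.doFinal(data);
        // Only the short AES key goes through RSA-OAEP.
        Cipher wrap = Cipher.getInstance("RSA/ECB/OAEPPadding");
        wrap.init(Cipher.WRAP_MODE, kp.getPublic(), OAEP);
        byte[] wrappedKey = wrap.wrap(aesKey);
        // Receiver: unwrap with the same explicit parameters, then decrypt.
        Cipher unwrap = Cipher.getInstance("RSA/ECB/OAEPPadding");
        unwrap.init(Cipher.UNWRAP_MODE, kp.getPrivate(), OAEP);
        SecretKey recovered = (SecretKey) unwrap.unwrap(wrappedKey, "AES", Cipher.SECRET_KEY);
        Cipher gcmDec = Cipher.getInstance("AES/GCM/NoPadding");
        gcmDec.init(Cipher.DECRYPT_MODE, recovered, new GCMParameterSpec(128, iv));
        System.out.println("round trip ok: " + Arrays.equals(data, gcmDec.doFinal(ciphertext)));
        // Per the answer above, the algorithm string pairs SHA-256 with
        // MGF1-SHA-1, so it should reject a key wrapped with MGF1-SHA-256.
        Cipher fromString = Cipher.getInstance("RSA/ECB/OAEPWITHSHA-256ANDMGF1PADDING");
        fromString.init(Cipher.UNWRAP_MODE, kp.getPrivate());
        try {
            fromString.unwrap(wrappedKey, "AES", Cipher.SECRET_KEY);
            System.out.println("algorithm string accepted the MGF1-SHA-256 key");
        } catch (GeneralSecurityException e) {
            System.out.println("algorithm string rejected it: " + e.getMessage());
        }
    }
}
```

The last check is provider-dependent, which is the practical reason to pass an OAEPParameterSpec on both sides when the two ends may run different JCE providers or non-Java libraries.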