可以使用 RSA 加密的数据量有什么限制?
通常建议使用 RSA 加密对称密钥,然后使用对称密钥加密有效负载".
Typically it is recommended that RSA be used to encrypt a symmetric key, which is then used to encrypt the "payload".
可以使用 RSA 加密的数据量的实际(或理论上)限制是多少(我使用的是 2048 位 RSA 密钥大小).
What is the practical (or theoretical) limit to the amount of data that can be encrypted with RSA (I'm using a 2048 bit RSA keysize).
特别是,我想知道用(不同的)RSA 公钥加密 RSA 公钥(256 字节)是否安全?我在 Java 中使用 Bouncy Castle 加密库.
In particular, I'm wondering if it is safe to encrypt an RSA public key (256 bytes) with a (different) RSA public key? I'm using the Bouncy Castle crypto libraries in Java.
推荐答案
对于 n 位 RSA 密钥,直接加密(使用 PKCS#1 "old-style" padding) 适用于任意二进制消息直到 floor(n/8)-11 个字节.换句话说,对于 1024 位 RSA 密钥(128 字节),最多 117 字节.使用 OAEP(PKCS#1 新式"填充),这有点少:OAEP 使用输出长度为 h 位的散列函数;这意味着 floor(n/8)-2*ceil(h/8)-2 的大小限制:仍然是 1024 位 RSA 密钥,使用 SHA-256 作为散列函数(h = 256),这意味着最多 60 字节的二进制消息.
For a n-bit RSA key, direct encryption (with PKCS#1 "old-style" padding) works for arbitrary binary messages up to floor(n/8)-11 bytes. In other words, for a 1024-bit RSA key (128 bytes), up to 117 bytes. With OAEP (the PKCS#1 "new-style" padding), this is a bit less: OAEP use a hash function with output length h bits; this implies a size limit of floor(n/8)-2*ceil(h/8)-2: still for a 1024-bit RSA key, with SHA-256 as hash function (h = 256), this means binary messages up to 60 bytes.
用另一个 RSA 密钥加密一个 RSA 密钥没有问题(用 RSA 加密 任何 字节序列没有问题,无论这些字节代表什么),但是,当然,外部" RSA 密钥必须更大:使用旧式填充,要加密 256 字节的消息,您需要一个模数至少为 2136 位的 RSA 密钥.
There is no problem in encrypting a RSA key with another RSA key (there is no problem in encrypting any sequence of bytes with RSA, whatever those bytes represent), but, of course, the "outer" RSA key will have to be bigger: with old-style padding, to encrypt a 256-byte message, you will need a RSA key with a modulus of at least 2136 bits.
混合模式(您使用随机对称密钥加密数据并使用尽管如此,还是建议将 RSA 用作一般情况,这只是因为它们没有任何实际的大小限制,而且还因为它们可以更容易地用另一种密钥交换算法(例如 Diffie-Hellman)替换 RSA 部分.
Hybrid modes (you encrypt data with a random symmetric key and encrypt that symmetric key with RSA) are nonetheless recommended as a general case, if only because they do not have any practical size limits, and also because they make it easier to replace the RSA part with another key exchange algorithm (e.g. Diffie-Hellman).
相关文章