SUN JCE/Oracle JCE 中的默认 RSA 填充

2022-01-10 00:00:00 cryptography java jce

您能帮我指出默认的 RSA 填充是什么吗?

Could you help me to point out what is the default RSA padding.

确切地说,如果我创建如下密码实例,确保 java 使用某种填充作为加密文本字节长度始终显示 256 字节的 2048 RSA 密钥,无论纯文本是一个字符还是 10 个字符.

Precisely, if I create cipher instance as below, sure java is using some sort of padding as encrypted text bytes length always shows 256 bytes for 2048 RSA key irrespective of plain text is one characters or 10 characters.

Cipher.getInstance("RSA")  

如果在 Cipher.getInstance("RSA") 中没有指定填充,我想知道 java 内部使用的默认填充是什么.那是 PKCS#1 v 1.5 吗?

I wanted to know what is default padding java use internally if no padding is specified in Cipher.getInstance("RSA"). is that PKCS#1 v 1.5?

谢谢,山姆

推荐答案

"RSA/ECB/PKCS1Padding" 相同,其中 ECB 有点用词不当,因为它没有实现块密码操作模式(它不处理大于块大小"的明文)."RSA/None/PKCS1Padding" 会是一个更好的名称,或者 "RSA/None/RSASSA-PKCS1-v1_5" 因为您对填充机制的猜测是正确的.

It's identical to "RSA/ECB/PKCS1Padding" where ECB is a bit of a misnomer, as it does not implement a block cipher mode of operation (it doesn't handle plaintext larger than the "block size"). "RSA/None/PKCS1Padding" would have been a better name or "RSA/None/RSASSA-PKCS1-v1_5" as your guess about the padding mechanism is correct.

这意味着它使用的是旧的加密模式;OAEP 更能抵御攻击并包含安全证明.不幸的是,OAEP 当然不能成为新的默认值,因为所有现有的密文都不会再解密了.这就是为什么首先使用默认值是愚蠢的原因之一.

This means that it uses a older mode of encryption; OAEP is more resistant against attacks and contains a security proof. Unfortunately OAEP can of course not be made the new default because all existing ciphertext would not decrypt anymore. This is one of the reasons why using defaults is stupid in the first place.

PKCS#1 v1.5 填充也意味着输入被限制为最大密钥大小减去 11 个字节.请注意,生成的密文的大小始终与 PKCS#1 中的密钥大小相同;即使得到的整数更小,它也会用零字节填充.我在这里假设密钥大小是 8 的倍数.

PKCS#1 v1.5 padding also means that the input is restricted to a maximum of the key size minus 11 bytes. Note that the size of the resulting ciphertext is always identical to the key size in PKCS#1; even if the resulting integer is smaller it will be left padded with zero bytes. I'm assuming here that the key size is a multiple of 8.

您不应该依赖算法规范的默认值.它使代码更难理解,并且每个提供者的默认值可能确实不同(尽管大多数人会尝试遵循 Oracle 的领导,以避免不兼容).因此,仅使用它来了解现有代码中配置了哪种算法.在我看来,平台默认设置唯一有意义的地方是 SecureRandom.

You should not rely on defaults for the algorithm specification. It makes the code harder to understand and defaults may indeed differ per provider (although most will try to follow Oracle's lead, to avoid incompatibilities). So use this only to understand which algorithm is configured in existing code. The only place where a platform default makes sense is SecureRandom in my opinion.

相关文章