RSA 块的数据过多失败.什么是 PKCS#7?
谈javax.crypto.Cipher
我尝试使用 Cipher.getInstance("RSA/None/NoPadding", "BC")
加密数据,但出现异常:
I was trying to encrypt data using Cipher.getInstance("RSA/None/NoPadding", "BC")
but I got the exception:
ArrayIndexOutOfBoundsException: too much data for RSA block
看起来与NoPadding"有关,因此,阅读有关填充的内容,看起来 CBC 是在这里使用的最佳方法.
Looks like is something related to the "NoPadding", so, reading about padding, looks like CBC is the best approach to use here.
我在谷歌上找到了一些关于RSA/CBC/PKCS#7"的东西,这个PKCS#7"是什么?以及为什么它没有列在 sun 的标准算法名称?
I found at google something about "RSA/CBC/PKCS#7", what is this "PKCS#7"? And why its not listed on sun's standard algorithm names?
更新:
我想知道,如果是填充问题,为什么这个例子运行得很好?
I'm wondering, if is a padding problem, why this example run just fine?
import java.math.BigInteger;
import java.security.KeyFactory;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.RSAPrivateKeySpec;
import java.security.spec.RSAPublicKeySpec;
import javax.crypto.Cipher;
/**
* Basic RSA example.
*/
public class BaseRSAExample
{
public static void main(
String[] args)
throws Exception
{
byte[] input = new byte[] { (byte)0xbe, (byte)0xef };
Cipher cipher = Cipher.getInstance("RSA/None/NoPadding", "BC");
KeyFactory keyFactory = KeyFactory.getInstance("RSA", "BC");
// create the keys
RSAPublicKeySpec pubKeySpec = new RSAPublicKeySpec(
new BigInteger("d46f473a2d746537de2056ae3092c451", 16),
new BigInteger("11", 16));
RSAPrivateKeySpec privKeySpec = new RSAPrivateKeySpec(
new BigInteger("d46f473a2d746537de2056ae3092c451", 16),
new BigInteger("57791d5430d593164082036ad8b29fb1", 16));
RSAPublicKey pubKey = (RSAPublicKey)keyFactory.generatePublic(pubKeySpec);
RSAPrivateKey privKey = (RSAPrivateKey)keyFactory.generatePrivate(privKeySpec);
// encryption step
cipher.init(Cipher.ENCRYPT_MODE, pubKey);
byte[] cipherText = cipher.doFinal(input);
// decryption step
cipher.init(Cipher.DECRYPT_MODE, privKey);
byte[] plainText = cipher.doFinal(cipherText);
}
}
更新 2:
我意识到即使我只使用 Cipher.getInstance("RSA", "BC")
也会引发相同的异常.
I realized that even if I use just Cipher.getInstance("RSA", "BC")
it throws the same exception.
推荐答案
如果你使用分组密码,你输入的必须是分组比特长度的精确倍数.
If you use a block cipher, you input must be an exact multiple of the block bit length.
为了加密任意长度的数据,您首先需要将数据填充到块长度的倍数.这可以用任何方法完成,但有许多标准.PKCS7 是一个很常见的,你可以在关于 padding 的维基百科文章中查看 概述.
In order to encipher arbitrary length data, you need first to pad you data to a multiple of the block length. This can be done with any method, but there are a number of standards. PKCS7 is one which is quite common, you can see an overview on the wikipedia article on padding.
由于块密码器对块进行操作,因此您还需要想出一种连接加密块的方法.这非常重要,因为幼稚的技术大大降低了加密的强度.还有一篇关于此的维基百科文章.
Since block cipers operate on blocks, you also need to come up with a way of concatenating the encrypted blocks. This is very important, since naive techniques greatly reduce the strength of the encryption. There is also a wikipedia article on this.
您所做的是尝试加密(或解密)长度与密码的块长度不匹配的数据,并且您还明确要求不进行填充和链接操作模式.
What you did was to try to encrypt (or decrypt) data of a length which didn't match the block length of the cipher, and you also explicitly asked for no padding and also no chaining mode of operation.
因此,分组密码无法应用于您的数据,并且您收到了报告的异常.
Consequently the block cipher could not be applied to your data, and you got the reported exception.
更新:
作为对您的更新和 GregS 评论的回应,我想承认 GregS 是对的(我不知道 RSA),并详细说明一下:
As a response to your update and GregS's remark, I would like to acknowledge that GregS was right (I did not know this about RSA), and elaborate a bit:
RSA 不对位进行操作,而是对整数进行操作.因此,为了使用 RSA,您需要将您的字符串消息转换为整数 m:0 <米<n
,其中 n
是在生成过程中选择的两个不同素数的模数.RSA 算法中密钥的大小通常是指n
.有关这方面的更多详细信息,请参阅关于 RSA 的维基百科文章.
RSA does not operate on bits, it operates on integer numbers. In order to use RSA you therefore need to convert your string message into an integer m: 0 < m < n
, where n
is the modulus of the two distinct primes chosen in the generation process. The size of a key in the RSA algorithm typically refers to n
. More details on this can be found on the wikipedia article on RSA.
将字符串消息转换为整数而不丢失(例如截断初始零)的过程,通常遵循 PKCS#1 标准.此过程还为消息完整性(哈希摘要)、语义安全(IV)等添加了一些其他信息.有了这个额外的数据,可以提供给 RSA/None/PKCS1Padding 的最大字节数是 (keylength - 11).我不知道 PKCS#1 如何将输入数据映射到输出整数范围,但是我的印象是它可以输入小于或等于 keylength - 11 的任何长度,并为 RSA 加密生成一个有效的整数.
The process of converting a string message to an integer, without loss (for instance truncating initial zeroes), the PKCS#1 standard is usually followed. This process also adds some other information for message integrity (a hash digest), semantical security (an IV) ed cetera. With this extra data, the maximum number of bytes which can be supplied to the RSA/None/PKCS1Padding is (keylength - 11). I do not know how PKCS#1 maps the input data to the output integer range, but my impression is that it can take any length input less than or equal to keylength - 11 and produce a valid integer for the RSA encryption.
如果您不使用填充,您的输入将被简单地解释为一个数字.您的示例输入 {0xbe, 0xef} 很可能会被解释为 {10111110 +o 11101111} = 1011111011101111_2 = 48879_10 = beef_16(原文如此!).由于 0 <牛肉_16
If you use no padding, your input will simply be interpreted as a number. Your example input, {0xbe, 0xef} will most probably be interpreted as {10111110 +o 11101111} = 1011111011101111_2 = 48879_10 = beef_16 (sic!). Since 0 < beef_16 < d46f473a2d746537de2056ae3092c451_16, your encryption will succeed. It should succeed with any number less than d46f473a2d746537de2056ae3092c451_16.
bouncycastle 常见问题解答中提到了这一点.他们还声明了以下内容:
This is mentioned in the bouncycastle FAQ. They also state the following:
附带的 RSA 实现充气城堡只允许加密单个数据块.RSA算法不适合流数据,不应使用那样.在这种情况下你应该使用加密数据随机生成的密钥和一个对称的密码,之后你应该加密使用 RSA 随机生成的密钥,然后发送加密数据和对方的加密随机密钥结束他们可以逆转过程的地方(即使用解密随机密钥他们的 RSA 私钥,然后解密数据).
The RSA implementation that ships with Bouncy Castle only allows the encrypting of a single block of data. The RSA algorithm is not suited to streaming data and should not be used that way. In a situation like this you should encrypt the data using a randomly generated key and a symmetric cipher, after that you should encrypt the randomly generated key using RSA, and then send the encrypted data and the encrypted random key to the other end where they can reverse the process (ie. decrypt the random key using their RSA private key and then decrypt the data).
相关文章