是否可以以与解密不同的顺序进行加密?
是否可以按一种顺序加密并按另一种顺序解密?例如,我有以下内容:
- plain_text.txt
- 公钥/私钥对 1
- 公钥/私钥对 2
示例
加密:
public1(public2(plain_text.txt))
解密:
private1(private2(encrypted))
是否有任何加密算法允许这样做?有可能吗?
Is it possible to encrypt in one order and decrypt in another? For example I've got the following:
- plain_text.txt
- Public/Private Key pair 1
- Public/Private Key pair 2
Example
Encryption:
public1(public2(plain_text.txt))
Decryption:
private1(private2(encrypted))
Is there any encryption algorithm that allows this? Is it even possible?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(6)
在大多数情况下,您无法更改解密顺序。
允许重新排序解密的方案称为交换密码系统。
一种可用于构建可交换密码系统的公钥密码系统是
ElGamal 加密。
这只是主要思想:假设 g 是
一个合适的群 G,计算离散对数是困难的。
设 xA 和 xB 是两个私钥,
hA = g xA ,并且
hB = g xB
是对应的公钥。两个密钥对使用相同的组
G(即,如果我们使用 G = Z/(p),则模数 p 相同)。这是其优点之一
ElGamal 方案认为,如果两个用户共享相同的组(或模数),它仍然是安全的。
另一方面,RSA 将是不安全的。
用 hA 加密消息 m 给出密文
请注意,知道密钥 xA 就可以解密,因为
加密密文a第二次首先会重新加密现有的
A 的公钥的密文。
他选择一个随机的 r' 并计算
结果只是使用 A 的公钥进行的另一次有效加密。
这种重新加密对于避免有效的攻击是必要的
与具有等模的 RSA 相比,如下所示。
接下来,一个人将使用 B 的公钥进行加密
可以按任意顺序解密,例如知道 xA 允许计算
因此可以计算
这正是我们想要的:用 B 的公钥对 m 进行加密。
为了获得安全的实施,需要观察许多微妙之处。
做到这一点并不容易。
有关更多信息,请参阅 Stephen Weis 的博士学位 ,其中包含有关交换加密的一章。
如果用“教科书 RSA”尝试相同的想法,则会出现许多问题。首先,为了使加密可交换,用户 A 和 B 必须共享相同的模数。
例如,A 使用 (n, eA, dA),B 使用 (n, eB, dB),其中 n 是模数,eA、eB 是公钥,dA、dB > 密钥。然而,知道例如 (n, eA, dA) 就可以分解 n,从而计算 B 的密钥,这当然是一个很大的缺陷。
现在我们可以将 m 加密为
再次加密为
用 A 的密钥解密
并用B的密钥再次解密得到m。看起来不错,直到有人注意到
攻击者可以拦截两个密文 c = meA mod n 和 c' = meB mod n 可以使用欧几里得算法来找到 r,s,这样
然后计算
这个想法也与另一个答案中提出的使用 RC4 的解决方案相悖。韦斯的论文详细描述了这次攻击。
In most cases you can't change the order of the decryption.
Schemes that allow to reorder decryption are called commutative cryptosystems.
One public key cryptosystem that can be used to build a commutative cryptosystem is
the ElGamal encryption.
Here is just the main idea: Assume g is a generator of
a suitable group G, for which computing discrete logarithms is hard.
Let xA and xB be two private keys,
hA = g xA , and
hB = g xB
be the corresponding public keys. Both keys pairs use the same group
G (i.e. the same modulus p if we use G = Z/(p)). It is one advantage of the
ElGamal scheme that it still is secure if two users share the same group (or modulus).
RSA on the other hand will be insecure.
Encrypting a message m with hA gives the ciphertext
Note that knowing the secret key xA allows to decrypt because
To encrypt the ciphertext a second time one would first re-encrypt the existing
ciphertext with A's public key.
He chooses a random r' and computes
The result is just another valid encryption with A's public key.
This re-encryption is necessary to avoid an attack that works for example
against RSA with equal modulus as shown below.
Next, one would encrypt with B's public key giving
Decryption is possible in either order, e.g. knowing xA allows to compute
and hence one can compute
which is just what we want: an encryption of m with B's public key.
There are a number of subtleties that need to be observed to get a secure implementation.
And getting this right isn't easy.
For more info see for example the Phd of Stephen Weis, which contains a chapter on commutative encryption.
There are a number of problems if the same idea is tried with "textbook RSA". First to make the encryption commutative it is necessary that both users A and B share the same modulus.
E.g. A uses (n, eA, dA) and B uses (n, eB, dB), where n is the modulus, eA, eB the public keys and dA, dB the secret keys. However, knowing for example (n, eA, dA) allows to factor n, and hence compute B's secret key, which is of course one big flaw.
Now we could encrypt m as
encrypt again as
decrypt with A's secret key giving
and decrypt again with B's secret key to get m. That looks fine until one notices that
an attacker who can intercept the two ciphertexts c = meA mod n and c' = meB mod n can use Euclid's algorithm to find r,s such that
and then compute
The idea also works against the solution using RC4 proposed in another answer. Weis's thesis contains a detailed description of the attack.
对于 RSA 的大多数公开实现来说,这是不可能的。解密例程期望明文采用特定格式(即正确填充),如果不是,则会失败。同样,在加密时,它会对明文应用填充,而不是按原样使用 blob。
/*
RSA 的数学允许这一点,AFAIK,只要两个密钥的模是互质的(这几乎总是正确的)。但您可能必须推出自己的实现。
*/
另一个问题是明文块的数值应该小于模数。因此,第一个密钥的模数应小于第二个密钥的模数,否则无法保证第一个密文是第二轮加密的正确明文。
我依稀记得 OpenSSL 有一个无填充模式。你可能会有一些运气。
编辑:一般来说,在 99.9% 的情况下,提出自己的加密原语是一个坏主意。如果你的兴趣纯粹是学术,那就来吧;但是,如果您追求特定的应用功能(即加密某些内容,以便需要两个不信任方的同意才能解密),那么您肯定走错了路。
EDIT2:如果模数相同,RSA 的数学允许这样做。划掉第二段。但是让两个密钥共享相同的模数会极大地损害安全性。如果 Alice 拥有私钥 (m, d) 并且 Cindy 作为私钥 (m, d') - 假设 m 相同 - 那么 Alice 可以在 O(m) 时间内确定 d',给定来自 Cindy 的单个明文/密文对。不好。
With most public implementations of RSA it would not be possible. The decryption routine expects the plaintext to be in a specific format (i. e. properly padded) and fails if it's not. Again, on encryption it would apply padding to the plaintext, instead of using the blob as it is.
/*
The math of RSA allows for that, AFAIK, as long as the moduli of the two keys are coprime (which is true almost always). But you'll probably have to roll your own implementation.
*/
Another problem is that the numeric value of the plaintext block should be smaller than the modulus. So the modulus of the first key should be smaller than that of the second key, otherwise no guarantee that the first cyphertext would be a proper plaintext for the second encryption round.
OpenSSL has, I vaguely recall, a no-padding mode. You might have some luck with that.
EDIT: in general, coming up with your own cryptographic primitives is a bad idea in 99.9% cases. If your interest is purely academic, then be my guest; but if you're after a specific piece of applied functionality (i. e. encrypt something so that the consent of two nontrusting parties is needed to decrypt), then you're definitely on the wrong track.
EDIT2: the math of RSA allows for that if the moduli are identical. Scratch paragraph two. But having two keys share the same modulus compromises security very much. If Alice has private key (m, d) and Cindy as private key (m, d') - assuming same m - then Alice can determine d' in O(m) time, given a single plaintext/cyphertext pair from Cindy. Not good.
对于公钥/私钥加密,答案是否定的。
PubK1(PubK2(plain.text))=>;加密的文本。您必须使用PrivK2(PrivK1(encrypted.text))进行解密。但是,如果您使用对称流密码(例如 RC4),则可以更改解密顺序(A xor B xor C = C xor B xor A)。但这显然不是公钥/私钥算法。
With public key/private key encryption, the answer is no.
PubK1(PubK2(plain.text))=> encrypted.text. You must decrypt withPrivK2(PrivK1(encrypted.text)).However, if you use a symmetric stream cipher such as RC4, then you could change the order of the decryption (A xor B xor C = C xor B xor A). But that is not a public/private key algorithm obviously.
仅当加密算法表现为特定类型的数学群。大多数(全部?)块加密算法都不是这样的组。
This would only be true if the encryption algorithm behaved as a specific kind of mathematical group. Most (all?) block encryption algorithms are not such groups.
据我所知,这应该可以通过对 RSA 进行轻微修改来实现。但我不知道有什么工具可以真正做到这一点。
AFAIK this should be possible with slight modification to RSA. I do not know of any tool which can actually do it though.
不,它不起作用。很简单,您不能保证唯一的解密,因为一个模数比另一个模数大。
编辑:我假设这是 RSA。如果没有,那么我就必须考虑其他一些。
EDIT2:如果您总是愿意首先使用较小的模数,那么它确实有效。
No, it does not work. Very simply, you cannot guarantee unique decryption because one modulus is bigger than the other.
EDIT: I'm assuming this is RSA. If not, then I'd have to think about some of the others.
EDIT2: If you are always willing to use the smaller modulus first, then it does work.