Bouncy Castle 使用轻量级 API 生成 RSA 密钥对
令人惊讶的是,网上关于使用 Bouncy Castle 轻量级 API 的信息非常少。环顾了一段时间后,我能够整理出一个基本的例子:
RSAKeyPairGenerator generator = new RSAKeyPairGenerator();
generator.init(new RSAKeyGenerationParameters
(
new BigInteger("10001", 16),//publicExponent
SecureRandom.getInstance("SHA1PRNG"),//prng
1024,//strength
80//certainty
));
AsymmetricCipherKeyPair keyPair = generator.generateKeyPair();
我对 RSA 和幕后发生的数学有基本的了解,所以我明白什么是 publicExponent 和 strength< /代码> 是。我推测 publicExponent 指的是 phi(pq) 的互质数,据我所知,只要使用适当的填充,它就可以很小(例如 3)。但是,我不知道确定性指的是什么(有些地方提到它可能指的是百分比,但我想确定一下)。 SecureRandom 的使用是不言自明的。 RSAKeyGenerationParameters 的文档完全毫无价值(这并不奇怪)。我唯一的猜测是它与生成的密钥的准确性有关,但我想再次确定一下。所以我的问题是 certainty 和 publicExponent 的适当值是多少?
聚苯乙烯 请不要回复“这取决于上下文 - 您希望信息的安全程度”。假设最高程度的安全性(即 4096 位 RSA 密钥或更高)是相当安全的,除非另有说明...我也很感激提供使用 Bouncy Castle 的轻量级 API 的良好示例的来源链接(我不在所有对 JCA 实施或任何与之相关的示例感兴趣的人)。
Surprisingly enough there's very little information on the Web about using Bouncy Castle's lightweight API. After looking around for a while I was able to put together a basic example:
RSAKeyPairGenerator generator = new RSAKeyPairGenerator();
generator.init(new RSAKeyGenerationParameters
(
new BigInteger("10001", 16),//publicExponent
SecureRandom.getInstance("SHA1PRNG"),//prng
1024,//strength
80//certainty
));
AsymmetricCipherKeyPair keyPair = generator.generateKeyPair();
I have a basic understanding of RSA and the math that happens behind the scenes, so I understand what publicExponent and strength are. I presume publicExponent refers to a coprime of phi(pq) and from what I gather it can be small (like 3) as long as appropriate padding is used. However, I have no idea what certainty refers to (some place mentioned that it might refer to a percentage but I want to be sure). The use of SecureRandom is self-explanatory. The documentation of RSAKeyGenerationParameters is completely worthless (no surprise there). My only guess is that it has something to do with the accuracy of the generated keys, but again I want to be sure. So my question is what are appropriate values for certainty and publicExponent?
P.S.
Please don't reply with "it depends on the context - how secure you want the information to be". It's pretty safe to assume highest degree of security (i.e. 4096-bit RSA key or greater) unless otherwise specified... I would also appreciate links to sources that give good example of the use of Bouncy Castle's Lightweight API (I'm not at all interested in the JCA implementation or any examples pertaining to it).
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(4)
您对两者都使用了正确的值。
publicExponent 应该是一个费马数。 0x10001 (F4) 是当前推荐值。 3 (F1) 也被认为是安全的。
RSA 密钥生成需要素数。然而,不可能产生绝对素数。与任何其他加密库一样,BC 使用可能的素数。确定性表明您希望该数字为素数的确定程度。任何高于 80 的值都会大大减慢密钥生成速度。
请注意,即使素数不是真正的素数,RSA 算法仍然有效,因为 BC 会检查相对素数。
You are using correct values for both.
The publicExponent should be a Fermat Number. 0x10001 (F4) is current recommended value. 3 (F1) is known to be safe also.
The RSA key generation requires prime numbers. However, it's impossible to generate absolute prime numbers. Like any other crypto libraries, BC uses probable prime numbers. The certainty indicate how certain you want the number to be prime. Anything above 80 will slow down key generation considerably.
Please note that RSA algorithm still works in the unlikely event that the prime number is not true prime because BC checks for relative primeness.
我必须深入研究他们的源代码才能“确定”,但我相信
certainty参数直接传递到BigInteger构造函数,其中表示:“新BigInteger表示素数的概率将超过 (1 - 1/2确定性)。此构造函数的执行时间与该参数的值。”因此,如果值为 80,则 280 中该数字不是素数的机会小于 1。该评论表明质数生成时间与此参数呈线性关系,但您应该测试它以确定是否选择增加它。使用与您正在使用的密钥大小一致的值可能是有意义的。例如,NIST 表示 1024 位 RSA 密钥与 80 位对称密钥一样强大。对于 2048 位 RSA 密钥,您可能希望使用 112 位的确定性(等效强度对称密钥大小),依此类推。
听起来您似乎意识到在特殊情况下使用 3 作为公共指数的漏洞。现在几乎普遍使用值 65537。
I'd have to delve into their source code to be "certain", but I believe that the
certaintyparameter is passed straight to theBigIntegerconstructor, which says, "The probability that the newBigIntegerrepresents a prime number will exceed (1 - 1/2certainty). The execution time of this constructor is proportional to the value of this parameter."So, with a value of 80, there is less than 1 chance in 280 that the number will not be prime. The comment suggests that the prime number generation time is linear with respect to this parameter, but you should test that to be sure if you choose to increase it. It might make sense to use a value that is consistent with the key size you are using. For example, NIST says that a 1024-bit RSA key is as strong as an 80-bit symmetric key. For a 2048-bit RSA key, you might want to use a certainty of 112 bits (the equivalent strength symmetric key size), and so on.
It sounds like you are aware of the vulnerability of using 3 as the public exponent in special cases. The value 65537 is used almost universally now.
FIPS PUB 186-3 是一个很好的参考。特别是,附录 B 第 3 节有许多安全参数,以及素数生成算法。
确定性是 Miller-Rabin 素性测试的迭代次数。A good reference is FIPS PUB 186-3. In particular, appendix B section 3 has many security parameters, as well as prime generation algorithms.
certaintyis the number of iterations of the Miller-Rabin primality test.请参阅 crypto.stackexchange.com 上的此答案,了解有关如何计算确定性值的更多信息。
Paŭlo Ebermann 的回答预览:
See this answer on crypto.stackexchange.com for more information on how your value of certainty should be calculated.
Preview of Paŭlo Ebermann's answer: