RSA 签名大小?
我想知道RSA签名的长度是多少?它是否始终与 RSA 密钥大小相同,例如如果密钥大小为 1024,则 RSA 签名为 128 字节,如果密钥大小为 512 位,则 RSA 签名为 64 字节?什么是 RSA 模数? 另外 RSA-sha1 是什么意思? 任何指点都非常感激。
I would like to know what is the length of RSA signature ? Is it always the same size as the RSA key size like if the key size is 1024 then RSA signature is 128 bytes , if the key size is 512 bits then RSA signature is 64 bytes ? what is RSA modulus ?
Also what does RSA-sha1 mean ?
Any pointers greatly appreciated.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
你是对的,RSA 签名大小取决于密钥大小,RSA 签名大小等于模数的长度(以字节为单位)。这意味着对于“n 位密钥”,生成的签名将恰好是 n 位长。尽管计算出的签名值不一定是 n 位,但结果将被填充以精确匹配 n 位。
现在其工作原理如下: RSA 算法基于 < a href="http://en.wikipedia.org/wiki/Modular_exponentiation" rel="nofollow noreferrer">模幂。对于这样的计算,最终结果是“正常”结果除以模数的余数。模算术在数论中发挥着重要作用。同余 (i) 的定义是
简单的例子 - 让 n = 2 且 k = 7,然后
7 实际上确实除以 0,除法的定义是
。对于 a = 7 且 b = 0,选择 n = 0。这意味着每个整数都可以整除 0,但也意味着同余可以展开为负数(这里不再赘述,这对 RSA 来说并不重要)。
所以要点是,同余原理扩展了我们对余数的天真的理解,模数是“模后的数字”,在我们的例子中,它是 7。由于给定模数,有无数个全等的数字,我们说将此作为同余类,并且通常选择一个代表(最小的同余整数> 0)进行计算,就像我们在讨论计算的“余数”时直观地所做的那样。
在 RSA 中,对消息 m 进行签名意味着用“私有指数”d 求幂,结果 r 是最小整数 >0 且小于模 n,因此
这意味着两件事
为了使签名恰好为 n 位长,需要应用某种形式的填充。比照。 PKCS#1 为有效选项。
第二个事实意味着大于 n 的消息必须通过将 m 分成几个 <= n 的块来进行签名,但这在实践中并没有这样做,因为它太慢了(模幂的计算成本很高),所以我们需要另一种方法来“压缩”我们的消息以小于 n。为此,我们使用加密安全哈希函数,例如您提到的 SHA-1。将 SHA-1 应用于任意长度的消息 m 将产生一个 20 字节长的“哈希”,小于 RSA 模数的典型大小,常见大小为 1024 位或 2048 位,即 128 或 256 字节,因此签名计算可以应用于任意消息。
这种散列函数的加密属性确保(理论上 - 签名伪造是研究界的一个大话题)除了暴力破解之外不可能伪造签名。
You are right, the RSA signature size is dependent on the key size, the RSA signature size is equal to the length of the modulus in bytes. This means that for a "n bit key", the resulting signature will be exactly n bits long. Although the computed signature value is not necessarily n bits, the result will be padded to match exactly n bits.
Now here is how this works: The RSA algorithm is based on modular exponentiation. For such a calculation the final result is the remainder of the "normal" result divided by the modulus. Modular arithmetic plays a large role in Number Theory. There the definition for congruence (≡) is
Simple example - let n = 2 and k = 7, then
7 actually does divide 0, the definition for division is
For a = 7 and b = 0 choose n = 0. This implies that every integer divides 0, but it also implies that congruence can be expanded to negative numbers (won't go into details here, it's not important for RSA).
So the gist is that the congruence principle expands our naive understanding of remainders, the modulus is the "number after mod", in our example it would be 7. As there are an infinite amount of numbers that are congruent given a modulus, we speak of this as the congruence classes and usually pick one representative (the smallest congruent integer > 0) for our calculations, just as we intuitively do when talking about the "remainder" of a calculation.
In RSA, signing a message m means exponentiation with the "private exponent" d, the result r is the smallest integer >0 and smaller than the modulus n so that
This implies two things
To make the signature exactly n bits long, some form of padding is applied. Cf. PKCS#1 for valid options.
The second fact implies that messages larger than n would either have to be signed by breaking m in several chunks <= n, but this is not done in practice since it would be way too slow (modular exponentiation is computationally expensive), so we need another way to "compress" our messages to be smaller than n. For this purpose we use cryptographically secure hash functions such as SHA-1 that you mentioned. Applying SHA-1 to an arbitrary-length message m will produce a "hash" that is 20 bytes long, smaller than the typical size of an RSA modulus, common sizes are 1024 bits or 2048 bits, i.e. 128 or 256 bytes, so the signature calculation can be applied for any arbitrary message.
The cryptographic properties of such a hash function ensures (in theory - signature forgery is a huge topic in the research community) that it is not possible to forge a signature other than by brute force.