据我所知,Microsoft 的 RSA CSP 总是生成相同位长的伪素数。因此,如果密钥大小为 1024,则 P 和 Q 值似乎(?)保证各为 512 位?有谁确切知道事实是否如此?
我正在我自己的 RSA 实现和 Microsoft 的实现之间构建一个互操作性模块。就我而言,我在 P 和 P 之间建立了一个小的随机方差。 Q 值,因此对于 1024 位密钥,我最终可能会得到一个值是 506 位,另一个值是 518。在纯粹的实验基础上,如果我将方差锁定为 0(即 P 和 Q 值大小相等)——事情按照他们应该的方式工作,当我使大小变量 Microsoft RSA 对象在导入过程中响应“错误数据”时。
我正在寻找 Microsoft 强制执行相同密钥大小的确认,因此如果有人有任何相关信息,请
在有人有机会问为什么我必须实现自己的 RSA 提供程序之前发布:CryptoAPI 在多线程环境,它在 CryptoServiceProvider 调用上锁定机器密钥库;如果从多个线程访问,这意味着“找不到文件”(相当神秘)错误
对于那些关心的人,请查看此处:http://blogs.msdn.com/b/alejacma/archive/2007/12/03/rsacryptoserviceprovider-fails-when-used-with-asp-net.aspx
From what I can see, Microsoft's RSA CSP always generates identical bitlength pseudo prime numbers. So if the key size is 1024, the P and Q values seem to be (?) guaranteed to be 512 bits each? Does anyone know for sure if this, in fact, is the case?
I'm building an interoperability module between my own RSA implementation and Microsoft's. In my case I have built in a small random variance between P & Q values so for 1024 bit key I could end up with one value being 506 bits and the other 518. On purely experimental basis, if I lock the variance to 0 (i.e. the P & Q values are equal in size) -- Things work the way they should, I soon as I make the size variable Microsoft RSA object responds with "Bad Data" during import process.
I'm looking for a confirmation that Microsoft enforces equal key sizes, so if anyone has any information on it, please post
Before someone has a chance to ask why I had to implement my own RSA provider : CryptoAPI doesn't play nice in a multithreaded environment, it locks the machine keystore on CryptoServiceProvider calls; which means "File not found" (rather cryptic) errors if accessed from multiple threads
For those that care, take a look here: http://blogs.msdn.com/b/alejacma/archive/2007/12/03/rsacryptoserviceprovider-fails-when-used-with-asp-net.aspx
发布评论
评论(2)
Microsoft 的 RSA CSP 生成并使用私钥,可以按照 在此页面,看起来像这样:
因此 CSP 可以处理(特别是生成)的私钥必须具有以下属性:
从技术上讲,私有指数 d 有无限多个可能的值,对于
exponent1和exponent2也是如此,因为数学上最重要的是d 对 p-1 和 q-1 取模;建议接受稍长的私有指数部分,如果它们最终具有较低的汉明权重,因为这会带来一些性能优势。底线:上述格式不会让您这样做。密钥必须能够被 Microsoft 代码接受的其他特征(但在上面的描述中没有直接报告):
prime1) 必须大于第二个素数的数值(q,又名prime2)。因此,有许多 RSA 密钥对根据 RSA 标准,但不能由 Microsoft RSA CSP 代码处理。值得注意的是最后一个关于公共指数大小的约束:这意味着该约束比 CSP 更通用;如果您设置的 SSL 服务器的公钥(在其证书中)具有不适合 32 位的公共指数,则 Internet Explorer 将无法连接到它。
因此,在实践中,如果您生成 RSA 密钥对,则必须确保它们符合上述规则。不要担心:据我们所知,这些规则不会降低安全性。
Microsoft's RSA CSP generates and uses private keys which it can export and import in the format described on this page, and looks like this:
So private keys that the CSP can handle (and in particular generate) must have the following properties:
Technically, there are infinitely many possible values for the private exponent d, and similarly for
exponent1andexponent2because all that mathematically matters are the value of d modulo p-1 and q-1; it has been suggested to accept slightly longer private exponent parts if they end up with a lower Hamming weight, because this would lead to some performance benefits. Bottom-line: the format described above will not let you do that.Other characteristics that the key must have to be acceptable to Microsoft's code (but not directly reported in the description above):
prime1) must be greater than the numerical value of the second prime (q, akaprime2).rsapubkeyfield) must fit in a 32-bit integer (unsigned).Therefore there are many RSA key pairs which are nominally valid as per the RSA standard, but which cannot be handled by Microsoft RSA CSP code. Noteworthy is the last constraint, on the public exponent size: this means that the constraint is more general than just the CSP; if you setup a SSL server where the server's public key (in its certificate) has a public exponent which does not fit in 32 bits, then Internet Explorer will not be able to connect to it.
So, in practice, if you generate RSA key pairs, you will have to make sure that they comply with the rules above. Do not worry: to the best of our knowledge, these rules do not lower security.
我自己的工作/实验,进行 Mono 的(托管)RSA 实现和单元测试,表明 Microsoft 实现导入 RSA 参数值时需要特定
byte[]大小。当人们使用 BigInteger 转换参数时,这也是一个常见的互操作性问题(有一些关于它的问题),因为它们通常比 MS 期望和需要的要小一些(例如少 1 个字节)是 0 填充的。
所以我很确定你可以填充较小的值以使 MS 接受它,但你可能无法让它接受更大的值。
My own work/experimentations, doing Mono's (managed) RSA implementation and unit tests, shows that Microsoft implementation requires specific
byte[]size when importing RSA parameter values.It's also a common interoperability issue (there are some SO questions about it) when people using BigInteger to convert their parameters since they often are a bit smaller (e.g. 1 byte less) than what MS expect and needs to be 0-padded.
So I'm pretty sure you can pad your smaller value to make MS accept it, but you'll likely not be able to make it accept a larger value.