RSA 加密的结果是否保证是随机的
我使用 RSACryptoServiceProvider 来加密一些小数据块。对于我正在研究的解决方案,重要的是,如果使用相同的公钥对同一段源数据加密两次,则结果(加密的数据块)不相同。
我已经用一个例子对此进行了检查,它的效果正如我所希望的那样。我现在的问题是,这种行为是否是设计使然并得到保证的,或者我是否必须在源数据中添加一些随机部分以保证具有相同数据的数据块在加密后不再匹配。
下面是一个例子:
byte[] data=new byte[]{1,7,8,3,4,5};
RSACryptoServiceProvider encrypter = cert.PublicKey.Key as RSACryptoServiceProvider;
byte[] encryptedData = encrypter.Encrypt(data,true);
// encryptedData has always other values in, although the source data is always
// 1,7,8,3,4,5 and the certificate is always the same (loaded from disk)
具体问题是针对 .net 的,但如果是设计使然的话,也许可以为所有 RSA 实现给出一般性的答案?
I use RSACryptoServiceProvider to encrypt some small blocks of data. For the solution I'm working on, it's important that if the same piece of source data is encrypted twice with the same public key, the result (the encrypted block of data) is not the same.
I have checked this with an example and it worked like I hoped. My question is now, if this behaviour is by design and guaranteed or if I have to add some random part to the source data for guaranteeing that data blocks with the same data can not be matched anymore after encryption.
Here is the example:
byte[] data=new byte[]{1,7,8,3,4,5};
RSACryptoServiceProvider encrypter = cert.PublicKey.Key as RSACryptoServiceProvider;
byte[] encryptedData = encrypter.Encrypt(data,true);
// encryptedData has always other values in, although the source data is always
// 1,7,8,3,4,5 and the certificate is always the same (loaded from disk)
The concrete question is for .net but maybe the answer can be given in general for all RSA-implementations if it is by design?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
教科书上的RSA加密算法是确定性的:(
这里
^是整数求幂,mod是余数运算。)但是正如您所说,这并不能提供良好的安全保证,作为可以猜测明文的攻击者可以通过自己加密并比较结果来简单地验证这个猜测。
因此,官方 RSA 规范(以及实践中使用的所有实现)包含一些(部分随机)填充,因此我们实际上并不加密
plaintext,而是pad(plaintext)< /code>:解密:
只有有了这个填充,RSA实际上才是一种安全的加密方案。
类似的填充也用于 RSA 签名,以避免轻易伪造签名。
The text-book RSA encryption algorithm is deterministic:
(Here
^is integer exponentiation,modthe remainder operation.)But as you remarked, this does not provide a good security guarantee, as an attacker which can guess the plaintext can simply verify this guess by encrypting it himself and comparing the results.
For this reason, the official RSA specifications (and also all implementations used in practice) include some (partly random) padding, so we don't actually encrypt
plaintext, butpad(plaintext):Decryption:
Only with this padding RSA is actually a secure encryption scheme.
A similar padding is also used for RSA signatures, to avoid easy forging of signatures.