Surprisingly enough there's very little information on the Web about using Bouncy Castle's lightweight API. After looking around for a while I was able to put together a basic example:
令人惊讶的是,网上关于使用Bouncy Castle的轻量级API的信息非常少。环顾四周后,我能够把一个基本的例子放在一起:
RSAKeyPairGenerator generator = new RSAKeyPairGenerator();
generator.init(new RSAKeyGenerationParameters
(
new BigInteger("10001", 16),//publicExponent
SecureRandom.getInstance("SHA1PRNG"),//prng
1024,//strength
80//certainty
));
AsymmetricCipherKeyPair keyPair = generator.generateKeyPair();
I have a basic understanding of RSA and the math that happens behind the scenes, so I understand what publicExponent and strength are. I presume publicExponent refers to a coprime of phi(pq) and from what I gather it can be small (like 3) as long as appropriate padding is used. However, I have no idea what certainty refers to (some place mentioned that it might refer to a percentage but I want to be sure). The use of SecureRandom is self-explanatory. The documentation of RSAKeyGenerationParameters is completely worthless (no surprise there). My only guess is that it has something to do with the accuracy of the generated keys, but again I want to be sure. So my question is what are appropriate values for certainty and publicExponent?
我对RSA和幕后发生的数学有基本的了解,所以我理解了publicExponent和strength是什么。我认为publicExponent指的是phi(pq)的互质,并且从我收集的它可以是小的(如3),只要使用适当的填充。但是,我不知道确定性是指什么(某些地方提到它可能指的是一个百分比,但我想确定)。 SecureRandom的使用是不言自明的。 RSAKeyGenerationParameters的文档完全没有价值(毫不奇怪)。我唯一的猜测是它与生成的键的准确性有关,但我想再次确定。所以我的问题是什么是确定性和publicExponent的适当值?
P.S. Please don't reply with "it depends on the context - how secure you want the information to be". It's pretty safe to assume highest degree of security (i.e. 4096-bit RSA key or greater) unless otherwise specified... I would also appreciate links to sources that give good example of the use of Bouncy Castle's Lightweight API (I'm not at all interested in the JCA implementation or any examples pertaining to it).
附:请不要回答“这取决于具体情况 - 您希望信息的安全性”。假设最高程度的安全性(即4096位RSA密钥或更高)是非常安全的,除非另有说明......我也非常感谢链接,这些链接提供了使用Bouncy Castle的轻量级API的良好示例(我不是所有对JCA实施感兴趣或任何与之相关的例子)。
4 个解决方案
#1
10
You are using correct values for both.
您正在为两者使用正确的值。
The publicExponent should be a Fermat Number. 0x10001 (F4) is current recommended value. 3 (F1) is known to be safe also.
publicExponent应该是费马数。 0x10001(F4)是当前推荐值。已知3(F1)也是安全的。
The RSA key generation requires prime numbers. However, it's impossible to generate absolute prime numbers. Like any other crypto libraries, BC uses probable prime numbers. The certainty indicate how certain you want the number to be prime. Anything above 80 will slow down key generation considerably.
RSA密钥生成需要素数。但是,生成绝对素数是不可能的。与任何其他加密库一样,BC使用可能的素数。确定性表明你希望这个数字是多么肯定。高于80的任何东西都会大大降低密钥生成速度。
Please note that RSA algorithm still works in the unlikely event that the prime number is not true prime because BC checks for relative primeness.
请注意,RSA算法仍然适用于质数不是真素数的不太可能的事件,因为BC检查相对质数。
#2
8
I'd have to delve into their source code to be "certain", but I believe that the certainty parameter is passed straight to the BigInteger constructor, which says, "The probability that the new BigInteger represents a prime number will exceed (1 - 1/2certainty). The execution time of this constructor is proportional to the value of this parameter."
我必须深入研究他们的源代码是“确定的”,但我相信确定性参数会直接传递给BigInteger构造函数,该构造函数说:“新BigInteger表示素数的概率将超过(1 - 1 / 2certainty)。此构造函数的执行时间与此参数的值成比例。“
So, with a value of 80, there is less than 1 chance in 280 that the number will not be prime. The comment suggests that the prime number generation time is linear with respect to this parameter, but you should test that to be sure if you choose to increase it. It might make sense to use a value that is consistent with the key size you are using. For example, NIST says that a 1024-bit RSA key is as strong as an 80-bit symmetric key. For a 2048-bit RSA key, you might want to use a certainty of 112 bits (the equivalent strength symmetric key size), and so on.
因此,当值为80时,280中的机会少于1,该数字将不是素数。注释表明素数生成时间相对于此参数是线性的,但您应该测试以确定是否选择增加它。使用与您正在使用的密钥大小一致的值可能是有意义的。例如,NIST表示1024位RSA密钥与80位对称密钥一样强。对于2048位RSA密钥,您可能希望使用112位的确定性(等效强度对称密钥大小),依此类推。
It sounds like you are aware of the vulnerability of using 3 as the public exponent in special cases. The value 65537 is used almost universally now.
听起来你知道在特殊情况下使用3作为公共指数的漏洞。现在几乎普遍使用值65537。
#3
3
A good reference is FIPS PUB 186-3. In particular, appendix B section 3 has many security parameters, as well as prime generation algorithms.certainty is the number of iterations of the Miller-Rabin primality test.
一个很好的参考是FIPS PUB 186-3。特别是,附录B第3节有许多安全参数,以及素数生成算法。确定性是Miller-Rabin素数检验的迭代次数。
#4
2
See this answer on crypto.stackexchange.com for more information on how your value of certainty should be calculated.
有关如何计算确定性值的更多信息,请参阅crypto.stackexchange.com上的此答案。
Preview of Paŭlo Ebermann's answer:
预览PaŭloEbermann的回答:
Certainty of x bits means that the probability that something (in this case p being prime) not being true is smaller than 2−x. This is the same probability as guessing a random x-bit value correctly on the first try, hence the name.
x位的确定性意味着某事物(在这种情况下p为素数)不为真的概率小于2-x。这与在第一次尝试时正确猜测随机x位值的概率相同,因此得名。
How to select x? We want the probability of p (and q) not being prime to be small enough that a failure probability in this point is not larger than other ways the system could be broken - like guessing a symmetric key, factoring the modulus etc.
如何选择x?我们希望p(和q)不是素数的概率足够小,以至于此点的失败概率不大于系统可能被破坏的其他方式 - 比如猜测对称密钥,分解模数等。
So here a correspondence table of symmetric and asymmetric key sizes should help. http://www.keylength.com/ Pick the same prime certainty as you would pick an symmetric key size accompanying your public key usage.
所以这里对称和非对称密钥大小的对应表应该有所帮助。 http://www.keylength.com/选择与您使用公钥时选择对称密钥大小相同的主要确定性。
#1
10
You are using correct values for both.
您正在为两者使用正确的值。
The publicExponent should be a Fermat Number. 0x10001 (F4) is current recommended value. 3 (F1) is known to be safe also.
publicExponent应该是费马数。 0x10001(F4)是当前推荐值。已知3(F1)也是安全的。
The RSA key generation requires prime numbers. However, it's impossible to generate absolute prime numbers. Like any other crypto libraries, BC uses probable prime numbers. The certainty indicate how certain you want the number to be prime. Anything above 80 will slow down key generation considerably.
RSA密钥生成需要素数。但是,生成绝对素数是不可能的。与任何其他加密库一样,BC使用可能的素数。确定性表明你希望这个数字是多么肯定。高于80的任何东西都会大大降低密钥生成速度。
Please note that RSA algorithm still works in the unlikely event that the prime number is not true prime because BC checks for relative primeness.
请注意,RSA算法仍然适用于质数不是真素数的不太可能的事件,因为BC检查相对质数。
#2
8
I'd have to delve into their source code to be "certain", but I believe that the certainty parameter is passed straight to the BigInteger constructor, which says, "The probability that the new BigInteger represents a prime number will exceed (1 - 1/2certainty). The execution time of this constructor is proportional to the value of this parameter."
我必须深入研究他们的源代码是“确定的”,但我相信确定性参数会直接传递给BigInteger构造函数,该构造函数说:“新BigInteger表示素数的概率将超过(1 - 1 / 2certainty)。此构造函数的执行时间与此参数的值成比例。“
So, with a value of 80, there is less than 1 chance in 280 that the number will not be prime. The comment suggests that the prime number generation time is linear with respect to this parameter, but you should test that to be sure if you choose to increase it. It might make sense to use a value that is consistent with the key size you are using. For example, NIST says that a 1024-bit RSA key is as strong as an 80-bit symmetric key. For a 2048-bit RSA key, you might want to use a certainty of 112 bits (the equivalent strength symmetric key size), and so on.
因此,当值为80时,280中的机会少于1,该数字将不是素数。注释表明素数生成时间相对于此参数是线性的,但您应该测试以确定是否选择增加它。使用与您正在使用的密钥大小一致的值可能是有意义的。例如,NIST表示1024位RSA密钥与80位对称密钥一样强。对于2048位RSA密钥,您可能希望使用112位的确定性(等效强度对称密钥大小),依此类推。
It sounds like you are aware of the vulnerability of using 3 as the public exponent in special cases. The value 65537 is used almost universally now.
听起来你知道在特殊情况下使用3作为公共指数的漏洞。现在几乎普遍使用值65537。
#3
3
A good reference is FIPS PUB 186-3. In particular, appendix B section 3 has many security parameters, as well as prime generation algorithms.certainty is the number of iterations of the Miller-Rabin primality test.
一个很好的参考是FIPS PUB 186-3。特别是,附录B第3节有许多安全参数,以及素数生成算法。确定性是Miller-Rabin素数检验的迭代次数。
#4
2
See this answer on crypto.stackexchange.com for more information on how your value of certainty should be calculated.
有关如何计算确定性值的更多信息,请参阅crypto.stackexchange.com上的此答案。
Preview of Paŭlo Ebermann's answer:
预览PaŭloEbermann的回答:
Certainty of x bits means that the probability that something (in this case p being prime) not being true is smaller than 2−x. This is the same probability as guessing a random x-bit value correctly on the first try, hence the name.
x位的确定性意味着某事物(在这种情况下p为素数)不为真的概率小于2-x。这与在第一次尝试时正确猜测随机x位值的概率相同,因此得名。
How to select x? We want the probability of p (and q) not being prime to be small enough that a failure probability in this point is not larger than other ways the system could be broken - like guessing a symmetric key, factoring the modulus etc.
如何选择x?我们希望p(和q)不是素数的概率足够小,以至于此点的失败概率不大于系统可能被破坏的其他方式 - 比如猜测对称密钥,分解模数等。
So here a correspondence table of symmetric and asymmetric key sizes should help. http://www.keylength.com/ Pick the same prime certainty as you would pick an symmetric key size accompanying your public key usage.
所以这里对称和非对称密钥大小的对应表应该有所帮助。 http://www.keylength.com/选择与您使用公钥时选择对称密钥大小相同的主要确定性。