I've the task to transfer small binary messages (1 or 2 kb long) between a desktop application and mobile devices. The messages should be encrypted asymmetrically (RSA for instance). From what I've learned one should use a hybrid cryptosystem for this kind of task:
我的任务是在桌面应用程序和移动设备之间传输小的二进制消息(1或2 kb长)。消息应该是非对称加密的(例如RSA)。据我所知,应该使用混合密码系统来完成这种任务:
- Generate random symmetric key
- Encrypt plain text with symmetric key (using AES for instance)
- Encrypt symmetric key with public key
- Transmit cipher text and encrypted symmetric key
生成随机对称密钥
使用对称密钥加密纯文本(例如,使用AES)
使用公钥加密对称密钥
传输密文和加密的对称密钥
I'd like to not invent an own format for storing the cipher text and the encrypted symmetric key. So I stumbled over CMS standard (Cryptographic message syntax). At the first glance it looks exactly like what I need. If I understood the standard correctly it embeds the cipher text and the encrypted symmetric key as well as information about the used algorithms.
我不想发明一种自己的格式来存储密文和加密的对称密钥。所以我偶然发现了CMS标准(加密消息语法)。乍一看它看起来就像我需要的一样。如果我正确理解了标准,它会嵌入密文和加密的对称密钥以及有关所用算法的信息。
Can anybody say whether one should use the CMS standard for the outlined task? Does OpenSSL's CMS support is sufficient for my needs?
任何人都可以说是否应该使用CMS标准来完成概述的任务? OpenSSL的CMS支持是否足以满足我的需求?
Cheers, Christian
1 个解决方案
#1
CMS definitely supports the operation sequence you're looking for. On the downside, both the CMS format itself and the OpenSSL API for it are rather complex.
CMS绝对支持您正在寻找的操作顺序。在缺点方面,CMS格式本身和OpenSSL API都相当复杂。
One minor wrinkle is CMS mostly operates in terms of X.509 certificates rather than public keys. You could deal with this in your system either by actually rolling out a PKI, or just using self-signed certificates (which are basically equivalent to passing around bare RSA keys, but have the advantage of being a generic format for binding the key and metadata which is sometimes quite useful to have anyway).
一个小的皱纹是CMS主要使用X.509证书而不是公钥。您可以通过实际推出PKI或仅使用自签名证书(基本上相当于传递裸RSA密钥,但具有绑定密钥和元数据的通用格式)在系统中处理此问题。无论如何,这有时非常有用)。
OpenSSL has next to no documentation of the CMS API; the best reference for it I could find is cms.c in the apps/ directory of the OpenSSL source distribution; the code is structured as one 1000 line main function, which is a little disturbing, but it does perform encryption with a public key so you can probably use that as a guide.
OpenSSL几乎没有CMS API的文档;我能找到的最佳参考是OpenSSL源代码发行版的apps /目录中的cms.c;代码被构造为一个1000行主要功能,这有点令人不安,但它确实使用公钥执行加密,因此您可以将其用作指南。
#1
CMS definitely supports the operation sequence you're looking for. On the downside, both the CMS format itself and the OpenSSL API for it are rather complex.
CMS绝对支持您正在寻找的操作顺序。在缺点方面,CMS格式本身和OpenSSL API都相当复杂。
One minor wrinkle is CMS mostly operates in terms of X.509 certificates rather than public keys. You could deal with this in your system either by actually rolling out a PKI, or just using self-signed certificates (which are basically equivalent to passing around bare RSA keys, but have the advantage of being a generic format for binding the key and metadata which is sometimes quite useful to have anyway).
一个小的皱纹是CMS主要使用X.509证书而不是公钥。您可以通过实际推出PKI或仅使用自签名证书(基本上相当于传递裸RSA密钥,但具有绑定密钥和元数据的通用格式)在系统中处理此问题。无论如何,这有时非常有用)。
OpenSSL has next to no documentation of the CMS API; the best reference for it I could find is cms.c in the apps/ directory of the OpenSSL source distribution; the code is structured as one 1000 line main function, which is a little disturbing, but it does perform encryption with a public key so you can probably use that as a guide.
OpenSSL几乎没有CMS API的文档;我能找到的最佳参考是OpenSSL源代码发行版的apps /目录中的cms.c;代码被构造为一个1000行主要功能,这有点令人不安,但它确实使用公钥执行加密,因此您可以将其用作指南。