background
Since the company recently organized some technology sharing, some students mentioned some asymmetric encryption algorithms during the sharing process, and the introduction of the functions of public keys and private keys was somewhat inappropriate , such as:
Private key encryption, public key decryption
I also searched for relevant content on the Internet and found that many netizens, even major domestic manufacturers and some overseas technical articles, use private key encryption (encrypt) and public key decryption in the RSA signature process. This statement It may be convenient to understand some details of digital signatures, but it may cause confusion about the two different concepts of encryption and signature. Below we will introduce RSA and its relationship between signature and encryption. Most of the following content is the translation of some reference content. These references The link to the content will also be placed at the end of the article. If you are interested, you can take a look.
RSA algorithm
This section will first introduce the RSA algorithm, but in order not to get us into mathematical details, we have abstracted some calculation methods.
In 1977, Rivest, Shamir, and Adelman discovered an algorithm that could be used for encryption, called the RSA algorithm:
R(x,k,n) = x^k (mod n)
The parameters x, k, and n are all integers, and their values can be very large. Among them, n is not important in the following discussion. For convenience, we ignore it and abbreviate it as R(x, k).
Along with the RSA algorithm, Rivest, Shamir, and Adelman also discovered a way to choose two keys K and k, which can be calculated as follows:
R(R(x,K),k) = x
R(R(x,k),K) = x
This algorithm means that the RSA algorithm can use a key K to process x into X, and can also use another key k to restore X to x, and vice versa. These are a brief introduction to RSA. As for how k and K are generated, we are not the focus of the discussion, so we will not introduce it in detail for the time being.
RSA encryption
According to the above RSA algorithm, we can use the public key K to establish an encryption scheme, and then use the private key k to decrypt
Enc(m; K) = R(m,K)
Dec(c; k) = R(c,k)
This is to encrypt a plain text message m, encrypt it using the RSA algorithm using the public key, and then decrypt it using the private key
The above is the RSA encryption algorithm introduced in textbooks, but in fact these are not all the content, because encryption using this version of the RSA algorithm is not safe and will receive many attacks. Here is an example:
- Suppose user A sends two messages m1 and m2, and then uses public key K_A to encrypt
c1 = Enc(m1; K) = R(m1,K) = m1^K (mod n)
c2 = Enc(m2; K) = R(m2,K) = m2^K (mod n)
- So what happens if m1 and m2 are the same plaintext message?
c1 = m^K mod n = c2(两条密文是一致的)
Therefore, the traditional Dolev-Yao attack model can observe the contents of plaintext m1 and m2 and their ciphertext on the network. If it is found that a certain ciphertext is consistent with the ciphertext of known content, it is equivalent to decryption. Well, a secure encryption scheme shouldn't be like this.
For more encryption schemes, check out these two books:
- [D. Boneh, A. Joux, and P. Nguyen. Why Textbook ElGamal and RSA Encryption are Insecure. In Proc. AsiaCrypt, 2000.]
- [J. Katz and Y. Lindell. Introduction to Modern Cryptography, section 10.4. Chapman & Hall/CRC, 2008.]。
In order to make this textbook version of RSA encryption more secure, we will preprocess the plaintext information m before using the RSA algorithm. Correspondingly, we will do some post-processing after using the RSA algorithm:
Enc(m; K) = R(pre(m),K)
Dec(c; k) = post(R(c,k))
There are some pre-processing and post-processing schemes, which are usually called padding schemes (not only padding is done internally, this naming is also slightly inappropriate). There is a commonly used padding scheme in RSA, called optimal non-optimal padding scheme. Optimal asymmetric encryption padding (OAEP) was invented by Bellare and Rogaway in 1994. In this scheme, OAEP preprocessing performs cryptographic hashing of an unpredictable temporary data (nonce) through exclusive OR (XOR). To prevent the above attacks we discovered.
Let’s take a closer look at the general content of OAEP:
OAEP preprocessing function:
OAEP-pre(m):
r = random nonce
X = (m || 00...0) XOR H(r) // 对 m 填充 0
Y = r XOR H(X)
output X || Y
OAEP post-processing function, used to restore pre-processed data:
OAEP-post(m'):
split m' into X || Y
r = Y XOR H(X)
(m || 00...0) = X XOR H(r)
output m
- The || symbol represents binary concatenation, H represents the cryptographic hash function, and XOR represents the exclusive OR operation.
Putting these together, we can get the RSA-OAEP encryption scheme:
Enc(m; K) = R(OAEP-pre(m),K)
Dec(c; k) = OAEP-post(R(c,k))
RSA-OAEP is secure against widely accepted definitions of security for encryption schemes. Of course, the "textbook" RSA mentioned above is not secure by this definition.
RSA digital signature
We can use the RSA function to try to establish a digital signature scheme that uses a public key K to verify the signature and a private key K to sign.
Sign(m; k) = R(m,k)
Ver(m; s; K) = R(s,K) == m
To sign a message m, just use the RSA function to generate a signature s based on the private key k. For verification, it is to use the public key and signature s to generate a result through the RSA function, and then compare whether the result is the same as the message content.
The main problem with this simple solution is this: the RSA function cannot accommodate parameters longer than the private key. Simply put, if the message is particularly long, it cannot be passed directly to the RSA function. In the encryption scheme, this problem is achieved through block encryption, while in the signature scheme, we achieve it through the cryptographic hash function.
Sign(m; k) = R(H(m),k)
Ver(m; s; K) = R(s,K) == H(m)
The above is a textbook description of RSA signature. It is more or less like this. You can think that the cryptographic hash function H is equal before and after processing by the R function, so that the signature can be verified. . The process of calling the RSA function in the signature is called "encryption" and "decryption" in many forums or articles. Adding quotation marks to these two words can make it easier for everyone to understand, but removing the quotation marks may cause confusion. , some people even think that when using RSA, the client's transmission to the server is public key encryption and private key decryption, and the server's transmission to the client is private key encryption and public key decryption. This understanding is wrong.
In the signature verification scheme, there is actually a slightly more complex pre-processing and post-processing scheme called PSS (probabilistic signature scheme). This can be considered a safe algorithm, but for the simple scheme above, I I have never heard of effective attack methods. If you are interested, you can learn more.
RSA encryption and RSA digital signature
Let's reiterate the above content. The content of the RSA signature scheme in the "textbook" is as follows:
Enc(m; K) = R(m,K)
Dec(c; k) = R(c,k)
Sign(m; k) = R(m,k)
Ver(m; s; K) = R(s,K) == m
In the same algorithm, these are the actual implementations
Enc(m; K) = R(OAEP-pre(m),K)
Dec(c; k) = OAEP-post(R(c,k))
Sign(m; k) = R(H(m),k)
Ver(m; s; K) = R(s,K) == H(m)
In light of the above, let's consider RAS signing and RSA decryption. Are the signature algorithm and decryption algorithm the same? In actual application scenarios, it is obviously different. Signature introduces a hash function H, and decryption introduces a post-processing function OAEP-post. In the signature, H is directly applied to the message content m, and then the RSA function is executed. During the decryption process, this RSA function is executed first, and then the OAEP-post post-processing function is executed. Similarly, RSA signature verification is obviously different from RSA encryption.
However, compare the similarities between RSA signature and RSA in another way: they both introduce the RSA function and a private key k as parameters. The same RSA signature verification and RSA encryption also introduce the RSA function and a public key. K as a parameter. In this way, you can see the algorithm described in the textbook.
Summarize
In the abstract world of textbooks, RSA signing and RSA decryption do exactly the same thing. But in the actual implementation process, they are not the same. Therefore, never use real-world RSA decryption to compute RSA signatures. In the best case, this implementation will break in a way that you can notice. In the worst case, this will introduce vulnerabilities that attackers can exploit.
There is also the description problem mentioned at the beginning of the article. For many asymmetric encryption algorithms, it is impossible to "encrypt" the private key and "decrypt" the public key. However, due to the particularity of the RSA algorithm, from a mathematical definition, it is possible to "encrypt" the private key and "decrypt" the public key. Therefore, we cannot mistakenly generalize RSA and conclude that any asymmetric encryption algorithm can be used as a digital signature algorithm. In addition to the RSA encryption algorithm having this characteristic, the ElGamal encryption algorithm also has this characteristic, but it is not a common phenomenon. From the purpose of encryption, encryption is to ensure that the data is not discovered by others, and the public key in RSA is available to anyone, which means that anyone can decrypt the content encrypted by the private key, which itself violates the principle of encryption. effect. Therefore, the private key can only be used for signing, and the public key can be used for signature verification.
Reference links:
https://www.cs.cornell.edu/courses/cs5430/2015sp/notes/rsa_sign_vs_dec.php
https://crypto.stackexchange.com/questions/66770/understanding-public-key-and-private-key
https://crypto.stackexchange.com/questions/2123/rsa-encryption-with-private-key-and-decryption-with-a-public-key
https://blog.csdn.net/taolinke/article/details/6432228
https://copyfuture.com/blogs-details/20200401195558268g4s20sqvd2skzqp