RSA asymmetric encryption: padding modes

Disclaimer: This is an original article by the blogger; reprints must include a link to the source. https://blog.csdn.net/makenothing/article/details/88429511

1. Padding modes

1.1 Three common padding modes

RSA encryption has three common padding modes: RSA_PKCS1_PADDING, RSA_PKCS1_OAEP_PADDING, and RSA_NO_PADDING.

Like the symmetric encryption algorithms DES and AES, RSA is a block cipher algorithm: it always operates on a fixed-length block. Unlike AES and similar algorithms, however, its block length is tied to the key length.

The length of the plaintext in each RSA encryption is limited by the padding mode, but the length of each encrypted RSA block is the key length.

| Padding mode | Input | Output |
|---|---|---|
| RSA_PKCS1_PADDING | Must be at least 11 bytes shorter than the RSA key modulus, i.e. RSA_size(rsa) - 11 | Same length as the modulus |
| RSA_PKCS1_OAEP_PADDING | RSA_size(rsa) - 41 | Same length as the modulus |
| RSA_NO_PADDING | Can be as long as the RSA key modulus; if the input plaintext is too long, it must be split and then padded | Same length as the modulus |

1.2 Maximum data length that can be encrypted in each mode

  • With different padding modes, the maximum length of data that the same key can encrypt is different;
  • With different key lengths, the maximum length of data that the same padding mode can encrypt is also different;

Thus, discussing the maximum length a padding mode can encrypt without reference to the key length is not rigorous.

Common key lengths are 1024 bits, 2048 bits, and so on. In theory, a 1024-bit key can encrypt at most 1024 bits of data (i.e. 1024/8 = 128 bytes), and a 2048-bit key can encrypt at most 2048 bits (2048/8 = 256 bytes), but this "textbook RSA" scheme cannot be used in practical applications. In practice RSA is usually combined with a padding technique, which increases the security of RSA. If the padding technique is poor, RSA will not be secure, for the following reasons:

  1. RSA encryption is deterministic, i.e., for a given key, a particular plaintext always maps to the same ciphertext. An attacker can obtain some statistical information about the plaintext from the ciphertext.
  2. If the padding technique is relatively weak, small plaintexts and a small public exponent e are vulnerable to attack.
  3. RSA has a property called malleability: an attacker can transform one ciphertext into another ciphertext such that the change this causes in the plaintext is known. This property does not decrypt the plaintext, but it allows the plaintext to be manipulated in a predictable way. For example, in a banking transaction system, an attacker could use a new ciphertext to directly modify the amount in the original ciphertext, and the modification could go unnoticed by both the user and the recipient.
    So the padding technique determines the level of security of RSA. Optimal Asymmetric Encryption Padding (OAEP) is an excellent padding scheme; it corresponds to the RSA_PKCS1_OAEP_PADDING mode in the table above.
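
The following is an added example, not code from the original article, that makes reasons 1 and 3 and the RSA_size(rsa) - 11 limit concrete. It assumes a constructed toy key built from two Mersenne primes (19-byte modulus, far too small for real use); all function names are hypothetical.

```python
import secrets

# Constructed toy key for illustration only: two Mersenne primes.
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8  # modulus length in bytes, like RSA_size(rsa)


def textbook_encrypt(m: int) -> int:
    """Raw RSA with no padding: the same input always gives the same output."""
    return pow(m, E, N)


def textbook_decrypt(c: int) -> int:
    return pow(c, D, N)


def scaled_plaintext(m: int, factor: int) -> int:
    """Malleability: E(m) * E(factor) mod N decrypts to m * factor mod N."""
    return textbook_decrypt(textbook_encrypt(m) * textbook_encrypt(factor) % N)


def pkcs1_v15_pad(msg: bytes) -> bytes:
    """EM = 00 || 02 || PS (at least 8 random nonzero bytes) || 00 || M."""
    if len(msg) > K - 11:
        raise ValueError(f"message too long: max {K - 11} bytes for this key")
    ps = bytes(secrets.randbelow(255) + 1 for _ in range(K - 3 - len(msg)))
    return b"\x00\x02" + ps + b"\x00" + msg


def pkcs1_v15_unpad(em: bytes) -> bytes:
    sep = em.find(b"\x00", 2)  # separator must follow at least 8 PS bytes
    if len(em) != K or em[:2] != b"\x00\x02" or sep < 10:
        raise ValueError("decryption error")
    return em[sep + 1:]


def padded_encrypt(msg: bytes) -> int:
    return pow(int.from_bytes(pkcs1_v15_pad(msg), "big"), E, N)


def padded_decrypt(c: int) -> bytes:
    return pkcs1_v15_unpad(pow(c, D, N).to_bytes(K, "big"))
```

With this 19-byte modulus the padded input limit is 8 bytes, and two padded encryptions of the same message differ because the padding string is random.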
