Easy to understand and operate, and very popular. The name of the algorithm is named after the inventor: Ron Rivest, Adi.
Chamil and Leonard Aderman. However, the security of RSA has not been proved theoretically.
The security of RSA depends on the decomposition of large numbers. Both the public key and the private key are two large prime numbers (greater than 100
Decimal bit) function. The difficulty of inferring plaintext from one key and ciphertext is equivalent to decomposing two.
The product of large prime numbers.
Generation of key pairs. Choose two big prime numbers, p and Q. Calculate:
n = p * q
Then the encryption key E is randomly selected, and it is required that E and (p- 1) * (q- 1) are prime numbers. Finally, use the
Euclid algorithm calculates the decryption key d, which satisfies
e * d = 1(mod(p- 1)*(q- 1))
Where n and d are also coprime. Sum of the number e
N is the public key and d is the private key. Two prime numbers, P and Q, are no longer needed and should be discarded so that no one knows.
When encrypting information M (binary representation), firstly, M is divided into data blocks m 1, m2, ..., mi and block length s with equal length.
, of which 2 s
Ci = mi^e (modern) (a)
When decrypting, the following calculations are performed:
Mi = ci^d (modern) (b)
RSA can be used for digital signature, and the scheme is to sign with formulas (a) and (b).
Type verification. Considering the factors such as security and the large amount of M information, hash operation is usually done first.
Security of RSA.
The security of RSA depends on the decomposition of large numbers, but whether it is equivalent to the decomposition of large numbers has not been proved theoretically, because
Cracking for no reason
RSA must be decomposed into large numbers. Suppose there is an algorithm that does not need to decompose large numbers, and it can definitely be modified as
Is a large number decomposition algorithm. Currently, RSA
Some variants of this algorithm have been proved to be equivalent to large number decomposition. In any case, decomposing n is the most obvious attack method. at present
Now, people have been able to decompose more than 140 decimal prime numbers. Therefore, the modulus n
It must be larger, depending on the specific application.
The speed of RSA.
Because of the calculation of large numbers, the fastest case of RSA is 100 times slower than DES, whether it is software or hardware.
Implement. Speed has always been RSA's shortcoming. Generally speaking, it is only used to encrypt a small amount of data.
Selective ciphertext attack of RSA.
RSA is vulnerable to selective ciphertext attacks. Attackers usually disguise some information (
Blind), which is signed by the entity that owns the private key. Then, it can get the information it wants through calculation. in fact
The attack takes advantage of the same weakness, that is, the fact that the power keeps the multiplication structure of the input:
(XM) d = x d * m d model n
As mentioned earlier, this inherent problem comes from the most useful feature of public key cryptosystem-everyone can make
Use public key. But this problem can't be solved by algorithm, and there are two main measures: First, adopt a good public key protocol.
To ensure that the entity does not decrypt the information generated by other entities at will and knows nothing about itself.
Signature; The other is never to sign a file sent randomly by a stranger, and use a one-way Hash when signing.
function
Hash documents or use different signature algorithms at the same time. Several different types of attackers are mentioned in.
Law.
Common mode attack of RSA.
If there are modules in the system, but different people have different E and D, the system will be dangerous. The most common
The situation is that the same information is encrypted with different public keys. These public keys are modular and mutually prime, so the information does not need a private key.
Can be restored. Let p be plaintext, two encryption keys e 1 and e2, and public * * * modulus n, then:
C1= p e1module number
C2 = P^e2 Modern
If the cryptanalyst knows n, e 1, e2, C 1 and C2, he can get p.
Because e 1 and e2 are coprime, R and S can be found by Euclidean algorithm, which satisfies:
r * e 1 + s * e2 = 1
Assuming that R is negative, it is necessary to calculate C 1 (- 1) by Euclid algorithm, then
(c 1^(- 1))^(-r)* c2^s = p modn
In addition, there are several other ways to attack by using common mode. In short, if we know a pair of e and d with a given modulus,
, one is conducive to the attacker to decompose the modulus, and the other is conducive to the attacker to calculate other pairs of e' and d' without using
Modulus to be decomposed. There is only one solution, and that is not to enjoy the modulus n.
Small exponent attack of RSA. It's improved.
The suggestion of RSA speed is to let the public key e take a smaller value, which makes encryption easier and faster.
But it is not safe to do so, and the way to deal with it is to take larger values for e and d.
RSA algorithm is the first algorithm that can be used for both encryption and digital signature, and it is also easy to understand and operate. RSA is studying it.
The most widely studied public key algorithm, which has been put forward for nearly 20 years, has experienced the test of various attacks and has gradually become
It is recognized as one of the best public key schemes at present. Republic of South Africa (Republic of South Africa)
The security of RSA depends on the factorization of large numbers, but it is not proved theoretically that RSA decoding and factorization of large numbers are difficult.
Degree equivalence. That is, RSA's major defect is that it can't grasp its security performance in theory, and most cryptographers
People tend to think that factorization is not an NPC problem.
The main disadvantages of RSA are: a) It is very troublesome to generate the key, and it is difficult to complete it at one time due to the limitation of prime number generation technology.
A secret. B) The packet length is too long. To ensure security, n should be at least 600 bits.
Above, the operation cost is very high, especially the speed is slow, which is several orders of magnitude slower than the symmetric cryptographic algorithm; With the increase in the number of people
With the development of digital decomposition technology, this length is still increasing, which is not conducive to the standardization of data formats. Currently, setting (
Secure electronic transaction
In the protocol, CA is required to use a key with a length of 2048 bits, and other entities use a key with a length of 1024 bits.
DSS/DSA algorithm
Digital signature algorithm
(DSA) is a variant of the signature algorithm of Schnorr and ElGamal, and is regarded as DSS (digital signature) by NIST in the United States.
Standard Edition). The following parameters are applied in the algorithm:
Prime number with l bit length. L is a multiple of 64, ranging from 5 12 to1024;
Q: the prime factor of1of p-160;
G: g = h ((p- 1)/q) mod p, h satisfies H.
x:x & lt; Q and x are private keys;
Y: y = g x mod p, (p, q, g, y) is the public key;
H (x): one-way hash function. SHA (secure hash algorithm) is selected in DSS.
p,q,
G can be enjoyed by a group of users, but in practical application, the use of public modulus may bring some threats. Signature and
The verification protocol is as follows:
1.p generates random numbers k, k.
2.p calculate r = (g k mod p) mod q.
s = ( k^(- 1) (H(m) + xr)) mod q
The signature result is (m, r, s).
3. Calculate w = s (- 1) mod q during verification.
u 1 = ( H( m ) * w ) mod q
u2 = ( r * w ) mod q
V = ((g u1* y U2) module p) module q
If v = r, the signature is considered valid.
DSA is a discrete logarithm problem based on integer finite field, and its security is similar to RSA. An important feature of DSA
The point is made public with two prime numbers, so that when using other people's P and Q, you can confirm it even if you don't know the private key.
Whether it is random or tampered with. RSA algorithm doesn't work.
This article comes from CSDN blog.