openssl rsa OAEP每次加密结果不一样

asdmonster

非常简单的程序,从pem文件读入证书,然后用公钥加密,如果采用其它的padding方式,结果每次都一样,但是如果用RSA_PKCS1_OAEP_PADDING,每次运行的结果都不一样,这是为啥?

代码片断:

1.         pubKey = X509_get_pubkey( x);               
   
2.         ctx = EVP_PKEY_CTX_new( pubKey, 0);
   
3.         EVP_PKEY_encrypt_init(ctx);
   
4.         EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_PKCS1_OAEP_PADDING);
   
5.         out = OPENSSL_malloc(outlen);
   
6.         EVP_PKEY_encrypt(ctx, out, &outlen, in, inlen);
   
7.        
   
8.         fprintf( stdout,"\r\n");
   
9.         for( i = 0;i<outlen;i++){
   
10.                 fprintf( stdout,"%d,",out[i]);
    
11.         }

复制代码

求指点.

shan_ghost

因为EME_OAEP本身就是随机填充。理论上它会更安全一些。

假如用某个固定值，比如0，来填充的话，那么攻击者就相当于知道了你的明文的最后几个字节的内容。虽然目前尚未找到任何通过“选择明文攻击”来对付RSA的可能，但毕竟是提供了一个基础。

填充成随机信息的话，就可以提前堵上这条路。

The EME-OAEP encoding operation introduces some randomness (20 octets in the case of SHA-1),
so that different applications of the encoding operation to the same message will produce different
encoded messages. Furthermore, a deterministic padding operation including the hash of the
encoding parameters is applied to the message to be encoded. In this manner, the encoded message
will have some structure that can be verified by the decoding operation. For example, the decoding
operation is able to extract the hash of the encoding parameters from the encoded message.

asdmonster

shan_ghost 发表于 2013-12-11 12:24
因为EME_OAEP本身就是随机填充。理论上它会更安全一些。

假如用某个固定值，比如0，来填充的话，那么攻击 ...

感谢,但是:最后几个随机填充数,解密的时候怎么解密啊?

当然,我现在遇到的问题实际上是这样的:
同一个证书,同样的rsa算法,用pc java jdk, android jdk, c (openssl)出来的结果都不一样(所以结果也就没法彼此解密),我现在都不知道该设置哪些参数来保证他们一样....

还请指点一下.

shan_ghost

asdmonster 发表于 2013-12-11 12:39
感谢,但是:最后几个随机填充数,解密的时候怎么解密啊?

当然,我现在遇到的问题实际上是这样的:

OAEP文档有说明，不同的应用加密的结果的确是不同的；但解密时，因为随机种子其实是写在加密结果里的，所以可以直接还原：

1.3.1
OAEP encoding operation
EME-OAEP-Encode(M, P, emLen)
Options:
Hash
hash function (hLen denotes the length in octets of the hash function output)
M GF mask generation function
Input:
M message to be encoded, an octet string of length at most emLen − 1 − 2hLen
     (mLen denotes the length in octets of the message)
P encoding parameters, an octet string
9
RSA-OAEP Encryption Scheme / Chapter 1
10
emLen intended length in octets of the encoded message, at least 2hLen + 1
Output: EM
encoded message, an octet string of length emLen
Errors: ‘‘message too long’’; ‘‘parameter string too long’’
1. If the length of P is greater than the input limitation for the hash function (261 − 1 octets for
    SHA-1) then output ‘‘parameter string too long’’ and stop.
2. If mLen > emLen − 2hLen − 1, output ‘‘message too long’’ and stop.
3. Generate an octet string P S consisting of emLen − mLen − 2hLen − 1 zero octets. The length of
        PS may be 0.
4. Let pHash = Hash(P ), an octet string of length hLen.
5. Concatenate pHash, P S , the message M , and other padding to form a data block DB as
  DB = pHash P S 01 M .
6. Generate a random octet string seed of length hLen.
7. Let dbMask = M GF (seed , emLen − hLen).
8. Let maskedDB = DB ⊕ dbMask.
9. Let seedMask = M GF (maskedDB, hLen).
10. Let maskedSeed = seed ⊕ seedMask.
11. Let EM = maskedSeed maskedDB.
12. Output EM .
Remark.
The EME-OAEP encoding operation is illustrated in Figure C.1 at the end of this
document.
1.3.2
OAEP decoding operation
EME-OAEP-Decode(EM, P )
Options:
Hash
hash function (hLen denotes the length in octets of the hash function output)
MGF mask generation function
Input:
EM
encoded message, an octet string of length at least 2hLen + 1 (emLen denotes the
length in octets of EM )
-
P encoding parameters, an octet string
Output: m recovered message, an octet string of length at most emLen − 1 − 2hLen
Errors: ‘‘decoding error’’
1. If the length of P is greater than the input limitation for the hash function (261 − 1 octets for
    SHA-1) then output ‘‘decoding error’’ and stop.
2. If emLen < 2hLen + 1, output ‘‘decoding error’’ and stop.
3. Let maskedSeed be the first hLen octets of EM and let maskedDB be the remaining emLen−hLen
    octets.
4. Let seedMask = M GF (maskedDB, hLen).
5. Let seed = maskedSeed ⊕ seedMask.
6. Let dbMask = M GF (seed , emLen − hLen).
7. Let DB = maskedDB ⊕ dbMask.
8. Let pHash = Hash(P ), an octet string of length hLen.
9. Separate DB into an octet string pHash’ consisting of the first hLen octets of DB , a (possibly
    empty) octet string P S consisting of consecutive zero octets following pHash’, and a message
     M as
    DB = pHash’ P S 01 M.
If there is no 01 octet to separate P S from M , output ‘‘decoding error’’ and stop.
10. If pHash’ does not equal pHash, output ‘‘decoding error’’ and stop.
11. Output M .
Remark.
The EME-OAEP decoding operation is illustrated in Figure C.2 at the end of this
document.

你的问题，原因应该不在这里。先看看调用的解密方法究竟对不对、给解密接口传入的pading方式、以及pading的版本号是否相同。

safedead

去RSA网站下载PKCS1.5的PDF仔细看，关于OAEP的详细说明

A.com

加密结果当然是随机的呀，不然很容易暴力破解的。

shan_ghost

现代加密算法，很多需要通过真随机数生成器先生成一个IV（初始化向量，似乎E文是initial vector？），然后才会继续加密的。

这个IV一般会直接保存在加密信息之前；解密时要先用IV初始化加密算法，然后才能正确解密。这也是为了保证每次加密的结果都不一样。