This article introduces the key length, plaintext length and ciphertext length that must be taken into account in RSA encryption and decryption. For developers meeting RSA for the first time, it is a fairly complicated algorithm, and that complexity exists because mathematicians took both efficiency and security into account.
In this article we discuss the concepts of key length, plaintext length and ciphertext length, along with RSA theory and examples. Speaking of keys, we have to mention RSA's three important large numbers: the public key exponent E, the private key exponent D and the modulus N. These three large numbers are what we deal with directly when using RSA. Once the basic concepts in this article are understood, even developers who have never worked with RSA can use an RSA library comfortably; there is no need for a deep understanding of how E, D and N are generated, only of how to use them and what to watch out for.
I. Key length
1. What does "key" refer to?
First of all, what do we mean by "key"? An RSA key is distributed as a pair of values, (public key + modulus) or (private key + modulus); handing someone a public or private key on its own is useless, so "key" really means one of these pairs. The "key length" we talk about, however, is generally just the bit length of the modulus. Current mainstream choices: 1024, 2048, 3072, 4096 ...
2. What is the mainstream modulus length?
At present the mainstream key length is at least 1024 bits; keys below 1024 bits are not recommended (security issue). So where is the cap? There is no upper limit; any larger size can be used. Take a mainstream modulus of 1024 bits: the actual result of key generation may be slightly less than 1024 bits. The value is not exact because it depends on the prime generation algorithm. We simply tell the prime generator "generate a prime of nearly 1024 bits for me", and the generator answers "fine, here is A, it is about 1024".
Is the prime generator really that powerful? Ask for 1024 bits and get a large integer of exactly 1024 bits? In reality the prime generator only "gropes around" among integers near 1024 bits. It does not have it easy either: it has to be fast, accurate and random, so it can only do its best. Finding a 1024-bit value is good luck; if it does not find one, a 1023-bit value gets handed out as well :).
3. How is the public key exponent determined?
The public key exponent can be chosen freely, but the industry generally uses 65537 (0x10001, 5bits); this value is the smallest number other than 1, 3, 5, 17 and 257. Why not choose a larger one? That is possible, of course, but the aim is to satisfy relative security while keeping the (encryption) computation fast. It is a value recommended by PKCS#1.
The public key exponent is deliberately chosen small, which means the corresponding private key exponent is certainly very large. The intent is clear: everyone encrypts with the public key and everyone's time is precious, so encryption must be fast; only one person decrypts with the private key, so a little more time there is acceptable. It is a typical case of the few deferring to the many.
4. How is the private key exponent determined?
While the public key exponent can be chosen freely, the private key exponent cannot; it can only be computed from the algorithm's formula (e*d % k = 1, k = (p-1)(q-1)). So how many bits will the private key exponent have? From the relationship between e and d, the private key exponent is d = (x*k+1)/e, so looking at this formula alone, the private key exponent does not seem to be a unique result and may be greater or less than 1024 bits, but by convention we take a large integer of less than 1024 bits.
In actual operation and storage, these values (the public key exponent included) are for convenience generally handled at the standard bit length, with the leading part padded with 0, so when saving and converting these keys, pay attention to using a uniform buffer length.
II. Plaintext length
The statement found online that the plaintext length must be less than or equal to the key length (in bytes) - 11 is not very accurate; it gives people the impression that RSA 1024 can only encrypt 117 bytes of plaintext. In fact, the RSA algorithm itself requires that the plaintext, taken as a large integer m, satisfy 0<m<n; that is, the value must not exceed n, or an error results. So what is the result if m=0? Generic RSA encryption simply returns an all-zero result. And if m>n, will the operation go wrong?! What then? Read on.
So the longest plaintext RSA can actually encrypt is 1024 bits, but this raises two questions:
What if it is shorter than this length? Then padding is needed, because without padding the recipient cannot determine the true length of the content. For strings and the like this is not much of a problem, since 0 serves as the terminator, but for binary data it is hard, because it is not certain whether a following 0 is content or the terminator.
As soon as padding is used, it occupies part of the available plaintext length, hence the figure of 117 bytes. The padding standards in common use include NoPadding, OAEPPadding, PKCS1Padding, etc., of which the padding recommended by PKCS#1 takes up 11 bytes.
What if it is larger than this length? Many algorithms put their padding at the end, but PKCS padding goes at the front. This is by design: the first byte is deliberately set to 0 to ensure that the value of m is less than n.
Thus 128 bytes (1024 bits) minus 11 bytes is exactly 117 bytes. For RSA encryption the padding takes part in the encryption too, so the operation is still understood as working on 1024 bits, but the actual plaintext is only 117 bytes.
For the PKCS#1 padding specification, see RFC 2313, section 8.1. Before we hand the plaintext to the RSA cipher, we need to check whether its value is greater than n, that is, if it is close to n in bit length, it must be padded and then encrypted in fragments. Padding is unnecessary only when the encryption is of a fixed length and format that we control and understand ourselves.
III. Ciphertext length
The ciphertext length is the bit length of the result of encrypting a plaintext that meets the conditions above. The ciphertext bit length can be determined to be the same as the key bit length, because of the encryption formula (p here being the plaintext value):
C = (p^e) % n
Therefore the maximum of C is n-1, so it cannot have more bits than n. It may have fewer bits than n, but for transmission and storage the standard bit length is still used, so even if we encrypt a single byte of plaintext, the result is handled at the standard bit length (unless we take steps to record the real bit length, which is generally not considered).
As for encrypting a plaintext in multiple fragments, the ciphertext length naturally multiplies, but that is no longer a question of a single encryption and cannot be considered together with it.
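The length rules from sections I to III in one runnable sketch, added here as an example and not code from the original article: it generates a key whose modulus may come out at 1023 or 1024 bits, derives d from e*d % k = 1, applies the RFC 2313 block-type-02 padding with its 11-byte overhead, and returns ciphertext at the fixed modulus length. All function names are illustrative assumptions, and the pure-Python arithmetic is for studying the lengths only.

```python
import secrets
E = 65537  # public exponent named on the page

def is_probable_prime(n, rounds=20):  # Miller-Rabin
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    s = ((n - 1) & -(n - 1)).bit_length() - 1  # n - 1 == d * 2**s, d odd
    d = (n - 1) >> s
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_prime(bits):
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # top bit set, odd
        if is_probable_prime(c):
            return c

def keygen(bits=1024):
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        k = (p - 1) * (q - 1)
        if p != q and k % E:  # E is prime, so it is invertible unless it divides k
            return p * q, pow(E, -1, k)  # (n, d) with E*d % k == 1

def pad(data, klen):  # RFC 2313 section 8.1, block type 02
    if len(data) > klen - 11:
        raise ValueError("plaintext exceeds key length - 11 bytes")
    ps = bytes(secrets.randbelow(255) + 1 for _ in range(klen - 3 - len(data)))
    return b"\x00\x02" + ps + b"\x00" + data  # leading 00 keeps m < n

def encrypt(data, n):
    klen = (n.bit_length() + 7) // 8  # modulus size in bytes
    return pow(int.from_bytes(pad(data, klen), "big"), E, n).to_bytes(klen, "big")

def decrypt(ct, n, d):
    eb = pow(int.from_bytes(ct, "big"), d, n).to_bytes(len(ct), "big")
    sep = eb.find(b"\x00", 2)  # first 00 after the padding string
    if eb[:2] != b"\x00\x02" or sep < 10:
        raise ValueError("bad padding")
    return eb[sep + 1:]
```

With `n, d = keygen(1024)`, `encrypt(b"A", n)` is 128 bytes long even though the plaintext is one byte, and `pad` rejects anything over 117 bytes.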