encryption - RSA-OAEP 与 RSA-PKCS1.5 的区别

Question

关闭。这个问题需要更多focused .它目前不接受答案。












想改善这个问题吗？更新问题，使其仅关注一个问题 editing this post .

3年前关闭。




Improve this question




RSA-OAEP 和 RSA-PKCS1.5 有什么区别？
我的理解是它们都是 RSA 加密，但使用不同的填充方案。
一个比另一个有什么优势？
如果我生成一个 RSA 2048 盗版和公钥对，我可以使用相同的 key 对来加密和解密 OAEP 填充与 PKCS1.5 填充的消息吗？

Answer 1

至少有一个更全面，但尽量简单，答案可以在What is RSA OAEP & RSA PSS in simple terms (InfoSec.SE)找到。

你问了 What is the advantage of one over the other? ，来自 InfoSec.SE 的回答:

What went wrong this time?

It turns out that wrong answers can "decrypt successfully". Any message C is valid against any 4096-bit key k with odds

1/256 * 1/256 * (255/256)^8 * (1 - (255/256)^502)

("first byte is a zero", "second byte is a 2", "no zeros appear within 8 bytes", "a zero appears eventually")

0.004 * 0.004 * 0.996^8 * (1 - 0.996^502)
0.004 * 0.004 * 0.969 * (1 - 0.140)
0.004 * 0.004 * 0.969 * 0.860
1.27e-5

So approximately 1 in every 78 thousand messages is "valid", but wrong. This can confuse Bob and make him say silly things in response. If Eve (who has more free time than Mallory) wants to she can now start sending Bob clever gibberish and observe when he says he's confused, eventually Eve can figure out what the original message was. (Bleichenbacher attack (Crypto.SE))

你还问了 can I use the same key pair to encrypt and decrypt a message that is OAEP padded vs PKCS1.5 padded?
如果您的意思是“软件会让我吗？”答案是肯定的。如果你的意思是“这是个好主意吗？”，好吧，在 FIPS 186-4 , 第 5.1 节，美国政府的要求是

An RSA key pair used for digital signatures shall only be used for one digital signature scheme (e.g., ANS X9.31, RSASSA-PKCS1 v1.5 or RSASSA-PSS; see Sections 5.4 and 5.5). In addition, an RSA digital signature key pair shall not be used for other purposes (e.g., key establishment).

因此，该文档的作者至少会建议不要对 OAEP 和 PKCS1.5 使用相同的 key

IETF RFC 8017 section 6 进一步不推荐这样做:

A generally good cryptographic practice is to employ a given RSA key pair in only one scheme. This avoids the risk that vulnerability in one scheme may compromise the security of the other and may be essential to maintain provable security. [...]

To illustrate the risks related to the employment of an RSA key pair in more than one scheme, suppose an RSA key pair is employed in both RSAES-OAEP (Section 7.1) and RSAES-PKCS1-v1_5. Although RSAES-OAEP by itself would resist attack, an opponent might be able to exploit a weakness in the implementation of RSAES-PKCS1-v1_5 to recover messages encrypted with either scheme.