更新时间:2023-02-06 19:07:24
删除填充使系统不安全。如果公共密钥确实是公开的,那么攻击者可以简单地去第5列,明文,并按照正确的顺序用4个公钥进行加密。然后,他们可以将得到的密文与来自密码的密码相匹配,从而损害无强制属性。
随机填充阻止了这一点,因为攻击者不知道什么
您将需要使用正常填充,但会向审核员的一小部分(通常称为选举系统中的监察员)显示一部分私钥)。这意味着一个监察员可以确认列1与列2匹配,另一个可以确认列2与列3匹配,依此类推。一个个人的监票员不能将投票人与投票相匹配,只能合作。
由于每个模数不同,所以重新得到消息大于模数的错误,所以来自一个加密的密文可能超出下一次加密的允许范围。
This is my first question on this site, and I only have a basic mathematical understanding of RSA, so please bear with me! :)
I'm writing a Java web application for my final year project at university. It's a web-based implementation of "Pret-a-voter", a secure voting system, for those who have heard of it.
Essentially my problem is that I want to be able to give someone performing the role of an auditor:
I then want the auditor to be able to perform encryption using the first two items, and be satisfied that the third is the result. I therefore need the encryption to be deterministic, i.e. generate the same cipherdata each time encryption with the same plaintext and public key are repeated.
(Note - I'm working with very small blocks of data in this project - there is no symmetric encryption involved at all... I'm aware this is an "interesting" use of RSA!)
Anyway I found that in Java, using
cipher = Cipher.getInstance("RSA");
uses the default random padding scheme, at a cost of 11 bytes (so with a 2048-bit key pair, it's possible to encrypt 2048/8-11 = 245 bytes). Repeated encryptions of the same plaintext generate different ciphertexts, which is obviously not the ECB mode that I want.
My question is - should I use the following?
cipher = Cipher.getInstance("RSA/ECB/NoPadding");
I've read in lots of places that RSA is insecure without padding. Is that simply because an attacker can build a dictionary of plaintexts/ciphertexts? This is a side-effect of the deterministic encryption I require in order to allow auditors to verify my encryption, and in my scheme auditors are trusted, so that would be OK.
Part two of my question is more java-related. If I do use RSA/ECB/NoPadding as above, I believe I'm able to provide a source byte array of (say) length 128 (for a 1024-bit RSA key pair) and encrypt that to get another byte array of length 128. If I then try to encrypt that again, with a different 1024-length public key, I get
javax.crypto.BadPaddingException: Message is larger than modulus
Does anyone know why?
EDIT - encryption with NoPadding doesn't always generate this exception - it's temperamental. However, even when encryption does not generate this exception, decryption generates this:
javax.crypto.BadPaddingException: Data must start with zero
Many thanks for reading through this! Any help would be greatly appreciated.
EDIT - sorry, my original question wasn't very clear about what it is I want to do, so here's an [attempt at an] explanation:
Sorry that was so lengthy - I hope it describes my need for deterministic encryptions. I've missed out a lot of fundamental details (I've modified this scheme heavily) but hopefully the core principles are all there. Thank you so much for reading - I really appreciate it.
Removing the padding makes the system insecure. If the public keys are indeed public, as you say, then an attacker can simply go to column 5, take the plaintexts, and encrypt them with the 4 public keys in the proper sequence. They can then match up the resulting ciphertexts with that from the reciepts, compromising the "no coercion" property.
Random padding stops this, because the attacker doesn't know what padding to add.
You will need to use normal padding, but reveal a subset of the private keys to a subset of the auditors (usually called "scrutineers" in electoral systems). This means that one scrutineer can confirm that column 1 matches column 2, another can confirm that column 2 matches column 3, and so on. An individual scrutineer can't match a voter to a ballot, only co-operating ones.
The reason that you're getting the "Message is larger than modulus" error is because each modulus is different, so the ciphertext from one encryption may be outside the allowable range for the next encryption.