您的位置：首页 > 大数据 > 人工智能

Too much data for RSA block fail. What is PKCS#7?

2012-12-13 07:54 555 查看

http://stackoverflow.com/questions/2579103/too-much-data-for-rsa-block-fail-what-is-pkcs7

Talking about

javax.crypto.Cipher

I was trying to encrypt data using

Cipher.getInstance("RSA/None/NoPadding", "BC")

but I got the exception:

ArrayIndexOutOfBoundsException: too much data for RSA block

Looks like is something related to the "NoPadding", so, reading about padding, looks like CBC is the best approach to use here.

I found at google something about "RSA/CBC/PKCS#7", what is this "PKCS#7"? And why its not listed onsun's standard algorithm
names?

Update:

I'm wondering, if is a padding problem, why this example run just fine?

import java.math.BigInteger;
import java.security.KeyFactory;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.RSAPrivateKeySpec;
import java.security.spec.RSAPublicKeySpec;

import javax.crypto.Cipher;

/**
* Basic RSA example.
*/
public class BaseRSAExample
{
public static void main(
String[]    args)
throws Exception
{
byte[]           input = new byte[] { (byte)0xbe, (byte)0xef };
Cipher          cipher = Cipher.getInstance("RSA/None/NoPadding", "BC");
KeyFactory       keyFactory = KeyFactory.getInstance("RSA", "BC");

// create the keys

RSAPublicKeySpec pubKeySpec = new RSAPublicKeySpec(
new BigInteger("d46f473a2d746537de2056ae3092c451", 16),
new BigInteger("11", 16));
RSAPrivateKeySpec privKeySpec = new RSAPrivateKeySpec(
new BigInteger("d46f473a2d746537de2056ae3092c451", 16),
new BigInteger("57791d5430d593164082036ad8b29fb1", 16));

RSAPublicKey pubKey = (RSAPublicKey)keyFactory.generatePublic(pubKeySpec);
RSAPrivateKey privKey = (RSAPrivateKey)keyFactory.generatePrivate(privKeySpec);

// encryption step

cipher.init(Cipher.ENCRYPT_MODE, pubKey);

byte[] cipherText = cipher.doFinal(input);

// decryption step

cipher.init(Cipher.DECRYPT_MODE, privKey);

byte[] plainText = cipher.doFinal(cipherText);

}
}

Update 2:

I realized that even if I use just

Cipher.getInstance("RSA", "BC")

it throws the same exception.

java security cryptography

share|improve
this question

edited
Apr 6 '10 at 13:27

asked
Apr 5 '10 at 15:08

Tom Brito

2,92142887

91% accept rate

	@ig0774 why as comment? – Tom BritoApr 5 '10 at 16:19
	brito I didn't read the question to carefully. I'll add as an answer. See below, now. – ig0774Apr 5 '10 at 16:57
	I updated my answer with a plausible explanation to your update. – Alexander TorstlingApr 6 '10 at 11:37

feedback

7 Answers

active oldest votes

up vote 5
down vote
accepted

If you use a block cipher, you input must be an exact multiple of the block bit length.

In order to encipher arbitrary length data, you need first to pad you data to a multiple of the block length. This can be done with any method, but there are a number of standards. PKCS7 is one which is quite common, you can see an overviewon
the wikipedia article on padding.

Since block cipers operate on blocks, you also need to come up with a way of concatenating the encrypted blocks. This is very important, since naive techniques greatly reduce the strength of the encryption. There is also awikipedia
article on this.

What you did was to try to encrypt (or decrypt) data of a length which didn't match the block length of the cipher, and you also explicitly asked for no padding and also no chaining mode of operation.

Consequently the block cipher could not be applied to your data, and you got the reported exception.

UPDATE:

As a response to your update and GregS's remark, I would like to acknowledge that GregS was right (I did not know this about RSA), and elaborate a bit:

RSA does not operate on bits, it operates on integer numbers. In order to use RSA you therefore need to convert your string message into an integer m:

0 < m < n

, where

is the modulus of the two distinct primes chosen in the generation process. The size of a key in the RSA algorithm typically refers to

. More details on this can be found
on thewikipedia article on RSA.

The process of converting a string message to an integer, without loss (for instance truncating initial zeroes), thePKCS#1 standard is usually followed.This
process also adds some other information for message integrity (a hash digest), semantical security (an IV) ed cetera. With this extra data, the maximum number of bytes which can be supplied to the RSA/None/PKCS1Padding is (keylength - 11). I do not
know how PKCS#1 maps the input data to the output integer range, but my impression is that it can take any length input less than or equal to keylength - 11 and produce a valid integer for the RSA encryption.

If you use no padding, your input will simply be interpreted as a number. Your example input, {0xbe, 0xef} will most probably be interpreted as {10111110 +o 11101111} = 1011111011101111_2 = 48879_10 = beef_16 (sic!). Since 0 < beef_16 < d46f473a2d746537de2056ae3092c451_16,
your encryption will succeed. It should succeed with any number less than d46f473a2d746537de2056ae3092c451_16.

This is mentioned in the
bouncycastle FAQ. They also state the following:

The RSA implementation that ships with Bouncy Castle only allows the encrypting of a single block of data. The RSA algorithm is not suited to streaming data and should not be used that way. In a situation like this you should encrypt the data using a randomly
generated key and a symmetric cipher, after that you should encrypt the randomly generated key using RSA, and then send the encrypted data and the encrypted random key to the other end where they can reverse the process (ie. decrypt the random key using their
RSA private key and then decrypt the data).

share|improve
this answer

edited
Apr 6 '10 at 9:47

answered
Apr 5 '10 at 15:34

Alexander Torstling

5,2551027

please, see my update – Tom BritoApr
5 '10 at 17:49

It is a little more complicated than your explanation. None of the RSA encryption providers will encrypt more than one block's worth of data no matter what padding scheme is used. And for, RSA, a 'block' is a positive integer
less than the modulus rather than a certain number of bits or bytes. – GregSApr
5 '10 at 19:44

You might want to note that Java calls PKCS#7-padding "PKCS5Padding". – Rasmus FaberApr
6 '10 at 7:51

GregS - thank you. I read up on it and updated my answer. Please feel free to comment on if the information is incorrect. – Alexander
Torstling Apr
6 '10 at 19:52

3

down vote

RSA is a one-shot asymmetric encryption with constraints. It encrypts a single "message" in one go, but the message has to fit within rather tight limits based on the public key size. For a typical 1024 bit RSA key, the maximum input message length (with
RSA as described in the
PKCS#1 standard) is 117 bytes, no more. Also, with such a key, the encrypted message has length 128 bytes, regardless of the input message length. As a generic encryption mechanism, RSA is very inefficient, and wasteful
of network bandwidth.

Symmetric encryption systems (e.g. AES or 3DES) are much more efficient, and they come with "chaining modes" which allow them to process input messages of arbitrary length. But they do not have the "asymmetric" property of RSA: with RSA, you can
make the encryption key public without revealing the decryption key. That's the whole point of RSA. With symmetric encryption, whoever has the power to encrypt a message also has all the needed information to decrypt messages, hence you cannot make the encryption
key public because it would make the decryption key public as well.

Thus it is customary to use an hybrid system, in which a (big) message is symmetrically encrypted (with, e.g., AES), using a symmetric key (which is an arbitrary short sequence of random bytes), and have that key encrypted with RSA. The receiving party then
uses RSA decryption to recover that symmetric key, and then uses it to decrypt the message itself.

Beyond the rather simplistic description above, cryptographic systems, in particular hybrid systems, are clock full of little details which, if not taken care of, may make your application extremely weak against attackers. So it is best to use a protocol
with an implementation which already handles all that hard work. PKCS#7 is such a protocol. Nowadays, it is standardized under the name of
CMS. It is used in several places, e.g. at the heart of S/MIME (a standard for encrypting and signing emails). Another well-known protocol, meant for encrypting
network traffic, is SSL (now standardized under the name of
TLS, and often used in combination with HTTP as the famous "HTTPS" protocol).

Java contains an implementation of SSL (see

javax.net.ssl

). Java does not contain a CMS implementation (at least not in its API) but
Bouncy Castle has some code for CMS.

share|improve
this answer

answered
Apr 6 '10 at 11:09

Thomas Pornin

24k32379

feedback

up vote 1
down vote

This error indicates that the input data size is greater than the key modulus size. You will need a bigger key size to encrypt the data. If changing the key length is not an option, alternatively you may need to investigate if you are really expecting that
big input data.

share|improve
this answer

answered
May 18 '11 at 19:47

ordinary guy

111

feedback

up vote 0
down vote

RSA can only be used to encrypt, when the number of bits being used to encrypt is greater then the size of the thing you are tying to encrypt + 11 bytes

Public-Key Cryptography Standards - PKCS

share|improve
this answer

answered
Apr 5 '10 at 15:12

Dave

1

please, see my update – Tom Brito
Apr
5 '10 at 17:51

feedback

up vote 0
down vote

Scroll down a bit and you'll see it. It's not an cypher algortihm (like RSA) or a cypher mode like CBC, but a description of the way the certificate is encoded as bytes (i.e., a data structure syntax). You can find the spec for it
here.

share|improve
this answer

answered
Apr 5 '10 at 16:57

ig0774

6,5951125

please, see my update – Tom Brito
Apr
5 '10 at 17:50

feedback

up vote 0
down vote

PKCS#7 is listed (referring to your link). It's encoding is

PKCS7

Description

A PKCS#7 SignedData object, with the only significant field being certificates.

Use

java.security.cert.CertificateFactory

CertPath

when using

PKCS7

.

RSA is a block cipher. It encrypts block of the same key size. Therefore, BouncyCastle RSA gives an exception if you try to encrypt a block which is longer than the key size.

That's all I can tell you so far.

share|improve
this answer

edited
Apr 5 '10 at 20:19

answered
Apr 5 '10 at 15:19

Buhake Sindi

25.4k43163

	please, see my update – Tom Brito Apr 5 '10 at 17:50
	Check updated response. – Buhake Sindi Apr 5 '10 at 20:20

feedback

up vote 0
down vote

You should not encrypt your data using RSA directly. Encrypt your data with a random symmetric key (i.e. AES/CBC/PKCS5Padding) and encrypt the symmetric key using RSA/None/PKCS1Padding.

内容来自用户分享和网络整理，不保证内容的准确性，如有侵权内容，可联系管理员处理

标签：

相关文章推荐

新的分享

章节导航