{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://www.manongdao.com/data/attach/logo/logo.png', '推荐 孤傲高冷的网名 的问题《RSA Encryption output size》','https://www.manongdao.com/q-319638.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}
What is RSA encryption output size when using 2048 bit key (using pkcs1padding). Is it always 256 bytes independent of input size? how can i calculate it for other key sizes?
相关问题
- “Zero out” sensitive String data in Swift
- High cost encryption but less cost decryption
- C# Rijndael decryption returns extra question mark
- DECRYPTBYPASSPHRASE is not working after creating
- Export CngKey in PKCS8 with encryption c#
相关文章
- decrypt TLS 1.2 AES-GCM packet
- Decrypting EnvelopedCms with non-default Algorithm
- How to get the size of a RSA key in Java
- C# AES Rijndael - detecting invalid passwords
- Sanity check SSH public key? [closed]
- Use RSA with Eclipse Remote Systems Explorer?
- data encryption and key management in c#
- What is an openssl iv, and why do I need a key and
Yes, it is.
The output-size should always equals the size of the
Modulus(part of the key), so:If it is not, there exist numerous attacks on RSA, see here for basic information about that.
So to guarantee that the output is
2048 biteven when the input to encrypt is, let's say7,a padding must always be applied!
The output (as integer) of RSAEP (RSA encryption primitive) is always between 0 and n:
If the message representative m is not between 0 and n-1, output message representative out of range and stop.
Let c = m^e mod n.
Output c.
Of course,
cis a number. So you have to convert it to bytes for it to be usable. The only thing known aboutcis that it is smaller thannfor a large value ofm. It may be thatcis a few bytes smaller even ifmis large.You've mentioned PKCS1Padding, which is part of the RSAES-PKCS1-V1_5-ENCRYPT encryption scheme. The padding will make sure that
mis always large and randomized; requirements for RSA encryption to be secure.You'll find that the encoding of
cis specified in there:...
Step 4: Convert the ciphertext representative c to a ciphertext C of length k octets: C = I2OSP (c, k)
...
where k is the size of the modulus in octets (bytes).
So yes, the answer is always
k, the size of the modulus in bytes. Simply because the standard requires it that way. It is a value encoded as unsigned big endian number prefixed with as many zero bytes as required.Notes:
the modulus size defines the key size. So the output of an RSA encryption is the same as the key size:
ceil(keySize / 8.0)using floats or(keySize + 8 - 1) / 8using integers.RSA with OAEP padding uses the same technique, so the answer is correct for OAEP as well (and most other, less known schemes such as RSA-KEM).
Many library routines that perform "raw" RSA (just modular exponentiation of the message with the public exponent) still perform the I2OSP function - but better check to make sure.
The output size of plain RSA (using some padding scheme, but no hybrid encryption) is always the key size. The reason is that for some public key
nthe result is some integercwith0<=c<n. There are lots of introductions for RSA, e.g. http://ocw.mit.edu/courses/electrical-engineering-and-computer-science/6-045j-automata-computability-and-complexity-spring-2011/lecture-notes/MIT6_045JS11_rsa.pdf