One or more certificates (see Question 3.5) may accompany a digital
signature. A certificate is a signed document attesting to the identity and
public key of the person signing the message. Its purpose is to prevent
someone from impersonating someone else, using a phony key pair. If a
certificate is present, the recipient (or a third party) can check the
authenticity of the public key, assuming the certifier's public key is
itself trusted.
2.14 Does RSA help detect altered documents and transmission errors?
An RSA digital signature is superior to a handwritten signature in that
it attests to the contents of a message as well as to the identity of
the signer. As long as a secure hash function (see Question 8.2) is used,
there is no way to take someone's signature from one document and attach
it to another, or to alter the signed message in any way. The slightest
change in a signed document will cause the digital signature verification
process to fail. Thus, RSA authentication allows people to check the
integrity of signed documents. Of course, if a signature verification
fails, it may be unclear whether there was an attempted forgery or
simply a transmission error.
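As an added illustration (not code from the FAQ), the toy Python program below signs the SHA-256 hash of a document with a locally generated RSA key pair and shows that the genuine signature verifies while the altered document, or the same signature moved to a different document, fails. The document strings are constructed, and textbook RSA without padding is used for brevity.

```python
import hashlib
import secrets
# Added toy example, not code from the FAQ: textbook RSA over a SHA-256 digest with
# a 512-bit key.  Real systems add PKCS #1 padding and use 2048-bit or longer keys.
def is_probable_prime(n, rounds=32):
    """Miller-Rabin test: False means composite, True means almost surely prime."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits):
    while True:  # odd candidate with the top bit set, retried until probably prime
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand

def generate_keypair(bits=512, e=65537):
    """Return ((e, n), (d, n)); each party generates its own pair (Question 3.3)."""
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so this is gcd(e, phi) == 1
            return (e, p * q), (pow(e, -1, phi), p * q)
def digest(document):  # the signature covers the hash, hence the whole content
    return int.from_bytes(hashlib.sha256(document).digest(), "big")
def sign(document, private_key):
    d, n = private_key
    return pow(digest(document) % n, d, n)
def verify(document, signature, public_key):
    e, n = public_key
    return pow(signature, e, n) == digest(document) % n
def demo():  # genuine signature verifies; altered or transplanted ones fail
    pub, priv = generate_keypair()
    contract = b"Pay Alice 100 dollars."  # constructed sample document
    sig = sign(contract, priv)
    return {"genuine": verify(contract, sig, pub),
            "altered": verify(b"Pay Alice 1000 dollars.", sig, pub),
            "transplanted": verify(b"Pay Bob 100 dollars.", sig, pub)}
```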
2.15 What are alternatives to RSA?
Many other public-key cryptosystems have been proposed, as a look through
the proceedings of the annual Crypto and Eurocrypt conferences quickly
reveals. A mathematical problem called the knapsack problem was the basis
for several systems [52], but these have lost favor because several
versions were broken. Another system, designed by ElGamal [30], is based
on the discrete logarithm problem. The ElGamal system was, in part, the
basis for several later signature methods, including one by Schnorr [75],
which in turn was the basis for DSS, the digital signature standard
proposed by NIST (see Question 6.8). Because of the NIST proposal, the
relative merits of these signature systems versus RSA signatures have
received a lot of attention; see [57] for a discussion. The ElGamal system
has been used successfully in applications; it is slower for encryption
and verification than RSA and its signatures are larger than RSA signatures.
In 1976, before RSA, Diffie and Hellman [29] proposed a system for key
exchange only; it permits secure exchange of keys in an otherwise
conventional secret-key system. This system is in use today.
Cryptosystems based on mathematical operations on elliptic curves have
also been proposed [43,56], as have cryptosystems based on discrete
exponentiation in the finite field GF(2^n). The latter are very fast in
hardware; however, doubts have been raised about their security because
the underlying problem may be easier to solve than factoring [64,34].
There are also some probabilistic encryption methods [8,32], which have
the attraction of being resistant to a guessed ciphertext attack (see
Question 2.5), but at a cost of data expansion. In probabilistic
encryption, the same plaintext encrypted twice under the same key will
give, with high probability, two different ciphertexts.
For digital signatures, Rabin [68] proposed a system which is provably
equivalent to factoring; this is an advantage over RSA, where one may
still have a lingering worry about an attack unrelated to factoring.
Rabin's method is susceptible to a chosen message attack, however, in which
the attacker tricks the user into signing messages of a special form. Another
signature scheme, by Fiat and Shamir [31], is based on interactive
zero-knowledge protocols, but can be adapted for signatures. It is faster
than RSA and is provably equivalent to factoring, but the signatures are
much larger than RSA signatures. Other variations, however, lessen the
necessary signature length; see [17] for references. A system is
``equivalent to factoring'' if recovering the private key is provably as
hard as factoring; forgery may be easier than factoring in some of the
systems.
Advantages of RSA over other public-key cryptosystems include the fact that
it can be used for both encryption and authentication, and that it has been
around for many years and has successfully withstood much scrutiny. RSA has
received far more attention, study, and actual use than any other public-key
cryptosystem, and thus RSA has more empirical evidence of its security than
more recent and less scrutinized systems. In fact, a large number of
public-key cryptosystems which at first appeared secure were later broken;
see [13] for some case histories.
2.16 Is RSA currently in use today?
The use of RSA is undergoing a period of rapid expansion and may become
ubiquitous within a few years. It is currently used in a wide variety of
products, platforms and industries around the world. It is found in many
commercial software products and planned for many more. RSA is built into
current or planned operating systems by Microsoft, Apple, Sun, and Novell.
In hardware, RSA can be found in secure telephones, on Ethernet network
cards, and on smart cards. RSA is also used internally in many institutions,
including branches of the U.S. government, major corporations, national
laboratories, and universities.
Adoption of RSA seems to be proceeding more quickly for authentication
(digital signatures) than for privacy (encryption), perhaps in part because
products for authentication are easier to export than those for privacy (see
Question 1.6).
2.17 Is RSA an official standard today?
RSA is part of many official standards worldwide. The ISO (International
Standards Organization) 9796 standard lists RSA as a compatible
cryptographic algorithm, as does the Consultative Committee in International
Telegraphy and Telephony (CCITT) X.509 security standard. RSA is part of
the Society for Worldwide Interbank Financial Telecommunications (SWIFT)
standard, the French financial industry's ETEBAC 5 standard, and the ANSI
X9.31 draft standard for the U.S. banking industry. The Australian key
management standard, AS2805.6.5.3, also specifies RSA.
RSA is found in the Internet's proposed PEM (Privacy Enhanced Mail) standard
(see Question 8.7) and the PKCS standard for the software industry
(see Question 8.9). The OSI Implementors' Workshop (OIW) has issued
implementers' agreements referring to PKCS and PEM, which each include RSA.
A number of other standards are currently being developed and will
be announced over the next couple of years; many are expected to include
RSA as either an endorsed or a recommended system for privacy and/or
authentication. See [38] for a more comprehensive survey of cryptography
standards.
2.18 Is RSA a de facto standard? Why is a de facto standard important?
RSA is the most widely used public-key cryptosystem today and has often
been called a de facto standard. Regardless of the official standards, the
existence of a de facto standard is extremely important for the development
of a digital economy. If one public-key system is used everywhere for
authentication, then signed digital documents can be exchanged between users
in different nations using different software on different platforms; this
interoperability is necessary for a true digital economy to develop.
The lack of secure authentication has been a major obstacle in achieving
the promise that computers would replace paper; paper is still necessary
almost everywhere for contracts, checks, official letters, legal documents,
and identification. With this core of necessary paper transactions, it has not
been feasible to evolve completely into a society based on electronic
transactions. Digital signatures are the exact tool necessary to convert
the most essential paper-based documents to digital electronic media.
Digital signatures make it possible, for example, to have leases, wills,
passports, college transcripts, checks, and voter registration forms that
exist only in electronic form; any paper version would just be a ``copy''
of the electronic original. All of this is enabled by an accepted standard
for digital signatures.
2.19 Is RSA patented?
RSA is patented under U.S. Patent 4,405,829, issued 9/20/83 and held by
Public Key Partners (PKP), of Sunnyvale, California; the patent expires 17
years after issue, in 2000. RSA is usually licensed together with other
public-key cryptography patents (see Question 1.5). PKP has a standard,
royalty-based licensing policy which can be modified for special
circumstances. If a software vendor, having licensed the public-key patents,
incorporates RSA into a commercial product, then anyone who purchases the
end product has the legal right to use RSA within the context of that
software. The U.S. government can use RSA without a license because it was
invented at MIT with partial government funding. RSA is not patented outside
North America.
In North America, a license is needed to ``make, use or sell'' RSA. However,
PKP usually allows free non-commercial use of RSA, with written permission,
for personal, academic or intellectual reasons. Furthermore, RSA
Laboratories has made available (in the U.S. and Canada) at no charge a
collection of cryptographic routines in source code, including the RSA
algorithm; it can be used, improved and redistributed non-commercially
(see Question 8.10).
2.20 Can RSA be exported from the U.S.?
Export of RSA falls under the same U.S. laws as all other cryptographic
products. See Question 1.6 for details.
RSA used for authentication is more easily exported than when used for
privacy. In the former case, export is allowed regardless of key (modulus)
size, although the exporter must demonstrate that the product cannot be
easily converted to use for encryption. In the case of RSA used for
privacy (encryption), the U.S. government generally does not allow
export if the key size exceeds 512 bits. Export policy is currently a
subject of debate, and the export status of RSA may well change in the
next year or two.
Regardless of U.S. export policy, RSA is available abroad in non-U.S.
products.
3 Key Management
3.1 What key management issues are involved in public-key cryptography?
Secure methods of key management are extremely important. In practice,
most attacks on public-key systems will probably be aimed at the key
management levels, rather than at the cryptographic algorithm itself.
The key management issues mentioned here are discussed in detail in
later questions.
Users must be able to obtain securely a key pair suited to their efficiency
and security needs. There must be a way to look up other people's public
keys and to publicize one's own key. Users must have confidence in the
legitimacy of others' public keys; otherwise an intruder can either change
public keys listed in a directory, or impersonate another user. Certificates
are used for this purpose. Certificates must be unforgeable, obtainable in a
secure manner, and processed in such a way that an intruder cannot misuse
them. The issuance of certificates must proceed in a secure way, impervious
to attack. If someone's private key is lost or compromised, others must be
made aware of this, so that they will no longer encrypt messages under the
invalid public key nor accept messages signed with the invalid private key.
Users must be able to store their private keys securely, so that no intruder
can find them, yet the keys must be readily accessible for legitimate use. Keys
need to be valid only until a specified expiration date. The expiration date
must be chosen properly and publicized securely. Some documents need to have
verifiable signatures beyond the time when the key used to sign them has
expired.
Although most of these key management issues arise in any public-key
cryptosystem, for convenience they are discussed here in the context of RSA.
3.2 Who needs a key?
Anyone who wishes to sign messages or to receive encrypted messages must
have a key pair. People may have more than one key. For example, someone
might have a key affiliated with his or her work and a separate key for
personal use. Other entities will also have keys, including electronic
entities such as modems, workstations, and printers, as well as
organizational entities such as a corporate department, a hotel
registration desk, or a university registrar's office.
3.3 How does one get a key pair?
Each user should generate his or her own key pair. It may be tempting within
an organization to have a single site that generates keys for all members who
request one, but this is a security risk because it involves the transmission
of private keys over a network as well as catastrophic consequences if an
attacker infiltrates the key-generation site. Each node on a network should be
capable of local key generation, so that private keys are never transmitted
and no external key source need be trusted. Of course, the local key generation
software must itself be trustworthy. Secret-key authentication systems, such
as Kerberos, often do not allow local key generation but instead use a
central server to generate keys.