How to specify RSA padding in Python pycrypto

问题

I got a pice of java RSA decrypt code, now I want to express in Python pycrypto. but I got different ciphertext although using same private key, and server only access ciphertext that encrypt by java.

I seach google, it look like cause of padding.
I am not familiar with RSA, my current solution is that execute java code in tomcat, Python call it through http request.

but I still want to encrypt direct in Python code.

in java code:

public static String encrypt(String paramString)throws Exception
{
    return Base64Utils.encode(RSAUtils.encryptByPrivateKey(paramString.getBytes(), "MIICdgIBADANBgkqhkiG9w0BAQEFAASCAmAwggJcAgEAAoGBAIrrUGxh+yvNNI1c9hUg1rH+EtipI0nPk3zRm2Cj4mLDWLJ6DaTzdJTXTF3BYZaancWeG3QtBL+fITUi72InwBP7zaNG8uv/guwuhWT6V/YO7AaTrOFeTkg9NXuaFbn3hWVtZxQm2tIlaVa8snoNj3VGnPqIjXmGcxk4axuYd7sTAgMBAAECgYA43YhnRVh2nqJzd2k4Tt/zrmhyjhHm5fSetIKg9ZT3DrXhITsymYHQZ61X95AGATayLT1Zug/mjLIgOTO6f0ENkRQtjVCmKd8Yf/BeDEc5kRLUYDfSqoEydHK0+rCw5tJMgrAnQc5lHc+FVdGe2bOxKTEtZoss9VQ2jYuQ+Z5fUQJBANnvDOcI2OYSksX3PpHzO9F272xkmqYBRGkMc/a5RuOv1CY6FqMIkkloTf6nVl9y6XYV8gnHfbbI/wj4Q4UnPYsCQQCjLxyRYaOeEb/qOzSmFXytgMuCM9sr4eY9jpjzDgNWhpbtaVaf1QvSTXqN0zaUu4Se2tmWGX7zXw9p/dFf8DmZAkEAzl1o0FU2XhZ0WXVYEIhMunpvGSrirhNBHmAmZxjmoa/bqh8TVGpHa6+TO3JlfZioraL2QIBg8Ha/2VSNS0bvJQJALfCLaFpGh6+TicuVLNSLvwStRkB3CUmVWesVIAfn5KoLP1cSbfi6VUA+qkK18PVBhr8x1lHjLXyriDlOgmXMsQJAW9vD/IoBs4QJF87xF7tZvu/b1KRVgLM1edqOgVwMNbIQHBAXghjVjrpuln5w6z1dJ2cEjRP98OxKC0hqEIwIuQ=="));
}

public static byte[] encryptByPrivateKey(byte[] paramArrayOfByte, String paramString)throws Exception
{ 
    paramString = new PKCS8EncodedKeySpec(Base64Utils.decode(paramString));
    paramString = KeyFactory.getInstance("RSA").generatePrivate(paramString);
    Cipher localCipher = Cipher.getInstance("RSA/ECB/PKCS1Padding");//like this padding
    localCipher.init(1, paramString);
    int k = paramArrayOfByte.length;
    ByteArrayOutputStream localByteArrayOutputStream = new ByteArrayOutputStream();
    int j = 0;
    int i = 0;
    if (k - j > 0)
    {
      if (k - j > 117) {}
      for (paramString = localCipher.doFinal(paramArrayOfByte, j, 117);; paramString = localCipher.doFinal(paramArrayOfByte, j, k - j))
      {
        localByteArrayOutputStream.write(paramString, 0, paramString.length);
        i += 1;
        j = i * 117;
        break;
      }
    }
    paramArrayOfByte = localByteArrayOutputStream.toByteArray();
    localByteArrayOutputStream.close();
    return paramArrayOfByte;
}

---

in Python code:

from Crypto.PublicKey import RSA
from Crypto.Cipher import PKCS1_v1_5
from base64 import b64decode, b64encode

def encrypt(msg):
    key = "MIICdgIBADANBgkqhkiG9w0BAQEFA..."
    key = b64decode(key)
    private_key = RSA.importKey(key)
    cipher = PKCS1_v1_5.new(private_key)
    return b64encode(cipher.encrypt(msg))

---

java.encrypt("159742081"):
first time: GBn6RGIeEp8j/n35CgT5DdMmrvvNBtVCFQikO0vfJaYYrpEzBZ/F+5PkFLpzLDtYvQrj0Q/x/Fdxz3BtbEdLq57WFxB5MvkFxerWVeplA2vdlD7m+dgjsWyxBSbcVV1QX3UBNp+T3DtxL6uGuWUNxucy9yB5TOD3xCNchzGCnSU=
second time: GBn6RGIeEp8j/n35CgT5DdMmrvvNBtVCFQikO0vfJaYYrpEzBZ/F+5PkFLpzLDtYvQrj0Q/x/Fdxz3BtbEdLq57WFxB5MvkFxerWVeplA2vdlD7m+dgjsWyxBSbcVV1QX3UBNp+T3DtxL6uGuWUNxucy9yB5TOD3xCNchzGCnSU=

python.encrypt('159742081'):
first time:K5VXCDAPZ5yg0/UFT6mLdDOlYAI0n15HR9I60ZMntyHIItUDK7mnb67oX5BzZpx+j6OH8nfeZFPPfxRKpk83m4uN7Gw0TZTuN0eajRa2Jg79ctumBqmzCQM/05UH3wCMouVbvFu31O4PLBHqcmJNuJCOiAJE98wMKIwdS7ewv/4
second time:UWWdt1WcI0UOovXb7hH1CqK0RJWSJ4uVCOJ0wjtzPu8JB1cAOu+JaWDBjh6PMWWdi6Osb2cnOddYdgUHoMiTUieAIbj2jaXXxKzxaNlqDAGNRLZUthZXqMPEdpZ91Jagus9OS/soJBP/Vkz6i1lqpriDsm5CqVsSr+Bz+Ro7+Vo=

for same plaintext, java.encrypt return same ciphertext, however python.encrypt return different ciphertext in everytime.

回答1:

I absolutely don't get what you're trying to do in the Java code, but it is not going right.

PKCS#1 v1.5 padding for encryption uses at least 8 bytes set to a random value in the range 1..255. This means that the outcome after modular exponentiation is completely random within the range 0 to N (the modulus). So each time you encrypt, using either Java or Python, the result should be completely random. This is required for the cipher to be IND_CPA secure; you would distinguish between two identical plaintext otherwise.

There is one good way to test encryption: decrypt it and see if you get the same binary plaintext. You should be able to test this cross-platform.

来源：https://stackoverflow.com/questions/42779158/how-to-specify-rsa-padding-in-python-pycrypto