问题
I am creating a simple client app to experiment with Mega and I am having trouble wrapping my head around the way RSA is used. Let's take, for example, the decryption of the session ID - this is one of the first things that must be done in order to log in.
The API provides me the following RSA data:
- p (1024 bits)
- q (1024 bits)
- d (2044 bits)
- u (1024 bits)
To start with, I do not know what "u" stands for. I see from code that it is calculated by modinverse(p, q) - is this what is commonly referred to as qInverse?
This is considerably less RSA data for a private key than I have used previously, so I am not quite sure what to make of it. However, I am given to understand that some of the RSA data used by RSACryptoServiceProvider is just pre-calculated data for optimization purposes, so perhaps the rest is not needed?
Using this data, the site's JavaScript decrypts the session ID with the following function:
// Compute m**d mod p*q for RSA private key operations.
function RSAdecrypt(m, d, p, q, u)
{
var xp = bmodexp(bmod(m,p), bmod(d,bsub(p,[1])), p);
var xq = bmodexp(bmod(m,q), bmod(d,bsub(q,[1])), q);
var t=bsub(xq,xp);
if(t.length==0)
{
t=bsub(xp,xq);
t=bmod(bmul(t, u), q);
t=bsub(q,t);
}
else
{
t=bmod(bmul(t, u), q);
}
return badd(bmul(t,p), xp);
}
I would like to do this in .NET using RSACryptoServiceProvider but if I give it the 4 pieces of data I have (assuming u == qInverse), the key is rejected during import with a "Bad data" exception.
Should I be doing something more to the data? Is RSACryptoServiceProvider usable in this situation at all?
Example of the parameters and encrypted data I am testing with follows.
var p = Convert.FromBase64String("1AkMwy3SPbJtL/k2RUPNztBQKow0NX9LVr5/73+zR3cuwgUToYkVefKdzlTgeri9CAVUq/+jU6o+P7sUpPUN+V97quZa00m3GSIdonRMdaMrDDH5aHnkQgOsCjLJDWXU6+TQBqLumR3XMSat3VO09Dps+6NcMc+uMi5atC3tb+0=");
var q = Convert.FromBase64String("qtnlmPbATJajNdihw1K6cwSormySATp7g75vYfilYx6RXN3xpNCZR/i8zFbx/lDh+n1a2rdHy1nWyuaD3UmE26d1xUkmsPDfBc72WXt88UqWE/gF7NJjtgTxS2Ui+2GGKUCloi5UA/pOI7R5TBvGI8zna00SH78bctyE0dcAcwM=");
var d = Convert.FromBase64String("CFL4QPQ8zLzrf2bUzCVX8S2/eALzo/P2cvQsW9lft7uelHYfC1CvHP+z4RvQgXABpgT8YTdU+sgdMHrhHT1vxeUaDRkcQv9lV0IP6YtAcD+gk5jDQkXk4ruYztTUF3v4u8rlMuZ8kAKKWKw+JH6grLWD/vXjMv2RybxPqq3fKI6VJaj/Y/ZnDjD5HrQmJopnCbOrZrPysNb/rGrN3ad9ysaZwBvQtIE0/tQvmL+lsI+PfF9oGKeHkciIo0D4N2abOKT2fiazNm1U9LnrQih687ge0aeAlP2OO8c0h/nbEkMbNg83n1GGEt3DNojIWbT5uHaj12M6G81leS77mfLvSQ==");
var u = Convert.FromBase64String("CNlUzgCf6Ymd/qeWiv3ScCIXYCwjP3SNLHxRgozIbNg2JEKpJn2M3vO72qLI+FT34xckaAGIcKWMkmpoaKy6PYF4jsAz2atLEClLimbMEPvpWxK7b/I5yvXMT7i2r5hr0OjjplL0wFQYL1IS2M8DTrL99rd9zXCoCWg5Tax6zQM=");
var encryptedData = Convert.FromBase64String("CABt/Qp7ZODvweEk5RY9JNMXoyFfUwMnc53zbP5jB4jnwWXibLLvjc+Dv5CwQAtUYRme+vRd80++178BiWl0YSOKKhQaDQKoeOUONn3KbZVWyCtyWyQZNtASPoQfizay/Dw3yP5BKsJmDpEv47awdEZzh8IqTcTKeQbpHFL+3uL5EjIENpxMh15rJUsY9w+jq6Yax+379tq67EPMUON0aYkRQ3k1Rsp9fOL6qrgoqOPmOc0cIQgx76t6SFB9LmDySkyBhtK+vcEkdn9GwzZqc6n/Jqt9K8a+mbBv3K7eO3Pa37SDncsaxEzlyLwQ2om1+bK2QwauSQl+7QwQS1a9Ejb9");
var rsa = new RSACryptoServiceProvider();
// Throws exception saying "Bad data"
rsa.ImportParameters(new RSAParameters
{
D = d,
P = p,
Q = q,
InverseQ = u
});
Addendum February 2
I have dug around in the linked StackOverflow answers and have reached the point where I think I have determined how to generate the missing component. However, now I am getting a "Bad key" exception, which has me stumped.
I will write the code I am using to generate the missing components - perhaps you can spot an error somewhere?
I have also calculated InverseQ and D manually and the values match those in my input data. Below is my function for generating the required data based only on q, p and e.
private static RSAParameters CalculateRsaParameters(BigInteger p, BigInteger q, BigInteger e)
{
var modulus = BigInteger.Multiply(p, q);
var phi = BigInteger.Multiply(BigInteger.Subtract(p, BigInteger.One), BigInteger.Subtract(q, BigInteger.One));
BigInteger x, y;
// From http://www.codeproject.com/Articles/60108/BigInteger-Library
// Returns 1 with my test data.
ExtendedEuclidGcd(e, phi, out x, out y);
var d = BigInteger.Remainder(x, phi);
var dp = BigInteger.Remainder(d, BigInteger.Subtract(p, BigInteger.One));
var dq = BigInteger.Remainder(d, BigInteger.Subtract(q, BigInteger.One));
BigInteger x2, y2;
// Returns 1 with my test data.
ExtendedEuclidGcd(q, p, out x2, out y2);
// y2 since it matched the pre-generated inverseQ data I had and x2 was some negative value, so it did not seem to fit. I have no idea what the logic behind which to pick really is.
var qInverse = BigInteger.Remainder(y2, p);
return new RSAParameters
{
D = ToBigEndianByteArray(d, 256),
DP = ToBigEndianByteArray(dp, 128),
DQ = ToBigEndianByteArray(dq, 128),
InverseQ = ToBigEndianByteArray(qInverse, 128),
Exponent = ToBigEndianByteArray(e, 1),
Modulus = ToBigEndianByteArray(modulus, 256),
P = ToBigEndianByteArray(p, 128),
Q = ToBigEndianByteArray(q, 128)
};
}
My input data is:
e = 17
p = 148896287039501678969147386479458178246000691707699594019852371996225136011987881033904404601666619814302065310828663028471342954821076961960815187788626496609581811628527023262215778397482476920164511192915070597893567835708908996890192512834283979142025668876250608381744928577381330716218105191496818716653
q = 119975764355551220778509708561576785383941026741388506773912560292606151764383332427604710071170171329268379604135341015979284377183953677973647259809025842247294479469402755370769383988530082830904396657573472653613365794770434467132057189606171325505138499276437937752474437953713231209677228298628994462467
And here is how I make use of the generated structure:
var rsa = new RSACryptoServiceProvider(2048);
rsa.ImportParameters(CalculateRsaParameters(p, q, e));
The ImportParameters call throws an exception saying "Bad key". What am I doing wrong?
What happens if I switch Q and P?
Apparently, it makes RSACryptoServiceProvider accept the data! But what does this mean exactly?
I got the idea from the way I had to use ExtendedEuclidGcd in my generation code. Having to use different outputs for the two instances bothered me a lot, so I performed this experiment.
One thing is that u != qInverse - is this correct? I do not understand the math in the original JavaScript function, so I am not sure what the implications are. Am I right in guessing that the u value in the original is in fact some internal shortcut and not QInverse?
Further testing to follow (i.e. actual decryption of data). I will edit the question with any new developments once made.
Decryption fails with this parameter set
The encrypted test data I have is (base64-encoded):
/TYSvVZLEAztfglJrgZDtrL5tYnaELzI5UzEGsudg7Tf2nM73q7cb7CZvsYrfasm/6lzajbDRn92JMG9vtKGgUxK8mAufVBIeqvvMQghHM055uOoKLiq+uJ8fcpGNXlDEYlpdONQzEPsutr2++3HGqarow/3GEsla16HTJw2BDIS+eLe/lIc6QZ5ysRNKsKHc0Z0sLbjL5EOZsIqQf7INzz8sjaLH4Q+EtA2GSRbcivIVpVtyn02DuV4qAINGhQqiiNhdGmJAb/Xvk/zXfT6nhlhVAtAsJC/g8+N77Js4mXB54gHY/5s851zJwNTXyGjF9MkPRblJOHB7+Bkewr9bQ==
or
bf0Ke2Tg78HhJOUWPSTTF6MhX1MDJ3Od82z+YweI58Fl4myy743Pg7+QsEALVGEZnvr0XfNPvte/AYlpdGEjiioUGg0CqHjlDjZ9ym2VVsgrclskGTbQEj6EH4s2svw8N8j+QSrCZg6RL+O2sHRGc4fCKk3EynkG6RxS/t7i+RIyBDacTIdeayVLGPcPo6umGsft+/bauuxDzFDjdGmJEUN5NUbKfXzi+qq4KKjj5jnNHCEIMe+rekhQfS5g8kpMgYbSvr3BJHZ/RsM2anOp/yarfSvGvpmwb9yu3jtz2t+0g53LGsRM5ci8ENqJtfmytkMGrkkJfu0MEEtWvRI2/Q==
Two alternatives given since I am not sure of the byte order. It is the same data in both strings.
Decryption of both of these fails with an exception saying "Bad data" in the first case and "Not enough storage is available to process this command." in the second case (which MSDN claims might mean that the key does not match the encrypted data). I am telling RSACryptoServiceProvider that PKCS padding is used, though I also experimented with OAEP (which just gave an error about failing to decode padding).
The original JavaScript decrypts the data without a problem, though its "p" and "q" are switched around from mine.
Right now, my questions are:
- Is the P and Q switch-around a valid operation to do?
- Is my reasoning valid or have I made a mistake somewhere?
- What should I do next to successfully decrypt my test data?
回答1:
RsaParameters has eight fields. I think you need to initialize all of them when creating a private key.
Take a look at http://msdn.microsoft.com/en-us/library/system.security.cryptography.rsaparameters.aspx
回答2:
There are a number of possible pitfalls that one can trip over in using .NET BigIntegers and RSA parameters. The two that are probably impacting you are endianness and leading zero suppression.
System.Numerics.BigInteger class, available starting in .NET 4.0, uses a litte-endian format for its ToByteArray() method and new BigInteger(byte []) constructor.
Unfortunately, the RSAParameters structure expects its byte array fields to be in big-endian order. There is also one other incompatibility that must be accounted for. A System.Numerics.BigInteger may be either positive or negative, and the ToByteArray() method accounts for this by using a variant of twos-complement representation. Effectively this means that a positive BigInteger whose byte array representation has a high-order byte >=
128 will have an additional zero byte placed in highest order position. However, the RSAParameter fields are assumed to be all positive, so a leading zero is gratuitously rejected with a "Bad Data" CryptographicException. You must delete these leading zeros where they occur.
The following is a simple example code fragment showing these operations:
static BigInteger ExtGCD(BigInteger a, BigInteger b, out BigInteger lastx, out BigInteger lasty)
{
var x = BigInteger.Zero;
lastx = BigInteger.One;
var y = BigInteger.One;
lasty = BigInteger.Zero;
while (!b.IsZero)
{
BigInteger remainder;
BigInteger q = BigInteger.DivRem(a, b, out remainder);
a = b;
b = remainder;
var t = x;
x = lastx - q * x;
lastx = t;
t = y;
y = lasty - q * y;
lasty = t;
}
return a;
}
static BigInteger inverse(BigInteger a, BigInteger n)
{
BigInteger d, x, y;
d = ExtGCD(a, n, out x, out y);
if (d.IsOne)
{
// Always return the least positive value
return (x + n) % n;
}
else
{
throw new ArgumentException("the arguments must be relatively prime, i.e. their gcd must be 1");
}
}
static byte[] ToByteArrayBE(BigInteger b)
{
var x = b.ToByteArray(); // x is little-endian
Array.Reverse(x); // now it is big-endian
if (x[0] == 0)
{
var newarray = new byte[x.Length - 1];
Array.Copy(x, 1, newarray, 0, newarray.Length);
return newarray;
} else
{
return x;
}
}
static RSAParameters CalculateRsaParameters(BigInteger p, BigInteger q, BigInteger e)
{
// Given p, q, and e (the RSA encryption exponent) compute the remaining parameters
var phi = (p - 1) * (q - 1);
var d = inverse(e, phi);
var dp = d % (p - 1);
var dq = d % (q - 1);
var qInv = inverse(q, p);
var RsaParams = new RSAParameters
{
Modulus = ToByteArrayBE(p * q),
Exponent = ToByteArrayBE(e),
P = ToByteArrayBE(p),
Q = ToByteArrayBE(q),
D = ToByteArrayBE(d),
DP = ToByteArrayBE(dp),
DQ = ToByteArrayBE(dq),
InverseQ = ToByteArrayBE(qInv)
};
return RsaParams;
}
static void Main(string[] args)
{
BigInteger p = BigInteger.Parse("148896287039501678969147386479458178246000691707699594019852371996225136011987881033904404601666619814302065310828663028471342954821076961960815187788626496609581811628527023262215778397482476920164511192915070597893567835708908996890192512834283979142025668876250608381744928577381330716218105191496818716653");
BigInteger q = BigInteger.Parse("119975764355551220778509708561576785383941026741388506773912560292606151764383332427604710071170171329268379604135341015979284377183953677973647259809025842247294479469402755370769383988530082830904396657573472653613365794770434467132057189606171325505138499276437937752474437953713231209677228298628994462467");
BigInteger e = new BigInteger(17);
RSAParameters RsaParams = CalculateRsaParameters(p, q, e);
var Rsa = new RSACryptoServiceProvider();
Rsa.ImportParameters(RsaParams);
}
}
来源:https://stackoverflow.com/questions/14576424/how-do-i-use-rsacryptoserviceprovider-to-decrypt-given-that-i-only-have-p-q-d