RSA是由三位数学家Rivest、Shamir 和 Adleman 发明的非对称加密算法,这种算法非常可靠,秘钥越长,就越难破解。
目前被破解的最长RSA秘钥是768个二进制位,长度超过768位的秘钥还无法破解,但随着计算能力的增强,以后被破解到多少位还是未知数。就目前而言,1024位的秘钥属于基本安全,2048位的秘钥属于极其安全。
RSA是一种非对称加密算法,也就是加密和解密使用的不是同一把秘钥:公钥加密-私钥解密、私钥加密-公钥解密。
RSA算法在计算机网络中被普遍应用,如:https、ssh等。
该算法还可以实现应用许可证(license),有以下几个步骤:
-
甲方构建密钥对(公钥和私钥,公钥给对方,私钥留给自己)。
-
甲方使用私钥加密许可证,然后用私钥对加密的许可证进行签名,并把这些发送给乙方。
-
乙方使用公钥、签名来验证待解密许可证是否有效(许可的来源是否有效、许可的内容是否被篡改),如果有效使用公钥对许可证解密。
-
乙方使用公钥加密数据,向甲方发送经过加密后的数据;甲方获得加密数据,通过私钥解密。
注意:RSA加密要求明文最大长度117字节,解密要求密文最大长度为秘钥长度除以8(1024位秘钥 / 8 = 128,2048位秘钥 / 8 = 256),所以在加密和解密的过程中需要分块进行。
Java实现RSA:
import org.apache.commons.codec.binary.Base64;
import org.apache.commons.codec.binary.Hex;
import org.apache.commons.lang3.StringUtils;
import javax.crypto.Cipher;
import java.io.ByteArrayOutputStream;
import java.security.*;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.PKCS8EncodedKeySpec;
import java.security.spec.X509EncodedKeySpec;
import java.util.HashMap;
import java.util.Map;
public class RSAUtil {
private static final String KEY_ALGORITHM = "RSA"; //加密算法RSA
private static final String SIGNATURE_ALGORITHM = "MD5withRSA"; //签名算法
//RSA本身的限制:最大加密明文大小 = 117
private static final int MAX_ENCRYPT_BLOCK = 117;
//RSA本身的限制:最大解密密文大小 = keySize / 8 = 128 或 256
private static int MAX_DECRYPT_BLOCK = 128;
private enum KeyType {
PUBLIC_KEY, PRIVATE_KEY
}
/**
* 指定字符串生成密钥对(公钥和私钥)
*
* @param randomKey 加密的密码
* @param keySize 秘钥的长度:1024 或 2048
* @return
* @throws Exception
*/
public static Map<KeyType, Object> genKeyPair(String randomKey, int keySize) throws Exception {
MAX_DECRYPT_BLOCK = keySize / 8;
KeyPairGenerator keyPairGen = KeyPairGenerator.getInstance(KEY_ALGORITHM);
if (StringUtils.isBlank(randomKey)) { //不指定密码
keyPairGen.initialize(keySize);
} else { //指定密码
SecureRandom random = SecureRandom.getInstance("SHA1PRNG");
random.setSeed(randomKey.getBytes());
keyPairGen.initialize(keySize, random);
}
KeyPair keyPair = keyPairGen.generateKeyPair();
RSAPublicKey publicKey = (RSAPublicKey) keyPair.getPublic();
RSAPrivateKey privateKey = (RSAPrivateKey) keyPair.getPrivate();
Map<KeyType, Object> keyMap = new HashMap<>(2);
keyMap.put(KeyType.PUBLIC_KEY, publicKey);
keyMap.put(KeyType.PRIVATE_KEY, privateKey);
return keyMap;
}
/**
* 用私钥对数据生成数字签名
*
* @param data 已加密数据
* @param privateKey 私钥(BASE64编码)
* @return
* @throws Exception
*/
public static String sign(byte[] data, String privateKey) throws Exception {
byte[] keyBytes = Base64.decodeBase64(privateKey);
PKCS8EncodedKeySpec pkcs8KeySpec = new PKCS8EncodedKeySpec(keyBytes);
KeyFactory keyFactory = KeyFactory.getInstance(KEY_ALGORITHM);
PrivateKey privateK = keyFactory.generatePrivate(pkcs8KeySpec);
Signature signature = Signature.getInstance(SIGNATURE_ALGORITHM);
signature.initSign(privateK);
signature.update(data);
return Base64.encodeBase64String(signature.sign());
}
/**
* 用公钥校验数字签名
*
* @param data 已加密数据
* @param publicKey 公钥(BASE64编码)
* @param sign 数字签名
* @return
* @throws Exception
*/
public static boolean verify(byte[] data, String publicKey, String sign) throws Exception {
byte[] keyBytes = Base64.decodeBase64(publicKey);
X509EncodedKeySpec keySpec = new X509EncodedKeySpec(keyBytes);
KeyFactory keyFactory = KeyFactory.getInstance(KEY_ALGORITHM);
PublicKey publicK = keyFactory.generatePublic(keySpec);
Signature signature = Signature.getInstance(SIGNATURE_ALGORITHM);
signature.initVerify(publicK);
signature.update(data);
return signature.verify(Base64.decodeBase64(sign));
}
/**
* 私钥加密
*
* @param data 数据
* @param privateKey 私钥(BASE64编码)
* @return
* @throws Exception
*/
public static byte[] encryptByPrivateKey(byte[] data, String privateKey) throws Exception {
byte[] keyBytes = Base64.decodeBase64(privateKey);
PKCS8EncodedKeySpec pkcs8KeySpec = new PKCS8EncodedKeySpec(keyBytes);
KeyFactory keyFactory = KeyFactory.getInstance(KEY_ALGORITHM);
Key privateK = keyFactory.generatePrivate(pkcs8KeySpec);
Cipher cipher = Cipher.getInstance(keyFactory.getAlgorithm()); //获取算法
cipher.init(Cipher.ENCRYPT_MODE, privateK); //设置加密模式,并指定私钥
// 对数据分段加密
int inputLen = data.length;
ByteArrayOutputStream out = new ByteArrayOutputStream();
int offSet = 0;
byte[] buffer;
int i = 0;
while (inputLen - offSet > 0) {
if (inputLen - offSet > MAX_ENCRYPT_BLOCK) {
buffer = cipher.doFinal(data, offSet, MAX_ENCRYPT_BLOCK);
} else {
buffer = cipher.doFinal(data, offSet, inputLen - offSet);
}
out.write(buffer, 0, buffer.length);
i++;
offSet = i * MAX_ENCRYPT_BLOCK;
}
byte[] encryptedData = out.toByteArray();
out.close();
return encryptedData;
}
/**
* 私钥解密
*
* @param encryptedData 已加密数据
* @param privateKey 私钥(BASE64编码)
* @return
* @throws Exception
*/
public static byte[] decryptByPrivateKey(byte[] encryptedData, String privateKey) throws Exception {
byte[] keyBytes = Base64.decodeBase64(privateKey);
PKCS8EncodedKeySpec pkcs8KeySpec = new PKCS8EncodedKeySpec(keyBytes);
KeyFactory keyFactory = KeyFactory.getInstance(KEY_ALGORITHM);
Key privateK = keyFactory.generatePrivate(pkcs8KeySpec);
Cipher cipher = Cipher.getInstance(keyFactory.getAlgorithm()); //获取算法
cipher.init(Cipher.DECRYPT_MODE, privateK); //设置解密模式,并指定私钥
// 对数据分段解密
int inputLen = encryptedData.length;
ByteArrayOutputStream out = new ByteArrayOutputStream();
int offSet = 0;
byte[] buffer;
int i = 0;
while (inputLen - offSet > 0) {
if (inputLen - offSet > MAX_DECRYPT_BLOCK) {
buffer = cipher.doFinal(encryptedData, offSet, MAX_DECRYPT_BLOCK);
} else {
buffer = cipher.doFinal(encryptedData, offSet, inputLen - offSet);
}
out.write(buffer, 0, buffer.length);
i++;
offSet = i * MAX_DECRYPT_BLOCK;
}
byte[] decryptedData = out.toByteArray();
out.close();
return decryptedData;
}
/**
* 公钥加密
*
* @param data 数据
* @param publicKey 公钥(BASE64编码)
* @return
* @throws Exception
*/
public static byte[] encryptByPublicKey(byte[] data, String publicKey) throws Exception {
byte[] keyBytes = Base64.decodeBase64(publicKey);
X509EncodedKeySpec x509KeySpec = new X509EncodedKeySpec(keyBytes);
KeyFactory keyFactory = KeyFactory.getInstance(KEY_ALGORITHM);
Key publicK = keyFactory.generatePublic(x509KeySpec);
Cipher cipher = Cipher.getInstance(keyFactory.getAlgorithm()); //获取算法
cipher.init(Cipher.ENCRYPT_MODE, publicK); //设置加密模式,并指定公钥
// 对数据分段加密
int inputLen = data.length;
ByteArrayOutputStream out = new ByteArrayOutputStream();
int offSet = 0;
byte[] buffer;
int i = 0;
while (inputLen - offSet > 0) {
if (inputLen - offSet > MAX_ENCRYPT_BLOCK) {
buffer = cipher.doFinal(data, offSet, MAX_ENCRYPT_BLOCK);
} else {
buffer = cipher.doFinal(data, offSet, inputLen - offSet);
}
out.write(buffer, 0, buffer.length);
i++;
offSet = i * MAX_ENCRYPT_BLOCK;
}
byte[] encryptedData = out.toByteArray();
out.close();
return encryptedData;
}
/**
* 公钥解密
*
* @param encryptedData 已加密数据
* @param publicKey 公钥(BASE64编码)
* @return
* @throws Exception
*/
public static byte[] decryptByPublicKey(byte[] encryptedData, String publicKey) throws Exception {
byte[] keyBytes = Base64.decodeBase64(publicKey);
X509EncodedKeySpec x509KeySpec = new X509EncodedKeySpec(keyBytes);
KeyFactory keyFactory = KeyFactory.getInstance(KEY_ALGORITHM);
Key publicK = keyFactory.generatePublic(x509KeySpec);
Cipher cipher = Cipher.getInstance(keyFactory.getAlgorithm()); //获取算法
cipher.init(Cipher.DECRYPT_MODE, publicK); //设置解密模式,并指定公钥
// 对数据分段解密
int inputLen = encryptedData.length;
ByteArrayOutputStream out = new ByteArrayOutputStream();
int offSet = 0;
byte[] buffer;
int i = 0;
while (inputLen - offSet > 0) {
if (inputLen - offSet > MAX_DECRYPT_BLOCK) {
buffer = cipher.doFinal(encryptedData, offSet, MAX_DECRYPT_BLOCK);
} else {
buffer = cipher.doFinal(encryptedData, offSet, inputLen - offSet);
}
out.write(buffer, 0, buffer.length);
i++;
offSet = i * MAX_DECRYPT_BLOCK;
}
byte[] decryptedData = out.toByteArray();
out.close();
return decryptedData;
}
/**
* 获取私钥
*
* @param keyMap
* @return
* @throws Exception
*/
public static String getPrivateKey(Map<KeyType, Object> keyMap) {
Key key = (Key) keyMap.get(KeyType.PRIVATE_KEY);
return Base64.encodeBase64String(key.getEncoded());
}
/**
* 获取公钥
*
* @param keyMap
* @return
* @throws Exception
*/
public static String getPublicKey(Map<KeyType, Object> keyMap) throws Exception {
Key key = (Key) keyMap.get(KeyType.PUBLIC_KEY);
return Base64.encodeBase64String(key.getEncoded());
}
public static void main(String[] args) throws Exception {
String password = "123456"; //加解密的密码
int keySize = 2048; //秘钥的长度:1024 或 2048
Map<KeyType, Object> keyMap = RSAUtil.genKeyPair(password, keySize);
String publicKey = RSAUtil.getPublicKey(keyMap);
String privateKey = RSAUtil.getPrivateKey(keyMap);
System.out.println("publicKey : " + publicKey);
System.out.println("privateKey : " + privateKey);
System.out.println();
System.out.println("公钥加密 -- 私钥解密");
String data = "RSA 非对称加密算法:公钥加密 -- 私钥解密";
System.out.println("明文 :" + data);
byte[] encryptData = RSAUtil.encryptByPublicKey(data.getBytes(), publicKey);
System.out.println("公钥加密 :" + Hex.encodeHexString(encryptData));
byte[] decryptData = RSAUtil.decryptByPrivateKey(encryptData, privateKey);
System.out.println("私钥解密 :" + new String(decryptData));
System.out.println();
System.out.println("私钥加密 -- 公钥解密");
String data2 = "RSA 非对称加密算法:私钥加密 -- 公钥解密";
System.out.println("明文 :" + data2);
byte[] encryptData2 = RSAUtil.encryptByPrivateKey(data2.getBytes(), privateKey);
System.out.println("私钥加密 :" + Hex.encodeHexString(encryptData2));
byte[] decryptData2 = RSAUtil.decryptByPublicKey(encryptData2, publicKey);
System.out.println("公钥解密 :" + new String(decryptData2));
System.out.println();
System.out.println("私钥签名 -- 公钥验证签名");
String sign = RSAUtil.sign(encryptData2, privateKey);
System.out.println("私钥签名 :" + sign);
boolean status = RSAUtil.verify(encryptData2, publicKey, sign);
System.out.println("公钥验证签名 :" + status);
}
}