2014年从msn space存档中重新恢复出来！

以下内容摘自bouncycastle的邮件列表中针对某人问题的回复，对于理解PGP的基本概念有所帮助，故此摘录如下，以备参考。

If I'm saying anything basic that you already know, please forgive me. I mean no offense; I'm just not sure what level to start from. You mentioned a five digit PIN number and a certificate. It sounds like you need to encrypt the PIN number so you can send it across the network, and some other party can read it? Allow me to offer a few basics. DES and Triple-DES ("3DES" or "DESede") are "symmetric cipher algorithms." This means they use the same key to encrypt and to decrypt. This key is usually called a "secret key". DES keys are 8 bytes long (64 bits, of which 8 are parity). Triple-DES keys are 24 bytes long (192 bits of key, 24 bits of parity). Also, DES and 3DES are "block cipher" algorithms. That is, they work on blocks of data. The block size for DES and 3DES is 64 bits, or 8 bytes. By comparison, RSA is a "public key" algorithm. That is, RSA actually uses a key pair. There is a "public key" and a matching "private key." The public key is usually distributed inside an X.509 certificate, though this is not strictly required. As the name suggests, the private key is never distributed. These days, RSA keys are typically 1024 bits long, or 128 bytes. Using the default algorithm, an RSA key can be used to encrypt up to N-11 bytes of data, where N is the key length in bytes. Normally, one does not encrypt data directly with an RSA key. Instead, one creates a one-time-use random key for a symmetric cipher. (For instance, one might generate 24 bytes of random data for use as a 3DES key.) For convenience, let's call that key "Kmsg" (the "message" key). One would then encrypt the actual message data using this message key. Then, one encrypts Kmsg using the RSA public key of the intended message recipient. Finally, send the encrypted message and the encrypted Kmsg to the recipient. As a specific example, suppose Alice wants to send Bob an encrypted message. Let's say Alice decides to use DES. Alice generates Kmsg. Let's suppose Kmsg = 0x1234567812345678 (eight bytes). We'll call the message M. Alice applies DES to encrypt M with Kmsg: DES(M,Kmsg) Now, Alice encrypts Kmsg with Bob's public key: RSAPUB(Kmsg,Bob) Alice sends Bob both DES(M,Kmsg) and RSAPUB(Kmsg,Bob). Bob uses his private key: RSAPRIV (RSAPUB (Kmsg, Bob), Bob) == Kmsg. Then, Bob uses the recovered Kmsg to decrypt DES(M,Kmsg) and gets back M. One nice advantage of this scheme is that Alice can send the encrypted message to all of Bob, Carol, and David very simply. Alice simply sends: { DES(M,Kmsg), RSAPUB(Kmsg,Bob), RSAPUB(Kmsg,Carol), RSAPUB(Kmsg,David) } Each recipient uses the corresponding private key to decrypt one of the RSAPUBs and then decrypt the original message. In fact, this is how encrypted mail (S/MIME) works. Phew, now, back to your case. If you really have a five digit PIN, you can actually encrypt the PIN directly using RSA, or you can do what is described above. Hope this helps clarify matters some.

©王福强个人版权所有, All Rights Reserved.

Copyright © 王福强个人版权所有 - Since 2004