Hello, > > * Philippe Stellwag wrote: > >> is it possible to change the OpenSSL RSA functions so that I can use > >> a different - may be a variable - block size. At the moment the block > >> size on the OpenSSL RSA functions depends on the length of the RSA > >> key pair and the kind of padding (following PKCS#1 v1.5, which means > >> 11 byte random data): > >> > >> key lenght block size available space > >> > >> 2024 bit 256 byte 245 byte > >> 1024 bit 128 byte 105 byte > >> 768 bit 96 byte 85 > >> > >> Normally, on symmetric encryption the block size _must_ be the same > >> as the key lenght. > > Not exactly, for example: > > AES128: key: 16bytes, block: 16bytes > > AES192: key: 24bytes, block: 16bytes > > AES256: key: 32bytes, block: 16bytes > > DES3 : key: 24bytes, block: 8bytes > > and of course des which has key_len == block_len: > > DES : key: 8bytes, block: 8bytes > Okay, thanks for that correction! > >> But on asymmetric encryption methods - I think - > >> the block size not depends on that restriction, or is there another > >> point, which forces such a fixed block size? > > Amount of data which may be encrypted with RSA depends on algorithm. > > If you have private key (d,n) and public key (e,n) where n=p*q, > > where p and q are prime numbers. > > Encryption of plain P: > > C = P^e mod n > > Decryption of cipher C: > > P = C^d mod n > > > > As you see, you get always result as number from 0 to n-1 (modulo > > operation) and n is RSA key size. > > To be more specific, RSA operation is performed inside multiplicative > > group. > Okay, that means that plain P (interpreted as an integer figure) must > be smaller than n, so that it is between the multiplicative group, > like the following example: > > n=3*5 > phi(n)=(3-1)*(5-1)=8 > e=3 > d=(4*8+1)/3=11 (4 is choosen by me => see Euler) > > P=2 (should work) > C=2^3 mod 15=8 > P=8^11 mod 15=2 (that's it) > > P=41 (not between the multiplicative group (because >15) and so not > unique => shouldn't work) > C=41^3 mod 15=11 > P=11^11 mod 15=(believe me (-:)=11 (not the same integer as 41, > but the same in the multiplicative group: 41 mod 15 = 11 mod 15) or 45 is in the equivalency class of 11
> But can I use e.g. a 1024 bit key pair with a block size of 116 > byte, that is not depending on the problem shown above, isn't it?! > What is the security reason, why not to do this? Of course you can, you can use even block size of 128 (but encoded number must be less than n). Padding is for proper "randomizing" data to guard against some cryptographic attacks such adaptive chosen-plaintext attack. But this depends on situation, in PKCS#1 when private key is used padding is not used for randomizing but rather to extend data to proper (key) length (additional space if filled with 0xff). When public key is used then padding randomizes clear text data (instead of 0xff - random, non zero, data is generated). In PKCS#1 first two bytes informs of key block: 0x0001 - private 0x0002 - public and this should be checked after RSA decrypt. This guards against next type of attack. But all this depends on your environment. There are many padding algorithms, not only PKCS#1, I think that there is possible to "randomize" for example 128 bytes plaintext and not extending length with some already known information. But of course this will not be compatible with existing systems. I read in some book about RSA-CBC scheme, I do not remember know if in this scheme padding is used or not. Or maybe you can send your data in two smaller RSA encrypted messages ? Best regards, -- Marek Marcola <[EMAIL PROTECTED]> ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
