On Sat, Jul 10, 2010 at 12:13 PM, Jeffrey Walton <noloa...@gmail.com> wrote:
> > The general approach is to encrypt data using a symmetric cipher (e.g.,
> > AES-256) with a randomly-generated key, and then encrypt that symmetric key
> > with the RSA (public) key.
>
> AES-256 requires a RSA modulus with an equivalent strength, which is a
> 15360 (IIRC). If you choose RSA-1024 or RSA-2048, you are off by
> orders of magnitude.

You make it sound like the AES algorithm itself somehow imposes requirements on how its key can be protected.

I would say it more like this:

"A 256-bit AES key ought to be encrypted with an equivalent strength RSA key, 15360-bit, otherwise its resistance to attack is reduced to the strength of the RSA key."

Or maybe like this:

"If you choose a 2048-bit RSA key to protect the AES key, you might as well use AES-128, since AES-256 won't buy you any additional strength."

Phillip
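The weakest-link argument in this exchange, worked through as an added example that is not part of the original thread. It assumes the GNFS-based strength estimate given in NIST's FIPS 140-2 Implementation Guidance; the function names are hypothetical, and the estimates differ slightly from the rounded SP 800-57 table values (80/112/128/192/256 bits).

```python
import math

def rsa_strength_bits(modulus_bits: int) -> float:
    """Estimated symmetric-equivalent strength of an RSA modulus.

    Assumption: GNFS running-time estimate in the form used by the
    FIPS 140-2 Implementation Guidance. It is an estimate, not an exact figure.
    """
    n = modulus_bits * math.log(2)  # natural log of the modulus
    work = 1.923 * n ** (1 / 3) * math.log(n) ** (2 / 3) - 4.69
    return work / math.log(2)       # convert from nats to bits

def hybrid_strength(aes_bits: int, rsa_modulus_bits: int):
    """Effective strength of 'AES data key wrapped with RSA' and its weakest link."""
    rsa = rsa_strength_bits(rsa_modulus_bits)
    if rsa < aes_bits:
        return rsa, "RSA key wrap"
    return float(aes_bits), "AES cipher"

def min_modulus_for(target_bits: int, step: int = 256) -> int:
    """Smallest modulus size (multiple of `step`) whose estimate reaches target_bits."""
    bits = step
    while rsa_strength_bits(bits) < target_bits:
        bits += step
    return bits

if __name__ == "__main__":
    # Constructed combinations covering the sizes named in the thread.
    for aes in (128, 256):
        for rsa in (1024, 2048, 15360):
            eff, weakest = hybrid_strength(aes, rsa)
            print(f"AES-{aes} + RSA-{rsa}: ~{eff:.0f} bits, limited by {weakest}")
    print("Estimated modulus size matching AES-256:", min_modulus_for(256))
```

With RSA-2048 the AES-128 and AES-256 rows report the same effective strength, which is the second phrasing proposed in the reply.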