RE: max length to encrypt
Chuck Pareto wrote:

> I'm not sure what you mean by "shouldn't be using public-key
> encryption", why?

Because you don't understand its properties, so there's no way you can know whether or not it meets your security requirements.

> It seems like .Net sets up a nice class that is easily
> implemented, all I need is the key and the exponent and I can
> encrypt and decrypt when needed.

Right, except you don't get any security.

> I don't think I really have a choice about what to use, I recently
> started in a group that has a public and private key they are using
> to encrypt and then decrypt strings of data.

Which is fine if, for example, those strings of data are randomly-chosen keys for a symmetric cipher. It is, however, not fine if those strings are messages.

> I don't think I can change that. What would be the advantages of doing
> what you suggest and using symmetric encryption to encrypt and PK
> encryption for encrypting the key?

The advantage would be that if you have reasonable security objectives, there's a good chance the algorithm would meet them. Numerous attacks against RSA are known -- RSA is just an algorithm, it is not a scheme -- and you need a well-designed cryptographic scheme to meet actual security requirements.

http://crypto.stanford.edu/~dabo/abstracts/RSAattack-survey.html

> I don't think we have a symmetric key because we are using RSA with
> a public and private key.

That's a non sequitur. The public and private key could be being used to encipher and decipher the symmetric key. This is the normal approach.

> If you think your approach is better please let me know and I will
> discuss it with my group and see if we can make a change.

If your group includes a security expert, this kind of stuff would already be done. If it doesn't, the likelihood of this making things any better isn't really all that great.
DS
__
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
Re: max length to encrypt
Hi Phillip,

I'm not sure what you mean by "shouldn't be using public-key encryption", why? It seems like .Net sets up a nice class that is easily implemented, all I need is the key and the exponent and I can encrypt and decrypt when needed.

I don't think I really have a choice about what to use, I recently started in a group that has a public and private key they are using to encrypt and then decrypt strings of data. I don't think I can change that. What would be the advantages of doing what you suggest and using symmetric encryption to encrypt and PK encryption for encrypting the key? I don't think we have a symmetric key because we are using RSA with a public and private key. If you think your approach is better please let me know and I will discuss it with my group and see if we can make a change.

I think we are using PKCS1 because the max length is 256 - 11

On Wed, Jun 2, 2010 at 5:15 AM, Phillip Hellewell wrote:

> On Thu, May 27, 2010 at 2:20 PM, Chuck Pareto wrote:
> > Hi,
> > I'm still unsure as to the max length string I can use to encrypt. I'm using
> > the rsacrypto class in .net to encrypt.
> > I know I can't pass in a string that's 256 bytes long or greater because
> > there is an exception that gets thrown. But as I work my way back in length
> > I still get exceptions with string lengths smaller than 256.
>
> If it's using PKCS1 padding (most common), then the max length is 11
> bytes less than the key size, so 256-11.
>
> But like David said, you shouldn't be using public-key encryption
> directly unless you know what you're doing. The normal approach is to
> use symmetric encryption (e.g., AES) to encrypt the data, and PK
> encryption for encrypting the symmetric key.
>
> Phillip
Re: max length to encrypt
On Thu, May 27, 2010 at 2:20 PM, Chuck Pareto wrote:

> Hi,
> I'm still unsure as to the max length string I can use to encrypt. I'm using
> the rsacrypto class in .net to encrypt.
> I know I can't pass in a string that's 256 bytes long or greater because
> there is an exception that gets thrown. But as I work my way back in length
> I still get exceptions with string lengths smaller than 256.

If it's using PKCS1 padding (most common), then the max length is 11 bytes less than the key size, so 256-11.

But like David said, you shouldn't be using public-key encryption directly unless you know what you're doing. The normal approach is to use symmetric encryption (e.g., AES) to encrypt the data, and PK encryption for encrypting the symmetric key.

Phillip
RE: max length to encrypt: direct RSA
> From: owner-openssl-us...@openssl.org On Behalf Of Chuck Pareto
> Sent: Thursday, 27 May, 2010 16:20

> I'm still unsure as to the max length string I can use to
> encrypt. I'm using the rsacrypto class in .net to encrypt.
> I know I can't pass in a string that's 256 bytes long or greater
> because there is an exception that gets thrown. But as I work my way
> back in length I still get exceptions with string lengths
> smaller than 256.
>
> On May 26, 2010, at 4:56 PM, "David Schwartz" wrote:
>
> > Chuck Pareto wrote:
> >
> >> if my public key is 256 bytes long, what is the max length
> >> of the string I can use to encrypt? Is it 256?

As I said in a previous message:

Note: directly encrypting data (strings or other) with RSA is limited to somewhat less than the "key size" (more exactly, the modulus size). For a typical 1024-bit modulus this is about 100 bytes or maybe less.

Expanding on this: The exact amount subtracted from the raw key size depends on the overhead or 'padding' added by the encryption scheme. The two common schemes for RSA encryption are PKCS1 and OAEP (this terminology is historical and now inaccurate, because PKCS1 version 2 actually includes OAEP too, but that's what everyone understands; pedants say PKCS1v1.5). If you don't specify otherwise, you're likely using PKCS1, which is/was the historical 'least common denominator', and takes 11 bytes*.

As I and David Schwartz noted, directly encrypting data with RSA (and decrypting) is not usual practice, because most people have found that these random-looking limits on data size are unacceptable. I have no idea what your programming experience is, but in 30+ years I have found that whenever people promise solemnly on a stack of Bibles "we will never need more than X data", they ALMOST ALWAYS DO.

* Technically octets because technically bytes aren't always 8 bits, but for most people and all mainstream app systems today they are. Definitely for any Windows, and I presume other dotnet i.e. mono.
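The 11-byte figure discussed in this thread comes from the EME-PKCS1-v1_5 block layout in RFC 8017 (0x00, 0x02, at least 8 non-zero random bytes, 0x00, then the message), and OAEP costs 2*hLen + 2 bytes instead. The following example is added here (it is not code from the thread, from OpenSSL or from the .NET class being discussed) and builds and unpacks that block in pure Python so the limits for a 256-byte modulus, and the exception Chuck is seeing, can be reproduced.

```python
import hashlib
import os

# EME-PKCS1-v1_5 (RFC 8017 section 7.2.1): EM = 0x00 || 0x02 || PS || 0x00 || M
# PS must be at least 8 non-zero random bytes, so a k-byte modulus leaves k - 11 for M.
PKCS1_V15_OVERHEAD = 11


def max_plaintext_len(k, scheme="pkcs1v15", hash_name="sha1"):
    """Largest message (in bytes) RSA can encrypt directly with a k-byte modulus."""
    if scheme == "pkcs1v15":
        return k - PKCS1_V15_OVERHEAD
    if scheme == "oaep":
        # RSAES-OAEP (RFC 8017 section 7.1.1): mLen <= k - 2*hLen - 2
        h_len = hashlib.new(hash_name).digest_size
        return k - 2 * h_len - 2
    raise ValueError("unknown scheme %r" % scheme)


def pkcs1_v15_encode(message, k):
    """Build the padded block that the RSA primitive would then encrypt."""
    ps_len = k - len(message) - 3
    if ps_len < 8:
        # Same condition that makes the .NET class throw for long inputs.
        raise ValueError("message too long: max is %d bytes" % (k - PKCS1_V15_OVERHEAD))
    ps = bytearray()
    while len(ps) < ps_len:
        # 0x00 is the terminator of PS, so it must not appear inside PS.
        ps.extend(b for b in os.urandom(ps_len) if b != 0)
    return b"\x00\x02" + bytes(ps[:ps_len]) + b"\x00" + message


def pkcs1_v15_decode(em, k):
    """Strip the padding after decryption. A production decryptor must make this
    check non-leaking (constant time); this version only shows the format."""
    if len(em) != k or em[:2] != b"\x00\x02":
        raise ValueError("invalid padding")
    sep = em.find(b"\x00", 2)
    if sep < 0 or sep - 2 < 8:
        raise ValueError("invalid padding")
    return em[sep + 1:]


if __name__ == "__main__":
    k = 256  # 2048-bit modulus, the "256 bytes" from the thread
    print("PKCS1 v1.5 max:", max_plaintext_len(k))
    print("OAEP-SHA1 max:", max_plaintext_len(k, "oaep", "sha1"))
    print("OAEP-SHA256 max:", max_plaintext_len(k, "oaep", "sha256"))
    block = pkcs1_v15_encode(b"A" * 245, k)  # constructed sample message
    print("round trip ok:", pkcs1_v15_decode(block, k) == b"A" * 245)
```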
Re: max length to encrypt
Hi,

I'm still unsure as to the max length string I can use to encrypt. I'm using the rsacrypto class in .net to encrypt.
I know I can't pass in a string that's 256 bytes long or greater because there is an exception that gets thrown. But as I work my way back in length I still get exceptions with string lengths smaller than 256.

On May 26, 2010, at 4:56 PM, "David Schwartz" wrote:

> Chuck Pareto wrote:
>
> > if my public key is 256 bytes long, what is the max length
> > of the string I can use to encrypt? Is it 256?
>
> If the output is exactly 256 bytes, there are (in theory) 2^(256*8) possible outputs. That means there can be at most 2^(256*8) possible inputs. There are more than 2^(256*8) possible input strings of 256 bytes or less (since there are that many strings just of exactly 256 bytes). So there's no way it can possibly take all input strings of 256 bytes or less.
>
> In any event, unless you know exactly what you are doing, you should not be using PK algorithms directly. There are *way* too many gotchas. Use a system that includes the PK algorithm you.
>
> DS
RE: max length to encrypt
Chuck Pareto wrote:

> if my public key is 256 bytes long, what is the max length
> of the string I can use to encrypt? Is it 256?

If the output is exactly 256 bytes, there are (in theory) 2^(256*8) possible outputs. That means there can be at most 2^(256*8) possible inputs. There are more than 2^(256*8) possible input strings of 256 bytes or less (since there are that many strings just of exactly 256 bytes). So there's no way it can possibly take all input strings of 256 bytes or less.

In any event, unless you know exactly what you are doing, you should not be using PK algorithms directly. There are *way* too many gotchas. Use a system that includes the PK algorithm you.

DS