From: kevin.tambascio@gmail.com on 12 Apr 2006 18:10 I've been evaluating the use of the BigDigits library, versus OpenSSL for their RSA implementation. I am using 1024-bit RSA keys. Should the cipher data size always equal the length of the key? For instance, if I want to compute a digital signature, and encrypt the hash (20 bytes) of the contents, will the resulting data always be 128 bytes? I haven't had much luck finding information about how cipher data length correlates to the key length. I'm fairly new to RSA in general, so I'd appreciate any links, info, etc. Regards, Kevin
From: Paul Rubin on 12 Apr 2006 18:28
"kevin.tambascio(a)gmail.com" <kevin.tambascio(a)gmail.com> writes:
> I've been evaluating the use of the BigDigits library, versus OpenSSL
> for their RSA implementation. I am using 1024-bit RSA keys. Should
> the cipher data size always equal the length of the key? For instance,
> if I want to compute a digital signature, and encrypt the hash (20
> bytes) of the contents, will the resulting data always be 128 bytes? I
> haven't had much luck finding information about how cipher data length
> correlates to the key length. I'm fairly new to RSA in general, so I'd
> appreciate any links, info, etc.
The ciphertext is the same length as the modulus, 128 bytes in this case. Is this an educational project or something for actual deployment? If it's for education, you need to read up on RSA padding schemes; "PKCS #1" might be a reasonable place to start. If it's for deployment, you should not be using this approach of starting from raw RSA, but rather, use a package that follows an appropriate standard. Your best bet is probably to get someone already knowledgeable to handle the implementation side. There's a lot of ways to make errors with this stuff.
From: Joseph Ashwood on 12 Apr 2006 21:17
<kevin.tambascio(a)gmail.com> wrote in message news:1144879806.986853.225520(a)v46g2000cwv.googlegroups.com...
> I've been evaluating the use of the BigDigits library, versus OpenSSL
> for their RSA implementation. I am using 1024-bit RSA keys. Should
> the cipher data size always equal the length of the key?
With reasonable assurance yes. In theory there is approximately a 50% chance it can be trimmed to 1 bit shorter, 25% chance of 2 bits, 1/8 chance of 3, ..... 1/2^k chance of k bits shorter. Basically you need to accommodate this in your code, but it won't happen.
> I
> haven't had much luck finding information about how cipher data length
> correlates to the key length.
With RSA it is security critical to have the input no less than a few bits shorter than the input. This is done a number of ways; a quick Google for OAEP (encryption) and PSS (signature) will give you two of the best. As Paul pointed out you will probably also want to read the PKCS specifications; they are very good for presenting a standard.
> I'm fairly new to RSA in general, so I'd
> appreciate any links, info, etc.
We've all been there, but trust us on this: if this is for you to play around with, have fun; if this is for use by others you need a crypto heavy on your side. You will make mistakes, we've all made them, and a good cryptanalyst on your side will help you fix the mistakes before anyone else sees them. Joe
From: Unruh on 13 Apr 2006 10:26
"kevin.tambascio(a)gmail.com" <kevin.tambascio(a)gmail.com> writes:
>I've been evaluating the use of the BigDigits library, versus OpenSSL
>for their RSA implementation. I am using 1024-bit RSA keys. Should
>the cipher data size always equal the length of the key? For instance,
>if I want to compute a digital signature, and encrypt the hash (20
>bytes) of the contents, will the resulting data always be 128 bytes? I
Yes. However, if you encrypt 20 bytes with RSA and the encryption is less than 1024 bits (e.g. 60 bytes), then the encryption is very very very very weak. I.e., it can be reversed in microseconds. That is why one of the rules of using RSA is that all data MUST be padded so that its length equals at least 1023 bits. (The data must be less than N, the modulus, but should be only slightly less, and in all cases must be greater-- preferably significantly greater-- than N^(1/e), i.e. length greater than L(N)/e, where e is the public key power.)
>haven't had much luck finding information about how cipher data length
>correlates to the key length. I'm fairly new to RSA in general, so I'd
>appreciate any links, info, etc.
All data MUST have a length significantly greater than Length(modulus)/e. If your e is 3 and you use a 1024 bit key, then the length of the text must be greater than 342 bits, or 43 bytes-- preferably much greater (but less than 1024 bits or 256 bytes).
>Regards,
>Kevin
From: kevin.tambascio@gmail.com on 13 Apr 2006 12:40
The result we are seeing is that once in a while the resulting cipher data length is 127 bytes, using OpenSSL's RSA encrypt routine. Most of the time, we are seeing 128 bytes as the length of the cipher data. The plain data is 20 bytes; it is a SHA-1 hash of another piece of data. Our e is currently 65536 (0x10001), which is what OpenSSL currently uses.
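The points raised across this thread (Paul's "ciphertext is the modulus length", Joe's 1/2^k chance of a shorter result, Unruh's warning about short unpadded input with a small e, and the 127-byte results Kevin reports) can all be exercised in one small textbook-RSA script. The following is an added example for this thread, not code from OpenSSL, BigDigits, or any poster; every function name in it (generate_key, output_length_survey, emsa_pkcs1_v15_sha1, cube_root_attack, and so on) is the example's own, the "constructed sample document" input is made up, and the key generation is a plain Miller-Rabin routine written for the demo. The DigestInfo prefix for SHA-1 is the one given in PKCS #1.

```python
"""Textbook RSA demo written for this thread (hypothetical helper code, not from
OpenSSL or BigDigits). It shows: the modexp result minimally encoded is sometimes
127 bytes while the PKCS #1 I2OSP encoding is always k = 128; EMSA-PKCS1-v1_5
padding of a SHA-1 digest up to the modulus size; and why an unpadded 20-byte
hash raised to e = 3 is recovered by an integer cube root with no private key."""
import hashlib
import math
import random
import secrets

# DER prefix of DigestInfo for SHA-1 (AlgorithmIdentifier + OCTET STRING header), from PKCS #1
SHA1_DIGESTINFO = bytes.fromhex("3021300906052b0e03021a05000414")
SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47]


def is_probable_prime(n, rounds=32):
    """Miller-Rabin after trial division by a few small primes."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits):
    """Random prime of exactly `bits` bits (top bit and low bit forced to 1)."""
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def generate_key(bits=1024, e=65537):
    """Return (n, e, d) with n of exactly `bits` bits and gcd(e, phi) == 1."""
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        n, phi = p * q, (p - 1) * (q - 1)
        if p != q and n.bit_length() == bits and math.gcd(e, phi) == 1:
            return n, e, pow(e, -1, phi)


def i2osp(x, k):
    """PKCS #1 I2OSP: big-endian, zero-padded on the left to exactly k bytes."""
    return x.to_bytes(k, "big")


def minimal_encoding(x):
    """Only the significant bytes of x; this is what yields a 127-byte result."""
    return x.to_bytes((x.bit_length() + 7) // 8, "big")


def output_length_survey(n, e, trials=4096):
    """Raise `trials` random 20-byte values to the public exponent (no padding; only to
    measure lengths). Returns (results whose minimal encoding is shorter than k,
    whether I2OSP gave exactly k bytes every time). Expect about trials/256 short ones."""
    k = (n.bit_length() + 7) // 8
    short, fixed_ok = 0, True
    for _ in range(trials):
        c = pow(int.from_bytes(secrets.token_bytes(20), "big"), e, n)
        short += len(minimal_encoding(c)) < k
        fixed_ok &= len(i2osp(c, k)) == k
    return short, fixed_ok


def emsa_pkcs1_v15_sha1(message, k):
    """EMSA-PKCS1-v1_5: 00 01 FF..FF 00 || DigestInfo(SHA-1(message)), k bytes long."""
    t = SHA1_DIGESTINFO + hashlib.sha1(message).digest()
    if k < len(t) + 11:
        raise ValueError("modulus too short for this encoding")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def sign_pkcs1_v15_sha1(message, n, d):
    """Signature is always k bytes because I2OSP fixes the length."""
    k = (n.bit_length() + 7) // 8
    em = int.from_bytes(emsa_pkcs1_v15_sha1(message, k), "big")
    return i2osp(pow(em, d, n), k)


def verify_pkcs1_v15_sha1(message, sig, n, e):
    """Recompute the expected encoding and compare the whole k-byte block."""
    k = (n.bit_length() + 7) // 8
    if len(sig) != k or int.from_bytes(sig, "big") >= n:
        return False
    return i2osp(pow(int.from_bytes(sig, "big"), e, n), k) == emsa_pkcs1_v15_sha1(message, k)


def icbrt(c):
    """Integer cube root: smallest x with x**3 >= c (binary search; exact for perfect cubes)."""
    lo, hi = 0, 1 << (c.bit_length() // 3 + 2)
    while lo < hi:
        mid = (lo + hi) // 2
        if mid ** 3 < c:
            lo = mid + 1
        else:
            hi = mid
    return lo


def cube_root_attack(c):
    """e = 3 with an unpadded m where m**3 < n: c is m**3 over the integers, so m is
    recovered without d. Returns None when c is not a perfect cube (padded input)."""
    m = icbrt(c)
    return m if m ** 3 == c else None


if __name__ == "__main__":
    n, e, d = generate_key(1024, 65537)
    print("short minimal encodings / I2OSP always 128:", output_length_survey(n, e))
    msg = b"constructed sample document"  # constructed input for the demo
    sig = sign_pkcs1_v15_sha1(msg, n, d)
    print("signature bytes:", len(sig), "verifies:", verify_pkcs1_v15_sha1(msg, sig, n, e))
    n3, _, _ = generate_key(1024, 3)
    h = int.from_bytes(hashlib.sha1(msg).digest(), "big")
    print("cube root recovers unpadded hash:", cube_root_attack(pow(h, 3, n3)) == h)
    em = int.from_bytes(emsa_pkcs1_v15_sha1(msg, 128), "big")
    print("cube root against padded value:", cube_root_attack(pow(em, 3, n3)))
```

The survey is the thread's length question in numbers: the integer result of the modexp is uniformly spread below n, so its top byte is zero about one time in 256 and a minimal encoding comes out at 127 bytes, while the fixed-length I2OSP encoding that PKCS #1 specifies is 128 bytes every time; a verifier that compares the full k-byte block, as verify_pkcs1_v15_sha1 does, never has to special-case the short ones. The cube-root section is Unruh's point: a 20-byte hash cubed is 480 bits, far below a 1024-bit modulus, so the modular reduction never happens and the "ciphertext" is undone by integer arithmetic, whereas the same hash padded to 1023 bits wraps around n and the cube root no longer exists.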