Re: RSACryptoServiceProvider questions

From: Thomas Pornin (pornin_at_nerim.net)
Date: 10/29/03 

Date: Wed, 29 Oct 2003 08:19:17 +0000 (UTC)

According to Daryn Kiely <anonymous@discussions.microsoft.com>:
> 1) Why is it that if I try to encrypt something that is
> longer than 117 bytes I get an cryptographic exception
> with an invalid length? My key is 1024 bits, so I would
> expect to be able to use a block size of 128 bytes (ok, I
> must be missing something here, but what????).

-- A RSA public key is a bit integer and the core algorithm handles
only inputs up to but not including that integer value. Therefore,
whatever happens, you cannot encrypt 128 arbitrary bytes with a
1024-bit RSA key; you are limited to 127 bytes and 7 bits.

-- The core RSA algorithm is a simple modular exponentiation but this
leads, in practical situations, to a number of security problems. Those
problems are solved by applying a correct "padding scheme" on the input
data, which uses a few input bytes. The standard padding scheme is
defined in PKCS#1 and uses 11 bytes (actually 10 bytes and the "partial
byte" at the upper end of the modulus), hence your figure of 117 bytes.
Newer versions of PKCS#1 include a new padding scheme called OAEP which
uses a few more bytes, but is believed to be even more secure (not that
the old scheme has been broken, but OAEP security has been "proven" [in
a sense which is not easily explained to the non-cryptographer]).

Besides, the encrypted text always has the size of the modulus, 128
bytes if the key is a 1024-bit key. With RSA you cannot have a
non-expanding encryption.

> 2) What does a Cryptograhic exception with the
> message "Bad Data" really mean? I have not been able to
> find any documentation anywhere and have been getting
> this regularly when trying to decrypt a message. I am
> just a little frustrated!!!

Upon decryption, the presence of the padding used for encryption is
verified. If that padding fails to be present, you get an error message.

I don't know what you are trying to do, but it suspiciously looks
like a home-made protocol with a few cryptographic algorithms thrown
it partly at random. Be advised that the design of a cryptographic
protocol is a very difficult task and home-made designs achieve almost
never a decent level of security. What I call a "protocol" is the
assembly of one or more algorithms into an implementable software
which provides some security functionality; for instance, the SSL
protocol uses several algorithms (RSA, 3DES, SHA-1...) and provides an
authenticated bi-directionnal channel for arbitrary data, and ensures
confidentiality and integrity of such data. If security matters for you
(and I expect it does, otherwise you would not try to use cryptographic
algorithms), you should stick to published protocols which have been
inspected and corected for several years by many experts in the field.

        --Thomas Pornin

Quantcast