Re: newbie Q's about RSA, OAEP

From: Tom St Denis (tomstdenis_at_iahu.ca)
Date: 11/28/03


Date: Fri, 28 Nov 2003 17:37:56 GMT


"Michael Amling" <nospam@nospam.com> wrote in message
news:tALxb.6146$aw2.2688715@newssrv26.news.prodigy.com...
> Dominic wrote:
> > I've found articles covering the maths behind these algorithms, but is
> > there anything which gives a good introduction to their practical use?
> >
> > Are there recommended minimum/maximum lengths for RSA keys?
>
> 1024-bit modulus is about the minimum these days. You could use 768
> for low-value messages. 16K-bit modulus is the largest I've heard of
> anyone using.

It really depends as you indicated. 1024-bits is a reasonable suggestion.
Though, unless you were dealing with a very slow [or loaded] device I would
just say use 2048-bit RSA keys and not worry about it [worry about the rest
of the system instead!].

No sense edging up the key lengths unless you really have to run the wire...

> > Is it safe (not necessarily efficient) to code long messages in RSA by
> > splitting it into blocks and coding each separately (as you would with
> > Rijndael). Are ECB, CBC modes applicable in that case?
>
> Standard procedure is that if the message doesn't fit into a single
> RSA block, you encrypt the message with a block cipher, and encrypt only
> the keys (the block cipher key, the MAC key, maybe the IV if there is
> one) with RSA.
> Maybe someone else can actually answer your question.

Normally you derive a MAC and cipher key from a master key [e.g. use a
hash]. There is no requirement to encode the IV [the MAC will provide
integrity anyways].

> > Is there an accepted scheme for indicating the length of the message?
>
> AFAIK, each protocol has its own way of indicating length.

Normally the MSB is padded with a 1 bit. The length of the message is the
length of the un-exptmoded integer.

Tom
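
The key handling described in this reply, as an added example that is not part of the original post: a master key (the value that would be RSA-encrypted) is hashed into separate cipher and MAC keys, and the IV travels in the clear under the MAC. The function names, the HMAC-SHA256 derivation labels and the HMAC-based keystream standing in for a block cipher are assumptions of this example.

```python
import hashlib
import hmac
import secrets

def derive_keys(master):
    """Hash the master key under two labels to get independent keys."""
    enc_key = hmac.new(master, b"cipher key", hashlib.sha256).digest()
    mac_key = hmac.new(master, b"mac key", hashlib.sha256).digest()
    return enc_key, mac_key

def _keystream(enc_key, iv, length):
    # Assumption: stand-in for a block cipher in counter mode, because the
    # Python standard library ships no AES. Swap in a real cipher in practice.
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = iv + counter.to_bytes(8, "big")
        out += hmac.new(enc_key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])

def seal(master, plaintext):
    """Encrypt, then MAC the IV together with the ciphertext."""
    enc_key, mac_key = derive_keys(master)
    iv = secrets.token_bytes(16)  # fixed 16-byte IV, sent unencrypted
    ks = _keystream(enc_key, iv, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(mac_key, iv + ciphertext, hashlib.sha256).digest()
    return iv, ciphertext, tag

def unseal(master, iv, ciphertext, tag):
    """Check the MAC first; decrypt only if IV and ciphertext are intact."""
    enc_key, mac_key = derive_keys(master)
    expected = hmac.new(mac_key, iv + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("MAC check failed")
    ks = _keystream(enc_key, iv, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))

if __name__ == "__main__":
    master = secrets.token_bytes(32)  # constructed; only this goes into RSA
    iv, ct, tag = seal(master, b"a message longer than one RSA block")
    print(unseal(master, iv, ct, tag))
    bad_iv = bytes([iv[0] ^ 1]) + iv[1:]
    try:
        unseal(master, bad_iv, ct, tag)
    except ValueError as err:
        print("tampered IV rejected:", err)
```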


