Re: newbie Q's about RSA, OAEP

From: Tom St Denis (tomstdenis_at_iahu.ca)
Date: 11/28/03 

Date: Fri, 28 Nov 2003 17:37:56 GMT

"Michael Amling" <nospam@nospam.com> wrote in message
news:tALxb.6146$aw2.2688715@newssrv26.news.prodigy.com...
> Dominic wrote:
> > I've found articles covering the maths behind these algorithms, but is
> > there anything which gives a good introduction to their practical use?
> >
> > Are there recommended minimum/maximum lengths for RSA keys?
>
> 1024-bit modulus is about the minimum these days. You could use 768
> for low-value messages. 16K-bit modulus is the largest I've heard of
> anyone using.

It really depends as you indicated. 1024-bits is a reasonable suggestion.
Though, unless you were dealing with a very slow [or loaded] device I would
just say use 2048-bit RSA keys and not worry about it [worry about the rest
of the sytem instead!].

No sense edging up the key lengths unless you really have to run the wire...

> > Is it safe (not necessarily efficient) to code long messages in RSA by
> > splitting it into blocks and coding each separately (as you would with
> > Rijndael). Are ECB, CBC modes applicable in that case?
>
> Standard procedure is that if the message doesn't fit into a single
> RSA block, you encrypt the message with a block cipher, and encrypt only
> the keys (the block cipher key, the MAC key, maybe the IV if there is
> one) with RSA.
> Maybe someone else can actually answer your question.

Normally you derive a MAC and cipher key from a master key [e.g. use a
hash]. There is no requirement to encode the IV [the MAC will provide
integrity anyways.

> > Is there an accepted scheme for indicating the length of the message?
>
> AFAIK, each protocol has its own way of indicating length.

Normally the MSB is padded with a 1 bit. The length of the message is the
length of the un-exptmoded integer.

Tom

Relevant Pages

  • Re: newbie Qs about RSA, OAEP
    ... > Are there recommended minimum/maximum lengths for RSA keys? ... RSA block, you encrypt the message with a block cipher, and encrypt only ... each protocol has its own way of indicating length. ...
    (sci.crypt)
  • Re: Encryption size
    ... >> You can't really tell if RSA is a block cipher or not. ... the underlying data representation. ... This doesn't hurt RSA, but it ...
    (comp.security.misc)
  • Re: Encryption size
    ... Ertugrul Soeylemez wrote: ... > You can't really tell if RSA is a block cipher or not. ... The only meaningful way to define RSA block size is the size of the modulus, ...
    (comp.security.misc)
  • Re: curve25519 for authentication?
    ... use a MAC whose key has been set up by DH key agreement. ... an ECDL-based signature though, and if you already use static-static DH ... be faster then RSA, and require smaller keys to provide the same level ...
    (sci.crypt)
  • Re: libtomcrypt vs. libgcrypt
    ... A quick search revealed two immediate candidates: ... MACs: HMAC, CMAC, ANSI X9.19 MAC ... To go with the idiot advice that has been posted to you, you might ask zzz to let you know which ones are broken, and to what extent or which needs restricted parameters - eg RC-2 has a key schedule redundancy that speeds brute force searches for keys, RSA is insecure unless you adopt proper padding and RIPEMD-128 is too small for security ...
    (sci.crypt)