> From: [email protected] On Behalf Of Thulasi
> Sent: Tuesday, 17 May, 2011 06:26
> As you are planning to use symmetric encryption for payload,
> encrypted data length will be same as that of payload assuming
> your payload is properly padded.
And if you let EVP do PKCS5 padding, as it does by default
for CBC (and ECB but that's rarely a good mode to use),
ciphertext is up to one block longer than plaintext. For
Blowfish or 3DES (or 1DES!) block is 8 bytes, for AES 16.
If you use a stream mode no padding is needed and ciphertext
is same length as plaintext. OpenSSL provides only OFB and CFB,
which seem to have gone out of fashion although I don't know of
any real problems. CTR is fairly popular, and you can construct
it with a little work, but not as easy as just using EVP_*.
Or you can use a stream *cipher*, but RC4 is fraying some
and no newer one has been widely accepted, so I wouldn't.
(If you do, no IV is needed, at least not with random key.)
The OP (apparently) controls both ends, and hence can choose
any reasonable mode (and cipher) even if not popular.
In either/any case, the encrypted key (and IV) and encrypted data
are all binary. To put them in a URL, you need to encode them;
base64 is provided in OpenSSL and will make everything
just over a third bigger. Percent-encoding is also standard,
and may be provided in WWW client and/or server libraries,
but will usually expand more, worst case 3 times the size.
Or you can invent your own encoding, lots of people do,
but you can't do much better on average than base64.
> On 17 May 2011 14:54, G S <[email protected]> wrote:
<snip>
> 1. Generate a random key and initialization vector
> to encrypt the block of text.
With a random key you don't really need IV to be random,
but people generally do so because it fits the usual structure
better and might provide some 'belt and suspenders' redundancy.
> 2. Encrypt that random key with the RSA public key.
> 3. Encrypt the data payload with the random key and IV,
> using Blowfish or other encryption.
> 4. Send the encrypted data payload, encrypted random key,
> and IV to the server for decryption.
<snip>
> I assume a normal next step is to add the encrypted key, IV, and
> encrypted payload as parameters in the HTTP GET and unravel all this using
> appropriate functions (and the private RSA key) in PHP on the server.
Correct?
Yes. At least on the server; in PHP or otherwise I don't know.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [email protected]
Automated List Manager [email protected]
