Re: max length to encrypt

2010-06-02 Thread Phillip Hellewell 
On Thu, May 27, 2010 at 2:20 PM, Chuck Pareto chuckda...@gmail.com wrote:
 Hi,
 I'm still unsure as to the max length string I can use to encrypt. I'm using
 the rsacrypto class in .net to encrypt.
 I know I can't pass in a string that's 256 bytes long or greater because
 there us an exception that gets thrown. But as I work my way back in length
 I still get exceptions with string lengths smaller than 256.

If it's using PKCS1 padding (most common), then the max length is 11
bytes less than the key size, so 256-11.

But like David said, you shouldn't be using public-key encryption
directly unless you know what you're doing.  The normal approach is to
use symmetric encryption (e.g., AES) to encrypt the data, and PK
encryption for encrypting the symmetric key.

Phillip
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

Re: max length to encrypt

2010-06-02 Thread Chuck Pareto 
Hi Phillip,
I'm not sure what you mean by shouldn't be using public-key encryption,
why?
It seems like .Net sets up a nice class that is easily implemented, all I
need is the key and the exponent and I can encrypt and decrypt when needed.
I don't think I really have a choice about what to use, I recently started
in a group that has a public and private key they are using to encrypt and
then decrypt strings of data. I don't think I can change that. What would be
the advantages of doing what you suggest and using symmetric encryption to
encrypt and PK encryption for encrypting the key? I don't think we have a
symmetric key because we are using RSA with a public and private key.If you
think your approach is better please let me know and I will discuss it with
my group and see if we can make a change.

I think we are using PKCS1 because the max length is 256 - 11

On Wed, Jun 2, 2010 at 5:15 AM, Phillip Hellewell ssh...@gmail.com wrote:

 On Thu, May 27, 2010 at 2:20 PM, Chuck Pareto chuckda...@gmail.com
 wrote:
  Hi,
  I'm still unsure as to the max length string I can use to encrypt. I'm
 using
  the rsacrypto class in .net to encrypt.
  I know I can't pass in a string that's 256 bytes long or greater because
  there us an exception that gets thrown. But as I work my way back in
 length
  I still get exceptions with string lengths smaller than 256.

 If it's using PKCS1 padding (most common), then the max length is 11
 bytes less than the key size, so 256-11.

 But like David said, you shouldn't be using public-key encryption
 directly unless you know what you're doing.  The normal approach is to
 use symmetric encryption (e.g., AES) to encrypt the data, and PK
 encryption for encrypting the symmetric key.

 Phillip
 __
 OpenSSL Project http://www.openssl.org
 User Support Mailing Listopenssl-users@openssl.org
 Automated List Manager   majord...@openssl.org

RE: max length to encrypt

2010-06-02 Thread David Schwartz 

Chuck Pareto wrote:


 I'm not sure what you mean by shouldn't be using public-key
 encryption, why?

Because you don't understand its properties, so there's no way you can know
whether or not it meets your security requirements.

 It seems like .Net sets up a nice class that is easily
 implemented, all I need is the key and the exponent and I can
 encrypt and decrypt when needed.

Right, except you don't get any security.

 I don't think I really have a choice about what to use, I recently
 started in a group that has a public and private key they are using
 to encrypt and then decrypt strings of data.

Which is fine if, for example, those strings of data are randomly-chosen
keys for a symmetric cipher. It is, however, not fine if those strings are
messages.

 I don't think I can change that. What would be the advantages of doing
 what you suggest and using symmetric encryption to encrypt and PK
 encryption for encrypting the key?

The advantage would be that if you have reasonable security objectives,
there's a good chance the algorithm would meet them. Numerous attacks
against RSA are known -- RSA is just an algorithm, it is not a scheme -- and
you need a well-designed cryptographic scheme to meet actual security
requirements.

http://crypto.stanford.edu/~dabo/abstracts/RSAattack-survey.html


 I don't think we have a symmetric key because we are using RSA with
 a public and private key.

That's a non-sequiter. The public and private key could be being used to
encipher and decipher the symmetric key. This is the normal approach.

 If you think your approach is better please let me know and I will
 discuss it with my group and see if we can make a change.

If your group includes a security expert, this kind of stuff would already
be done. If it doesn't, the likelihood of this making things any better
isn't really all that great.

DS

__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

RE: max length to encrypt: direct RSA

2010-05-28 Thread Dave Thompson 
 From: owner-openssl-us...@openssl.org On Behalf Of Chuck Pareto
 Sent: Thursday, 27 May, 2010 16:20

 I'm still unsure as to the max length string I can use to 
 encrypt. I'm  
 using the rsacrypto class in .net to encrypt.
 I know I can't pass in a string that's 256 bytes long or greater  
 because there us an exception that gets thrown. But as I work my way  
 back in length I still get exceptions with string lengths 
 smaller than  
 256.
 
 On May 26, 2010, at 4:56 PM, David Schwartz dav...@webmaster.com  
 wrote:
 
 
  Chuck Pareto wrote:
 
  if my public key is 256 bytes long, what is the max length
  of the string I can use to encrypt? Is it 256?
 
snip

As I said in a previous message:
Note: directly encrypting data (strings or other) with RSA is limited 
to somewhat less than the key size (more exactly, the modulus size).
For a typical 1024-bit modulus this is about 100 bytes or maybe less.

Expanding on this:
The exact amount subtracted from the raw key size depends on the overhead 
or 'padding' added by the encryption scheme. The two common schemes for 
RSA encryption are PKCS1 and OAEP (this terminology is historical and 
now inaccurate, because PKCS1 version 2 actually includes OAEP too,
but that's what everyone understands; pedants say PKCS1v1.5). If you 
don't specify otherwise, you're likely using PKCS1, which is/was the 
historical 'least common denominator', and takes 11 bytes*.

As I and David Schwartz noted, directly encrypting data with RSA (and 
decrypting) is not usual practice, because most people have found 
that these random-looking limits on data size are unacceptable.
I have no idea what your programming experience is, but in 30+ years 
I have found that whenever people promise solemnly on a stack of Bibles 
we will never need more than X data, they ALMOST ALWAYS DO.

* Technically octets because technically bytes aren't always 8 bits, 
but for most people and all mainstream app systems today they are.
Definitely for any Windows, and I presume other dotnet i.e. mono.



__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

Re: max length to encrypt

2010-05-27 Thread Chuck Pareto 

Hi,
I'm still unsure as to the max length string I can use to encrypt. I'm  
using the rsacrypto class in .net to encrypt.
I know I can't pass in a string that's 256 bytes long or greater  
because there us an exception that gets thrown. But as I work my way  
back in length I still get exceptions with string lengths smaller than  
256.


On May 26, 2010, at 4:56 PM, David Schwartz dav...@webmaster.com  
wrote:




Chuck Pareto wrote:


if my public key is 256 bytes long, what is the max length
of the string I can use to encrypt? Is it 256?


If the output is exactly 256 bytes, there are (in theory) 2^(256*8)  
possible
outputs. That means there can be at most 2^(256*8) possible inputs.   
There
are more than 2^(256*8) possible input strings of 256 bytes or less  
(since
there are that many strings just of exactly 256 bytes). So there's  
no way it

can possibly take all input strings of 256 bytes or less.

In any event, unless you know exactly what you are doing, you should  
not be
using PK algorithms directly. There are *way* too many gotchas. Use  
a system

that includes the PK algorithm you.

DS

__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

max length to encrypt

2010-05-26 Thread Chuck Pareto 
if my public key is 256 bytes long, what is the max length of the string I
can use to encrypt? Is it 256?

RE: max length to encrypt

2010-05-26 Thread David Schwartz 

Chuck Pareto wrote:

 if my public key is 256 bytes long, what is the max length
 of the string I can use to encrypt? Is it 256?

If the output is exactly 256 bytes, there are (in theory) 2^(256*8) possible
outputs. That means there can be at most 2^(256*8) possible inputs.  There
are more than 2^(256*8) possible input strings of 256 bytes or less (since
there are that many strings just of exactly 256 bytes). So there's no way it
can possibly take all input strings of 256 bytes or less.

In any event, unless you know exactly what you are doing, you should not be
using PK algorithms directly. There are *way* too many gotchas. Use a system
that includes the PK algorithm you.

DS

__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org