For an-bit RSA key, direct encryption (withPKCS#1"old-style" padding) works for arbitrary binary messages up tofloor(n/8)-11bytes. In other words, for a 1024-bit RSA key (128 bytes), up to 117 bytes. With OAEP (the PKCS#1 "new-style" padding), this is a bit less: OAEP use a hash function with output lengthhbits; this implies a size limit offloor(n/8)-2*ceil(h/8)-2: still for a 1024-bit RSA key, with SHA-256 as hash function (h = 256), this means binary messages up to 60 bytes.
There is no problem in encrypting a RSA key with another RSA key (there is no problem in encryptinganysequence of bytes with RSA, whatever those bytes represent), but, of course, the "outer" RSA key will have to be bigger: with old-style padding, to encrypt a 256-byte message, you will need a RSA key with a modulus of at least 2136 bits.
Hybrid modes (you encrypt a random symmetric key with RSA, and then use that key for symmetric encryption) are nonetheless recommended as a general case, if only because they do not have any practical size limits, and also because they make it easier to replace the RSA part with another key exchange algorithm (e.g. Diffie-Hellman).
扫一扫
2万+
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
