How can I create a key using RSA/ECB/PKCS1Padding in python?

Question

I am struggling to find any method of using RSA in ECB mode with PKCS1 padding in python. I've looked into pyCrypto, but they don't have PKCS1 padding in the master branch (but do in a patch). Nevertheless I found RSA with PKCS1 in the M2Crypto package, but I'm not sure if I can choose ECB mode...

Answer 1

Chaining mode such as ECB makes no sense for RSA, unless you are doing it wrong.

ECB is for block ciphers: the input data is split into equal-size blocks, and each block is encrypted separately. This induces some weaknesses so ECB mode is best avoided for block ciphers.

RSA is not a block cipher. In particular, RSA necessarily enlarges the encrypted message: with a 1024-bit RSA key (a fairly typical size), one can encrypt a message up to 117 bytes, but the result is a 128-byte value.

One could imagine taking a larger message, split it into individual blocks of length 117 bytes (or less) and RSA-encrypt each of them individually, but nobody ever does that, mostly because of the size increase, and the CPU cost. Also, security issues related to that splitting and recombining are not studied at all, so it is quite possible that the result would be quite weak. Usually, when a cryptographic library requires a padding mode as part of an algorithm name, such as in "RSA/ECB/PKCS1Padding", this is only due to the syntaxic constraints on the name, and the chaining part (ECB) is actually ignored (this is what Java does, for instance).

In practice, when encrypting some data which may be larger than the maximum RSA input size, hybrid encryption is used: what is RSA-encrypted is a random symmetric key (e.g. a bunch of 16 uniformly random bytes), and that key is used to symmetrically encrypt (e.g. with AES) the actual data. This is more space-effective (because symmetric encryption does not enlarge blocks) and CPU-efficient (symmetric encryption is vastly faster than asymmetric encryption, and in particular RSA decryption).