
What is the limit to the amount of data that can be encrypted with RSA?

Typically it is recommended that RSA be used to encrypt a symmetric key, which is then used to encrypt the "payload".

What is the practical (or theoretical) limit to the amount of data that can be encrypted with RSA (I'm using a 2048-bit RSA key size)?

In particular, I'm wondering if it is safe to encrypt an RSA public key (256 bytes) with a (different) RSA public key? I'm using the Bouncy Castle crypto libraries in Java.

sanity asked Apr 07 '11 15:04




1 Answer

For an n-bit RSA key, direct encryption (with PKCS#1 "old-style" padding) works for arbitrary binary messages up to floor(n/8)-11 bytes. In other words, for a 1024-bit RSA key (128 bytes), up to 117 bytes. With OAEP (the PKCS#1 "new-style" padding), this is a bit less: OAEP uses a hash function with output length h bits; this implies a size limit of floor(n/8)-2*ceil(h/8)-2: still for a 1024-bit RSA key, with SHA-256 as hash function (h = 256), this means binary messages up to 60 bytes.

There is no problem in encrypting an RSA key with another RSA key (there is no problem in encrypting any sequence of bytes with RSA, whatever those bytes represent), but, of course, the "outer" RSA key will have to be bigger: with old-style padding, to encrypt a 256-byte message, you will need an RSA key with a modulus of at least 2136 bits.

Hybrid modes (you encrypt data with a random symmetric key and encrypt that symmetric key with RSA) are nonetheless recommended as a general case, if only because they do not have any practical size limits, and also because they make it easier to replace the RSA part with another key exchange algorithm (e.g. Diffie-Hellman).

Thomas Pornin answered Sep 22 '22 09:09
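The situation from the question, as an added example that is not part of the original question or answer: an encoded RSA public key is too long to encrypt directly under a 2048-bit outer key, so it is sent in hybrid mode instead. The code uses the JDK's standard `javax.crypto` API with the default provider rather than Bouncy Castle's own classes; the class name `HybridRsaDemo`, the choice of AES-256-GCM and the explicit SHA-256 OAEP parameters are assumptions made for the illustration.

```java
import java.security.*;
import java.security.spec.MGF1ParameterSpec;
import java.util.Arrays;
import javax.crypto.*;
import javax.crypto.spec.*;

public class HybridRsaDemo {
    // OAEP with SHA-256 for both the hash and MGF1, set explicitly (assumed choice).
    static final OAEPParameterSpec OAEP = new OAEPParameterSpec(
            "SHA-256", "MGF1", MGF1ParameterSpec.SHA256, PSource.PSpecified.DEFAULT);
    // A fresh Cipher per operation, so a failed doFinal cannot leave stale state behind.
    static Cipher rsa(int mode, Key key) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance("RSA/ECB/OAEPPadding");
        c.init(mode, key, OAEP);
        return c;
    }
    static Cipher aesGcm(int mode, SecretKey key, byte[] iv) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(mode, key, new GCMParameterSpec(128, iv));
        return c;
    }
    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair outer = kpg.generateKeyPair();
        byte[] payload = kpg.generateKeyPair().getPublic().getEncoded(); // inner public key (DER)
        int n = 2048, h = 256; // size limits from the answer's two formulas
        System.out.printf("payload=%d bytes, v1.5 max=%d, OAEP max=%d%n",
                payload.length, n / 8 - 11, n / 8 - 2 * ((h + 7) / 8) - 2);
        try {
            rsa(Cipher.ENCRYPT_MODE, outer.getPublic()).doFinal(payload);
            throw new AssertionError("direct RSA encryption should have been rejected");
        } catch (IllegalBlockSizeException e) {
            System.out.println("direct RSA rejected: " + e.getMessage());
        }
        // Hybrid: a one-time AES-256-GCM key encrypts the payload; RSA encrypts only that key.
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey dek = kg.generateKey();
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv);
        byte[] body = aesGcm(Cipher.ENCRYPT_MODE, dek, iv).doFinal(payload);
        byte[] wrapped = rsa(Cipher.ENCRYPT_MODE, outer.getPublic()).doFinal(dek.getEncoded());
        // Recipient: recover the AES key with the outer private key, then open the payload.
        SecretKey dek2 = new SecretKeySpec(
                rsa(Cipher.DECRYPT_MODE, outer.getPrivate()).doFinal(wrapped), "AES");
        byte[] plain = aesGcm(Cipher.DECRYPT_MODE, dek2, iv).doFinal(body);
        System.out.println("round trip ok: " + Arrays.equals(payload, plain));
    }
}
```

The recipient needs `wrapped`, `iv` and `body`; the IV is not secret, but it must never be reused with the same AES key.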