[Botan-devel] Quick Tutorial Question

Rachel Blackman seattlesparks at mac.com
Wed Oct 5 14:09:54 EDT 2005


>> At first, I thought just using PK_Encryptor/PK_Decryptor and the
>> encrypt() or decrypt() functions as in the tutorials was the way to go.
>> I'm thinking now that pipe might be better since I realized I don't
>> necessarily have a guarantee that the block I get will be the
>> appropriate size for an encryption session.
>
> Be careful about length issues here - a public key is only going to be able to
> encrypt inputs smaller than a certain size. For example, RSA with OAEP/SHA-1
> has 41 bytes of overhead, so you can only encrypt about (bitsize/8)-41 bytes at
> a time (so 86 or 87 bytes for a 1024 bit modulus). If you might end up needing
> to encrypt longer inputs, you should probably look into using AES for the
> actual encryption with an asymmetric key used for transporting the key. You're
> really not supposed to encrypt data with RSA like this at all, but as long as
> you're using a good padding method and can tolerate the short length it's
> reasonably safe.

Yeah, I know.  To explain further, this isn't -- precisely -- a session 
thing.  It's more like rapid-fire PGP messages; sending a number of 
small, separate chunks of data encrypted with a known public key to the 
holder of the private key.

I suppose for the sake of standardization and future extensibility, I 
should be using AES -- it was what I was originally looking at doing -- 
but there weren't any good cross-platform solutions that didn't either 
have huuuuuuuge price tags attached, or require me to reinvent the 
wheel.  (And occasionally required me to invent stoneworking tools, 
fire, or even evolve sight first before I could even get /around/ to 
re-inventing the wheel.)

And since these are small rapid-fire one-way messages, not a two-way 
stream, using RSA or ElGamal seems a 'sufficient' solution, even if not 
an ideal one.

> As a side note, I really need to write some high level encryption filters so
> people don't have to keep reinventing the wheel for this. :/

...see above. :)

> No, I don't think you are missing anything obvious, at least it doesn't sound
> like it. Here is something I just threw together

Yeah, it was just VC++ being wonky.  I took my code over to my Mac, 
compiled under gcc, worked fine.  Went back and beat on VC7 until it 
coughed up a hairball and stopped doing that nasty stdafx stuff with 
the include files. :P
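
Added example, not part of the original thread and not Botan code: a sketch of the EME-OAEP encoding step from RFC 8017 that shows where the per-block size limit discussed above comes from. By the RFC's formula (k - 2*hLen - 2) a 1024-bit modulus with SHA-1 holds 86 bytes. The function names are hypothetical, and only the padding is shown; the RSA operation itself is left to the library.

```python
import hashlib
import os


def _hlen(hash_name):
    return hashlib.new(hash_name).digest_size


def mgf1(seed, length, hash_name="sha1"):
    """MGF1 mask generation (RFC 8017, B.2.1)."""
    out = b""
    for counter in range((length + _hlen(hash_name) - 1) // _hlen(hash_name)):
        out += hashlib.new(hash_name, seed + counter.to_bytes(4, "big")).digest()
    return out[:length]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def oaep_max_message_len(modulus_bits, hash_name="sha1"):
    """Largest plaintext, in bytes, that fits one RSA-OAEP block."""
    return (modulus_bits + 7) // 8 - 2 * _hlen(hash_name) - 2


def oaep_encode(message, modulus_bits, hash_name="sha1", label=b""):
    """EME-OAEP encoding only; the RSA operation is left to the library."""
    k, h = (modulus_bits + 7) // 8, _hlen(hash_name)
    if len(message) > k - 2 * h - 2:
        raise ValueError("message too long for one RSA-OAEP block")
    # DB = lHash || zero padding || 0x01 || message, always k - h - 1 bytes
    db = hashlib.new(hash_name, label).digest()
    db += b"\x00" * (k - 2 * h - 2 - len(message)) + b"\x01" + message
    seed = os.urandom(h)  # fresh random seed per message
    masked_db = _xor(db, mgf1(seed, len(db), hash_name))
    masked_seed = _xor(seed, mgf1(masked_db, h, hash_name))
    return b"\x00" + masked_seed + masked_db  # exactly k bytes


def oaep_decode(em, hash_name="sha1", label=b""):
    """Inverse of oaep_encode (not constant time; illustration only)."""
    h = _hlen(hash_name)
    masked_seed, masked_db = em[1:1 + h], em[1 + h:]
    seed = _xor(masked_seed, mgf1(masked_db, h, hash_name))
    db = _xor(masked_db, mgf1(seed, len(masked_db), hash_name))
    body = db[h:].lstrip(b"\x00")  # skip zero padding up to the 0x01 marker
    l_hash = hashlib.new(hash_name, label).digest()
    if em[0] != 0 or db[:h] != l_hash or body[:1] != b"\x01":
        raise ValueError("decoding error")
    return body[1:]
```

A chunk that exceeds `oaep_max_message_len()` for the key in use is the case where the AES-plus-key-transport design mentioned in the quoted reply applies.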



