MultiPrime

encrypt is usually 8, 16, or (for BER-encoded digests) 34 or 35. If you want to encrypt and decrypt more than k – 11 bytes, use raw RSA encryption and decryption.

Note: In general, there should be no need for raw RSA encryption or decryption. For most applications, if you have a longer message, it is faster and simpler to encrypt the message with a symmetric algorithm and then use the RSA algorithm to encrypt the key. (See “Digital Envelopes” on page 55.)

If you do use raw RSA encryption and decryption, your application must be responsible for adding and removing the necessary padding. We do not recommend using raw RSA encryption and decryption, unless you are familiar with the issues involved.

To encrypt more bytes than the PKCS AIs allow, use AI_RSAPublic for encryption and and AI_RSAPrivate for decryption. Note that this is different from the recommended use for these AIs, as described in the Reference Manual. There are two important constraints to consider when using these AIs:

The total length of the data must be a multiple of the modulus size.

If your data’s length is not a multiple of the modulus size, your application must do the padding. When decrypting with raw RSA encryption and decryption, Crypto-C will not strip the padding; the application must do that.

The data must be numerically less than the modulus.

To do this, divide your data into blocks that are one byte smaller than the modulus. Prepend one byte of 0 to each block. If the leading byte of the data is 0, your data will meet this second constraint.

For example, suppose you wanted to encrypt 100 bytes with the RSA algorithm using a 512-bit modulus. You break the data into two blocks, the first one 63 bytes, the second 37. Next, prepend a 0 byte to the first block and it is now 64 bytes (512 bits). Then, prepend a 0 byte and append 26 pad bytes to the second block and it, too is now 64 bytes. Finally, call B_EncryptUpdate for each of the two blocks, then B_EncryptFinal. This will produce 128 bytes of encrypted data.

When decrypting, first call B_DecryptUpdate once for all 128 bytes; then

B_DecryptFinal. The application will have to then strip the prepended zeroes and the padding. You could also break the encrypted data into 64-byte blocks and call B_DecryptUpdate for each block and strip the padding then.

Some padding procedures are recommended; others are discouraged. For a description of one particular trusted padding system, see PKCS V1 [1].

2 3 2

R S A B S A F E C r y p t o - C D e v e l o p e r ’s G u i d e

Page 254
Image 254
RSA Security 5.2.2 manual MultiPrime