RSA Security 5.2.2 manual Digital Envelopes, Optimal Asymmetric Encryption Padding Oaep

Cryptography Overview

However, for very large numbers, factoring is very difficult. The RSA Laboratories publication, Frequently Asked Questions About Today’s Cryptography (the FAQ), describes the state of the art in factoring. Factoring numbers takes a certain number of steps, and the number of steps increases exponentially as the size of the number increases. Even on supercomputers, the time to execute all the steps is so great that for large numbers it could take years to compute. Within a short period of time, the current threshold of general numbers that can be factored will probably rise to 155 digits, approximately the size of a 512-bit RSA modulus. Currently, the limit to the size of an RSA modulus in Crypto-C is 2048 bits.

Digital Envelopes

A digital envelope is a way of combining the advantages of symmetric-key and public- key cryptography. In general, public-key algorithms are slower than symmetric-key ciphers, and for some applications may be too slow to be of practical use, while for symmetric-key ciphers, there is the problem of transmitting the key. A digital envelope provides a solution to this dilemma. The sender encrypts the message using a symmetric-key encryption algorithm, then encrypts the symmetric key using the recipient’s public key. The recipient then decrypts the symmetric key using the appropriate private key and decrypts the message with the symmetric key. In this way, a fast encryption method processes large amounts of data, yet secret information is never transmitted unencrypted.

Optimal Asymmetric Encryption Padding (OAEP)

Optimal Asymmetric Encryption Padding (OAEP) is a general class of methods for constructing digital envelopes from public-key encryption algorithms. OAEP methods have been proposed for the RSA algorithm. OAEP thwarts the Bleichenbacher attack on PKCS #1 digital envelopes.

Recent research by cryptographer Daniel Bleichenbacher of Bell Labs, the research and development arm of Lucent Technologies, indicates that the combination of PKCS #1 and SSL is potentially vulnerable to a class of attacks known as Adaptive Chosen Ciphertext Attacks. Such a potential attack relies on sending a million carefully constructed messages to a target server and observing the variations in the server’s response. The potential attack is detectable by network administrators because of the large number of needed messages. The threat is only against digital envelopes; it does not affect digital signatures.

OAEP is a pre-processing step that is applied to data before it is encrypted and after it is decrypted. OAEP prevents a wide range of attacks on the envelope format and ensures that the attacker must break the underlying cryptographic algorithm in order