Diffstat (limited to 'pipermail/pycrypto/attachments/20120420/0447be4b/attachment-0001.html')
-rw-r--r-- | pipermail/pycrypto/attachments/20120420/0447be4b/attachment-0001.html | 50 |
1 files changed, 50 insertions, 0 deletions
diff --git a/pipermail/pycrypto/attachments/20120420/0447be4b/attachment-0001.html b/pipermail/pycrypto/attachments/20120420/0447be4b/attachment-0001.html new file mode 100644 index 0000000..51e2ca3 --- /dev/null +++ b/pipermail/pycrypto/attachments/20120420/0447be4b/attachment-0001.html 
@@ -0,0 +1,50 @@ +<tt> +Hello Legrandin & Others.<br><br>I'm currently trying to implement the following :<br><br>The "proper" way to do encryption would be to create a random AES<br><br> +session key (16 bytes), encrypt it with RSA (hopefully at least 2048<br><br> +bit long), send it, pad the data, encrypt it with AES, send it.<br><br>Ok So .. <br> - Create A Random AES 16 Bytes ( I'm assuming this will be the "secret")<br>- Pad The Payload <br>- Encrypt Using AES<br><br> +- Encrypt The Secret + Payload With the RSA Key<br>- Make A Signature Of The Entire "Encrypted Payload"<br>- Append it to the "Encrypted Payload"<br>Send it ....<br><br>Recv it ..<br>Make the reverse process.<br><br> + <br>One thing i can't use the Normal SSL/TLS type of "session key" since there is no state across requests or during the handshake.<br>Meaning "one worker can receive the request but another one can answer it and there is no shared memory between the two."<br><br> +<br><div class="gmail_quote">2012/4/12 Antonio Teixeira <span dir="ltr"><<a href="mailto:eagle.antonio@gmail.com">eagle.antonio@gmail.com</a>></span><br><blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><br> +<span>Legrandin thank you for your help.<br>When i have time i will put something on pastebin so it can serve as example for future members that require this type of solution :)<br><br>Regards<span class="HOEnZb"><font color="#888888"><br><br> +A/T<br></font></span></span><div class="HOEnZb"><div class="h5"><br><br> +<div class="gmail_quote">2012/4/11 Legrandin <span dir="ltr"><<a href="mailto:gooksankoo@hoiptorrow.mailexpire.com" target="_blank">gooksankoo@hoiptorrow.mailexpire.com</a>></span><br><blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><br> +<br> +<div>> So after a small search i found out that if i increase the RSA Modulus i'm<br><br> +> able to encrypt larger 
number of bits ( makes sense ) but this feels dirty.<br><br> +><br><br> +> What do your guys recommend ?<br><br> +><br><br> +> Breaking the data in chunks and encrypting part by part joining it all in a<br><br> +> buffer and send it down the socket all in one with the other server<br><br> +> decrypting part by part and merging the data again ?<br><br> +><br><br> +> P.S - I dont mind fishing by myself just trying to understand the best "way<br><br> +> / more correct way " to do it :)<br><br> +<br><br> +</div>Hi Antonio,<br><br> +<br><br> +Increasing the RSA key length is not "dirty": it simply increases<br><br> +security (and incidentally useful payload size) at the expense of<br><br> +decryption speed.<br><br> +If decryption speed is not that important to you, and you have a clear<br><br> +idea on how long you data can be at most, go ahead and increase the<br><br> +key size. The time you gain by taking this approach can be spent on<br><br> +important tasks like making the private key secure, or adding some<br><br> +form of authentication to your protocol.<br><br> +<br><br> +The "proper" way to do encryption would be to create a random AES<br><br> +session key (16 bytes), encrypt it with RSA (hopefully at least 2048<br><br> +bit long), send it, pad the data, encrypt it with AES, send it.<br><br> +Additionally, you should also sign the data and send the signature<br><br> +along.<br><br> +<br><br> +At the receiving end, you decrypt the session key with RSA, decrypt<br><br> +the data with AES, unpad the data, and verify its signature.<br><br> +_______________________________________________<br><br> +pycrypto mailing list<br><br> +<a href="mailto:pycrypto@lists.dlitz.net" target="_blank">pycrypto@lists.dlitz.net</a><br><br> +<a href="http://lists.dlitz.net/cgi-bin/mailman/listinfo/pycrypto" target="_blank">http://lists.dlitz.net/cgi-bin/mailman/listinfo/pycrypto</a><br><br> +</blockquote></div><br><br> +</div></div></blockquote></div><br><br> + +</tt> |
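Review bot: the added attachment-0001.html commits the participants' personal e-mail addresses as live mailto: links (the two anchors in the gmail_quote header lines for 2012/4/12 and 2012/4/11), which makes them trivially harvestable from a public archive; consider obscuring or dropping those addresses before the file is archived, and keep only the list address in the footer. The file is also a bare tt fragment with no doctype or charset declaration, so a browser has to guess the encoding when it is served on its own; adding a charset declaration, or serving it with an explicit Content-Type, would avoid that.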