1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
|
<tt>
<span class="gD">Legrandin thank you for your help.<br>When i have time i will put something on pastebin so it can serve as example for future members that require this type of solution :)<br><br>Regards<br>A/T<br></span><br><br>
<div class="gmail_quote">2012/4/11 Legrandin <span dir="ltr"><<a href="mailto:gooksankoo@hoiptorrow.mailexpire.com">gooksankoo@hoiptorrow.mailexpire.com</a>></span><br><blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><br>
<div class="im">> So after a small search i found out that if i increase the RSA Modulus i'm<br><br>
> able to encrypt larger number of bits ( makes sense ) but this feels dirty.<br><br>
><br><br>
> What do your guys recommend ?<br><br>
><br><br>
> Breaking the data in chunks and encrypting part by part joining it all in a<br><br>
> buffer and send it down the socket all in one with the other server<br><br>
> decrypting part by part and merging the data again ?<br><br>
><br><br>
> P.S - I dont mind fishing by myself just trying to understand the best "way<br><br>
> / more correct way " to do it :)<br><br>
<br><br>
</div>Hi Antonio,<br><br>
<br><br>
Increasing the RSA key length is not "dirty": it simply increases<br><br>
security (and incidentally useful payload size) at the expense of<br><br>
decryption speed.<br><br>
If decryption speed is not that important to you, and you have a clear<br><br>
idea on how long you data can be at most, go ahead and increase the<br><br>
key size. The time you gain by taking this approach can be spent on<br><br>
important tasks like making the private key secure, or adding some<br><br>
form of authentication to your protocol.<br><br>
<br><br>
The "proper" way to do encryption would be to create a random AES<br><br>
session key (16 bytes), encrypt it with RSA (hopefully at least 2048<br><br>
bit long), send it, pad the data, encrypt it with AES, send it.<br><br>
Additionally, you should also sign the data and send the signature<br><br>
along.<br><br>
<br><br>
At the receiving end, you decrypt the session key with RSA, decrypt<br><br>
the data with AES, unpad the data, and verify its signature.<br><br>
_______________________________________________<br><br>
pycrypto mailing list<br><br>
<a href="mailto:pycrypto@lists.dlitz.net">pycrypto@lists.dlitz.net</a><br><br>
<a href="http://lists.dlitz.net/cgi-bin/mailman/listinfo/pycrypto" target="_blank">http://lists.dlitz.net/cgi-bin/mailman/listinfo/pycrypto</a><br><br>
</blockquote></div><br><br>
</tt>
|