Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Encrypt 320 bytes with 2048-bit key throws "Message is too long for PKCS#1 v1.5 padding." #108

Open
moshest opened this issue Mar 17, 2014 · 3 comments
Open

Encrypt 320 bytes with 2048-bit key throws "Message is too long for PKCS#1 v1.5 padding." #108

moshest opened this issue Mar 17, 2014 · 3 comments

Comments

@moshest
Copy link

moshest commented Mar 17, 2014

My code is as follow:

var pair = forge.pki.rsa.generateKeyPair(2048);
pair.publicKey.encrypt('<<<--- 320 bytes string --->>>');

The error: Message is too long for PKCS#1 v1.5 padding.
(rsa.js, line: 1382)

Am I doing something wrong?
Why the limit is so much tied?
@dlongley
Copy link
Member

Am I doing something wrong?
Why the limit is so much tied?

Yes, due to the mathematics (and padding) behind RSA encryption, you can only encrypt very small values.

In order to use RSA encryption with larger values, typically you generate a symmetric key for use with another algorithm, such as AES. Then you encrypt the data using the AES symmetric key (there is no limitation on size using a symmetric encryption algorithm) and then you RSA-encrypt just the symmetric key and transmit that. AES keys are 16-32 bytes in size so they can easily fit within the RSA-encryption limitations.

Then the recipient decrypts the symmetric key using their private RSA key and then they decrypt the encrypted data using the decrypted symmetric key.

RSA encryption is also much slower than AES encryption, so this yields better performance anyway.
@fxa
Copy link
Contributor

fxa commented Mar 17, 2014

To be more preciese, rfc 2321 https://www.ietf.org/rfc/rfc2313.txt
enforces, that "The length of the data D shall not be more than k-11 octets",
where k is the length of the modulus in (I don't know, why they say octets,
when they mean bytes).
So for a 2048 bit key the maximum length is 256 – 11 = 245 bytes.

That is the reason, why pkcs#7 was invented.
This is a container with

  • the encrypted document
  • the (e.g. aes-) initialization vector
  • recipient infos including the encrypted (aes-) document key per recipient

Von: Dave Longley [mailto:notifications@github.com]
Gesendet: Montag, 17. März 2014 05:49
An: digitalbazaar/forge
Betreff: Re: [forge] Encrypt 320 bytes with 2048-bit key throws "Message is too long for PKCS#1 v1.5 padding." (#108)

Am I doing something wrong?
Why the limit is so much tied?
Yes, due to the mathematics (and padding) behind RSA encryption, you can only encrypt very small values.
In order to use RSA encryption, typically you generate a symmetric key for use with another algorithm, such as AES. Then you encrypt the data using the AES key (there is no limitation on size using a symmetric encryption algorithm) and then you RSA-encrypt just the key and transmit that. AES keys are 16-32 bytes in size so they can easily fit within the RSA-encryption limitations.
Then the recipient decrypts the symmetric key using their private RSA key and then they decrypt the encrypted data using the decrypted symmetric key.

Reply to this email directly or view it on GitHub.
@moshest
Copy link
Author

moshest commented Mar 17, 2014

Thank you.
I didn't know that.

We should add a note about it on the docs. It's could be helpful.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
3 participants
@dlongley @moshest @fxa