01-16-2023, 14:53
foosaa
If anyone wants to know how it works with sample code, try this page.

The source is in JavaScript (obviously! :-D ) and can be viewed by inspecting the page.

I'm pretty sure the same implementation can be converted to any language that supports any cryptographic library as they are published standards.

But there are some caveats to consider (this is based on my experience).

Using an RSA private key for encryption has its limitations. For example, the message cannot be longer than a certain number of characters based on the bit size.

That is, if the RSA key is 1024 bits, which is 128 bytes (assuming 8 bits per byte), then the message that could be encrypted cannot exceed 86 bytes. That is because of the OAEP padding. It is like 1024 / 8 = 128, 128 - 42 = 86 bytes.

Similarly, for a 2048-bit key, it will be 2048 / 8 = 256, 256 - 42 = 214 bytes. This could be used for encrypting session keys up to so many bytes. If it needs to be used for encrypting anything other than session keys, then the plain text cannot exceed the above-mentioned number of bytes.

So, the proper method would be to create a session key using some data and feeding it to a PBKDF2 kind of function, get the output, use it for encryption, then encrypt the key using the public or private key and send it along with the cipher text if the target plain text is more than the above limits. If it is not, then it could be used to encrypt the plain text directly. But it will lead to other issues. If there are multiple samples of such encrypted texts using the same RSA key, it could be used to deduce the keys without much of an effort if the encrypted text could be decrypted.

That means, if there are enough samples of different (smaller) plain texts encrypted using the same private key and if the public key is available with the attacker, he could correlate the encrypted text and the plain text and can create the private key himself. But that's reserved for another post and time.

Thanks for reading this and please excuse any typos.
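The size limit and the session-key approach described in the post above, as an added example that is not part of the original post or of the page it links to. It assumes Node.js and its built-in `crypto` module, encrypts with the RSA public key under OAEP with SHA-1 (which is where the 42-byte overhead comes from), and uses AES-256-GCM for the data; all function names and the sample text are constructed for illustration.

```javascript
const nodeCrypto = require('crypto');

// Largest plaintext RSA-OAEP accepts: k - 2*hLen - 2, where k is the modulus
// size in bytes and hLen the hash size. With SHA-1 (hLen = 20) the overhead is 42.
function oaepMaxBytes(modulusBits, hashBytes = 20) {
  return modulusBits / 8 - 2 * hashBytes - 2;
}

const OAEP = { padding: nodeCrypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha1' };

// True if a message of `len` bytes can be RSA-encrypted directly under `publicKey`.
function fitsDirect(publicKey, len) {
  try {
    nodeCrypto.publicEncrypt({ key: publicKey, ...OAEP }, Buffer.alloc(len, 0x41));
    return true;
  } catch (err) {
    return false; // the library rejects data that is too large for the key size
  }
}

// Hybrid scheme: derive a session key with PBKDF2 from fresh random data,
// encrypt the payload with AES-256-GCM, then wrap only the 32-byte key with RSA.
function hybridEncrypt(publicKey, plaintext) {
  const seed = nodeCrypto.randomBytes(32);
  const salt = nodeCrypto.randomBytes(16);
  const sessionKey = nodeCrypto.pbkdf2Sync(seed, salt, 100000, 32, 'sha256');
  const iv = nodeCrypto.randomBytes(12);
  const aes = nodeCrypto.createCipheriv('aes-256-gcm', sessionKey, iv);
  const ciphertext = Buffer.concat([aes.update(plaintext), aes.final()]);
  const wrappedKey = nodeCrypto.publicEncrypt({ key: publicKey, ...OAEP }, sessionKey);
  return { wrappedKey, iv, ciphertext, tag: aes.getAuthTag() };
}

function hybridDecrypt(privateKey, msg) {
  const sessionKey = nodeCrypto.privateDecrypt({ key: privateKey, ...OAEP }, msg.wrappedKey);
  const aes = nodeCrypto.createDecipheriv('aes-256-gcm', sessionKey, msg.iv);
  aes.setAuthTag(msg.tag); // final() throws if the ciphertext was modified
  return Buffer.concat([aes.update(msg.ciphertext), aes.final()]);
}

// Constructed sample input: 960 bytes, far above the direct-encryption limit.
const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const longText = Buffer.from('constructed sample text '.repeat(40));
console.log('limit for 2048-bit key:', oaepMaxBytes(2048));
console.log('214 bytes fits:', fitsDirect(publicKey, 214), '| 215 bytes fits:', fitsDirect(publicKey, 215));
const sealed = hybridEncrypt(publicKey, longText);
console.log('hybrid round trip ok:', hybridDecrypt(privateKey, sealed).equals(longText));
```

With SHA-256 as the OAEP hash the overhead is 66 bytes instead of 42, so `oaepMaxBytes(2048, 32)` gives 190.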