Is it true that RSA encryption can only handle a limited payload of data? ... I'm confused with the theory ... theoretically there is no note regarding this ...
2 Answers
RSA encrypts a single message which has a length which is somewhat smaller than the modulus. Specifically, the message is first "padded", resulting in a sequence of bytes which is then interpreted as a big integer between 0 and n-1, where n is the modulus (a part of the public key) -- so the padded message cannot be longer than the modulus, which implies a strict maximum length on the raw message.
Specifically, with the most common padding scheme (PKCS#1 "old-style", aka "v1.5"), the padding adds at least 11 bytes to the message, and the total padded message length must be equal to the modulus length, e.g. 128 bytes for a 1024-bit RSA key. Thus, the maximum message length is 117 bytes. Note that the resulting encrypted message has the same size as the modulus, so the encryption necessarily expands the message size by at least 11 bytes.
The normal way of using RSA for encrypting a big message (say, an e-mail) is to use a hybrid scheme:
- A random symmetric key K is chosen (a raw sequence of, e.g., 128 to 256 random bits).
- The big message is symmetrically encrypted with K, using a proper and efficient symmetric encryption scheme such as AES.
- K is asymmetrically encrypted with RSA.
"Splitting" a big message into so many 117-byte blocks, each to be encrypted with RSA, is not normally done, for a variety of reasons: it is difficult to do it right without adding extra weaknesses; each block would be expanded by 11 bytes, implying a non-negligible total message size increase (network bandwidth can be a scarce resource); symmetric encryption is much faster.

- To extend this a bit. Nowadays, OAEP (PKCS#1 v2.1) should be used for padding messages before RSA encryption. The padding uses a hash function internally (MGF) twice and some other information. Let's say `hlen` is the output size of the hash function, then the overhead is `2*hlen + 2`. SHA-1 is the most commonly used hash function for this. It means that a **1024-bit RSA key** can only encrypt up to **86 bytes** for SHA-1 and **62 bytes** for SHA-256. – Artjom B. Apr 24 '16 at 18:27
- I assume "RSA encrypts a single message which has a length which is somewhat smaller than the modulus." is because the RSA algorithm relies on modulo results, so if the rule is broken then two different messages may result in a similar ciphertext, is that right? – Yerken Jul 19 '17 at 00:33
- @ArtjomB. since you were able to verify my RSA Max data bytes formula, I will post it here for everyone. `((1024/8)-2)-2*(256/8) = 62 bytes` --- `((2048/8)-2)-2*(256/8) = 190 bytes` --- `((4096/8)-2)-2*(256/8) = 446 bytes` – suchislife Apr 10 '22 at 00:43
In the basic RSA algorithm (without padding), which is not very secure, the size of the message is limited to be smaller than the modulus.
To enhance the security of RSA you should use padding schemes as defined in PKCS1. Depending on the scheme you choose, the size of the message can be significantly smaller than the modulus. http://en.wikipedia.org/wiki/PKCS1
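An added example (not code from either answer or the comments) showing where the 11-byte and `2*hlen + 2` overheads quoted above come from: it builds the PKCS#1 v1.5 and OAEP padded blocks for a `k`-byte modulus and searches for the longest message each layout accepts. The function names are made up for this sketch, and it covers the padding step only, with no RSA exponentiation or unpadding.

```python
import hashlib
import secrets

def pkcs1_v15_pad(msg: bytes, k: int) -> bytes:
    """EME-PKCS1-v1_5 block: 0x00 0x02 || PS || 0x00 || msg, exactly k bytes."""
    if len(msg) > k - 11:
        raise ValueError("message too long for PKCS#1 v1.5")
    # PS is random NONZERO bytes, at least 8 of them: 3 fixed bytes + 8 = 11 overhead
    ps = bytes(secrets.randbelow(255) + 1 for _ in range(k - len(msg) - 3))
    return b"\x00\x02" + ps + b"\x00" + msg

def mgf1(seed: bytes, length: int, hash_name: str) -> bytes:
    """MGF1 mask generation: hash(seed || counter) blocks, truncated to length."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.new(hash_name, seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def oaep_pad(msg: bytes, k: int, hash_name: str = "sha1", label: bytes = b"") -> bytes:
    """EME-OAEP block: 0x00 || maskedSeed (hlen) || maskedDB (k - hlen - 1)."""
    hlen = hashlib.new(hash_name).digest_size
    if len(msg) > k - 2 * hlen - 2:
        raise ValueError("message too long for OAEP")
    lhash = hashlib.new(hash_name, label).digest()
    # DB = lHash || zero padding || 0x01 || msg; seed and lHash cost hlen bytes each
    db = lhash + b"\x00" * (k - len(msg) - 2 * hlen - 2) + b"\x01" + msg
    seed = secrets.token_bytes(hlen)
    masked_db = xor(db, mgf1(seed, k - hlen - 1, hash_name))   # first MGF use
    masked_seed = xor(seed, mgf1(masked_db, hlen, hash_name))  # second MGF use
    return b"\x00" + masked_seed + masked_db

def largest_fit(pad, k: int) -> int:
    """Longest message length (bytes) that `pad` accepts for a k-byte modulus."""
    for n in range(k, -1, -1):
        try:
            pad(bytes(n), k)
            return n
        except ValueError:
            continue
    raise ValueError("modulus too small for this padding")

if __name__ == "__main__":
    for bits in (1024, 2048, 4096):
        k = bits // 8
        print(bits, largest_fit(pkcs1_v15_pad, k), largest_fit(oaep_pad, k),
              largest_fit(lambda m, k: oaep_pad(m, k, "sha256"), k))
```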