3

I have a Chrome extension that I am working on that will POST data to a remote server. I wish to encrypt the data before it gets sent. My server doesn't have HTTPS so I have to send it over plain HTTP.

I currently use RSA 4096-bit public key encryption in the extension in Javascript, and SHA1 hash the data and send the hash and encrypted data via an Ajax post request.

Is this acceptable encryption to be sent over HTTP?

dda
  • 6,030
  • 2
  • 25
  • 34
user1876122
  • 133
  • 1
  • 9
  • Just to be clear, you hash the data, and then encrypt the data + hash, correct? – Boundless Dec 31 '12 at 13:29
  • 1
    This question might be on-topic for Stack Overflow, but the general question (how strong should an RSA key be?) would definitely be on-topic for http://crypto.stackexchange.com/ – apsillers Dec 31 '12 at 13:41
  • See also the first answer on http://stackoverflow.com/questions/589834/what-rsa-key-length-should-i-use-for-my-ssl-certificates – apsillers Dec 31 '12 at 13:43
  • @Boundless I was just adding the sha1 hash to the start of the encrypted data, The reason I do that is so my server can validate that the encrypted data did not get corrupt in transit. Do you recommend hashing the unencrypted data and adding it in there before encryption? – user1876122 Dec 31 '12 at 13:46
  • @OliCharlesworth Basically I am asking is it safe/advisable to use RSA to encrypt text and send over http. – user1876122 Dec 31 '12 at 13:56
  • 1
    You should definitely encrypt the message and the hash, as @Boundless proposes. Otherwise the hash is pretty useless, since an attacker just needs to rehash the data he wants to send. – Manuel Leuenberger Dec 31 '12 at 14:12

2 Answers2

1

Well, what Wikipedia tells is:

...and that 2048-bit keys are sufficient until 2030...
An RSA key length of 3072 bits should be used if security is required beyond 2030

So I'd guess using 4k Bit encryption is kind of paranoid

Simbi
  • 992
  • 3
  • 13
  • 29
1

Client: Hash your message. Append the hash to your message. Encrypt your message + hash. Send your encrypted message + hash.
Server: Decrypt your message + hash. Split the message and the hash. Hash the message. Make sure that the hash on the server side is the same as the hash from the client side. If these don't match, then there was either some bits that switched on the wire, or someone has altered your message. And yes, RSA 4096-bit public key encryption is more than sufficient.

Boundless
  • 2,444
  • 2
  • 25
  • 40
  • 1
    Wait until he finds out that you cannot encrypt more than 4096 bits using RSA4096 directly. This is why I always avoid group-engineering these home-grown crypt schemes. It can't work unless you are an expert, and if you were an expert you wouldn't be asking for help here. – President James K. Polk Dec 31 '12 at 14:26