1

If I'm using UTF-8 encoding, how many characters can I safely encrypt with different size RSA keys using PKCS1 padding?

EDIT: I understand that the answer would depend on which characters I'm encrypting, but as this is variable, I'm after a "worst case" safe limit for different key sizes (1024, 2048, 4096). Just something to go on.

NotSoSmart

1 Answer

2

To quote from RFC 3447, §7.1:

> RSAES-OAEP can operate on messages of length up to k - 2hLen - 2 octets, where hLen is the length of the output from the underlying hash function and k is the length in octets of the recipient's RSA modulus.

This is defined in terms of octets; exactly how many characters that'll equate to will depend on the characters you encode. One code point can occupy more than one octet, and one character (as most people think of it, anyway) can require more than one code point.

Jerry Coffin
  • I understand what you're saying, but the characters I'm encoding are variable. Could you give me a safe limit? – NotSoSmart Jan 20 '14 at 18:04
  • @NotSoSmart: Nearly the only reasonable approach is to work in terms of octets, not "characters" (especially since the latter is a fairly poorly defined term in any case). – Jerry Coffin Jan 20 '14 at 18:54
  • So, what would be the answer in octets then? – NotSoSmart Jan 20 '14 at 19:14
  • @NotSoSmart: `k - 2hLen-2`, as the answer says. – Jerry Coffin Jan 20 '14 at 19:15
  • I have no idea what that means. But I've read somewhere else that 117 bytes is the limit for a 1024-bit key: http://stackoverflow.com/questions/11505547/how-calculate-size-of-rsa-cipher-text-using-key-size-clear-text-length – NotSoSmart Jan 20 '14 at 19:26
  • All of the UTF-8 characters I'm using seem to be 1 byte, so I'm guessing 117 characters or less is ok for a 1024-bit key. Would a 2048-bit key allow for 234 bytes? – NotSoSmart Jan 20 '14 at 19:29
  • @NotSoSmart: It really comes down to a question of the size of the underlying hash--but your question sounds like you may be talking about just encrypting data, not anything involving a hash function at all. In that case, you should probably be using something like PKCS#7 instead. – Jerry Coffin Jan 20 '14 at 19:45
  • I'm using phpseclib, I'm not sure PKCS#7 is an option – NotSoSmart Jan 20 '14 at 19:51
  • @NotSoSmart: If you're stuck with PKCS #1, then yes, it looks like a 2048-bit key should be good for up to 245 octets of plaintext. – Jerry Coffin Jan 20 '14 at 20:05
  • OK, so a 4096-bit key would allow for 501 bytes?
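
The limits discussed in this thread, worked through as an added example (not code from any of the posts): it computes the per-operation octet limit for PKCS #1 v1.5 (`k - 11`, RFC 3447 §7.2) and for OAEP (`k - 2hLen - 2`, as quoted in the answer), builds the v1.5 padding block to show where the 11 octets go, and checks a UTF-8 string by encoded length. All function names are hypothetical, and the default `h_len=20` assumes SHA-1 as the OAEP hash.

```python
import secrets

def max_plaintext_octets(modulus_bits, scheme="pkcs1v15", h_len=20):
    """Largest message, in octets, that a single RSA encryption accepts."""
    k = (modulus_bits + 7) // 8            # modulus length in octets
    if scheme == "pkcs1v15":
        return k - 11                      # RFC 3447 §7.2: mLen <= k - 11
    if scheme == "oaep":
        return k - 2 * h_len - 2           # RFC 3447 §7.1, quoted in the answer
    raise ValueError("unknown scheme")

def eme_pkcs1_v15_pad(message, modulus_bits):
    """Padding step only (no RSA): EM = 0x00 || 0x02 || PS || 0x00 || M."""
    k = (modulus_bits + 7) // 8
    if len(message) > k - 11:
        raise ValueError("message too long")
    # PS is k - mLen - 3 random nonzero octets; the length check above
    # guarantees at least 8. 3 fixed octets + 8 of PS = the 11 overhead.
    ps = bytes(secrets.randbelow(255) + 1 for _ in range(k - len(message) - 3))
    return b"\x00\x02" + ps + b"\x00" + message

def utf8_fits(text, modulus_bits, scheme="pkcs1v15", h_len=20):
    """Compare the encoded octet count, not the character count."""
    limit = max_plaintext_octets(modulus_bits, scheme, h_len)
    return len(text.encode("utf-8")) <= limit

def worst_case_code_points(modulus_bits, scheme="pkcs1v15", h_len=20):
    """UTF-8 needs at most 4 octets per code point, so divide the limit by 4."""
    return max_plaintext_octets(modulus_bits, scheme, h_len) // 4

if __name__ == "__main__":
    print("bits  v1.5  OAEP/SHA-1  worst-case code points (v1.5)")
    for bits in (1024, 2048, 4096):
        print(bits,
              max_plaintext_octets(bits),
              max_plaintext_octets(bits, "oaep"),
              worst_case_code_points(bits))
    # Constructed sample input: 59 two-octet characters encode to 118 octets.
    print(utf8_fits("a" * 117, 1024), utf8_fits("\u00e9" * 59, 1024))
```
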