读好书,交益友
分类: 网络与安全
2014-05-16 14:41:43
For a n-bit RSA key, direct encryption (with PKCS#1 "old-style" padding) works for arbitrary binary messages up to floor(n/8)-11 bytes. In other words, for a 1024-bit RSA key (128 bytes), up to 117 bytes. With OAEP (the PKCS#1 "new-style" padding), this is a bit less: OAEP use a hash function with output length h bits; this implies a size limit of floor(n/8)-2*ceil(h/8)-2: still for a 1024-bit RSA key, with SHA-256 as hash function (h = 256), this means binary messages up to 60 bytes.
There is no problem in encrypting a RSA key with another RSA key (there is no problem in encryptingany sequence of bytes with RSA, whatever those bytes represent), but, of course, the "outer" RSA key will have to be bigger: with old-style padding, to encrypt a 256-byte message, you will need a RSA key with a modulus of at least 2136 bits.
Hybrid modes (you encrypt a random symmetric key with RSA, and then use that key for symmetric encryption) are nonetheless recommended as a general case, if only because they do not have any practical size limits, and also because they make it easier to replace the RSA part with another key exchange algorithm (e.g. Diffie-Hellman).
