10

Let's say I would like to communicate with my friend using asymmetric/public-key encryption, e.g. RSA.

(Note: I do realize that in practice this is done through an intermediate symmetric key, but this question assumes we only use asymmetric encryption.)

Say I try to do this: I slice up my data into 2n-byte blocks (padding with zeros [edit: padding appropriately] if necessary), append the block index to the block (to prevent the same plaintext from turning into the same ciphertext), then use my friend's public key to encrypt each block separately.

Is this a secure scheme, or does the fact that I'm re-using the key make it susceptible to some kind of attack? If so, is it used in practice in any existing algorithms? If not, is there any way to make it safe, aside from using a symmetric key?

Paŭlo Ebermann
  • 22,946
  • 7
  • 82
  • 119
user541686
  • 1,409
  • 1
  • 11
  • 24

3 Answers3

15

Well, reusing a key isn't a problem; after all, RSA keys are generally used many times.

However, if you fix the padding, there does exist one other potential problem; message malleability.

To example, suppose Alice sends two messages to Bob, $X_1, X_2$ and $Y_1, Y_2$. To send these, Alice actually sends:

$E(X_1), E(X_2)$

$E(Y_1), E(Y_2)$

Now, Eve can't modify each individual block (RSA with proper padding prevents that); what she can do is mix-and-match blocks, as so:

$E(X_1), E(Y_2)$

This would decrypt at $X_1, Y_2$, which might not be what Alice and Bob whats.

If you are silly enough to use RSA encryption in this manner, you do need something that binds the blocks together (or alternatively does some sort of integrity checking on the entire message).

As for whether people ever do this in practice, well, no they don't -- not because of security, but because it's so inefficient; using the RSA algorithm to communicate a symmetric key, and using that symmetric key to encrypt the message is far more efficient.

poncho
  • 154,064
  • 12
  • 239
  • 382
1

Just happened to read the question and decided to write short answer.

RSA is partially malleable (see http://en.wikipedia.org/wiki/Malleability_%28cryptography%29), it can be said that RSA provides efficient cryptography only if used very carefully. Therefore, RSA shall always be used via existing RSA padding schemes (see e.g. PKCS#1), because those have been carefully designed to be secure.

The scheme described here (zero padding) likely does not provide as good security with RSA as recommendable.

Anyway, the usage of intermediate symmetric key is actually not to remove reuse private key, its goal is instead: performance. Public key operations are generally very slow compared to symmetric cryptography.

MPN
  • 11
  • 2
0

If you came here like me because static code analysis flagged you with a security flaw for using ECB instead of CBC in code that looks like this:

Cipher c = Cipher.getInstance("RSA/ECB/OAEPWithSHA-1AndMGF1Padding","SunJCE");

You might have to explain to someone that it's just a Java syntax thing and that ECB or CBC don't really do anything because RSA isn't breaking the message into blocks.

Richard Brightwell
  • 101
  • 2