I know that asymmetric cipher shouldn't be used for encryption large files because it is slow. It is better to use symmetric cipher. But, what worse, I've read that it is unsecure to encrypt a large file with a public key. But, why?
Asked
Active
Viewed 1.2k times
1 Answers
7
Safe encryption of large files with RSA is possible. One can split the file into suitably small blocks, and encipher these individually with a safe RSA-based encryption scheme. The receiver deciphers the ciphertext blocks, and concatenates the deciphered plaintext blocks. This demonstrably is safe (in the sense that it protects the confidentiality of the large file), if the RSA-based encryption scheme is (this requires random padding, and excludes textbook RSA encryption, which allows to verify a plaintext guess).
This is however rarely done in practice because:
- RSA is slow/compute intensive compared to symmetric encryption, especially for decryption; and that slowness applies to the decryption of each of the many blocks, and becomes a computational bootleneck. We are talking like 4 decimal orders of magnitude or more compared to symmetric encryption. Making the modulus larger reduces the number of blocks but worsens the problem, because RSA's execution time grows much faster than linearly with the modulus size (even much faster than quadratically, for decryption).
- Safe RSA-based encryption schemes expand the size of the ciphertext. For example RSA-OAEP with SHA-256, when using 2048-bit RSA, uses 2048-bit ciphertext blocks (256 bytes) which convey at most $2048-2\cdot256-16=1520$ bits (190 bytes), loosing over 25% of the bandwidth. This can only be improved to some degree (for $n$-bit security, there must be at least $n$ bits lost per block).
- RSA with long-term keys does not offer forward secrecy.
Hybrid encryption solves 1 and 2. Negotiating a session key with an appropriate protocol can solve 3.
fgrieu
- 149,326
- 13
- 324
- 622