0

I know this may be marked duplicate. It is based off of this question and this answer. However, I feel like I'm missing something...

My example:

Bob wants to encrypt a message and send it to Alice using Alice's public key. However, Bob also wants to sign the message using his private key before encrypting the (message + signature).

For sake of argument lets assume Alice and Bob are using RSA2048. According to PKCS #1 v2.2, both, RSASSA-PSS and RSASSA-PKCS15 signature schemes produce an output the size of the key's modulus (in this case 256 bytes). However, both OAEP and PKCS15 encryption schemes require the message size to be less than the modulus size (less than 256 bytes).

How can one sign and then encrypt a message according to this spec? Would the plaintext just be broken into two chunks? Hybrid encryption seems like overkill if the message is small. Even a single ASCII character would be too large to sign then encrypt this way...

Community
  • 1
skidelo
  • 3
  • 1
  • I'm not sure there is a standard answer here. Imho you have a very specific scenario here because usually hybrid encryption is the way to go. – Elias Apr 26 '17 at 08:14
  • I don't understand why you are strongly against breaking your input to a number of blocks. (In symmetric encryption, employing a small block size is even the rule.) For doing encryption and signature together with RSA, you could take a trial of my software at mok-kong-shen.de ) – Mok-Kong Shen May 02 '17 at 15:23

1 Answers1

0

You will always need at least to blocks (=512 bytes in your case) if you want to encrypt and sign some data. Any RSA signature block, be it armored with PKCS#1 v1.5 or PSS (or even textbook RSA) will have the size of the modulus (256 byte), since it is the output of a RSA operation. So if you want to add some plain text data to that, you will automatically need to start a new block.

All said is under the assumption of using two keys of equal size (2048 bit), as you suggested. You could get away with one block if your signature key has a smaller bitsize (e.g. 2048) then the encryption key (e.g. 4096).

mat
  • 2,508
  • 12
  • 28
  • It doesn't look like any of the common crypto libraries support some sort of 'RSA-CBC' mode. I'll either break up the chunks manually or use hybrid encryption. – skidelo Apr 27 '17 at 15:35
  • Use hybrid encryption. It is usually safer to stick to well used and tested scheme than to roll up your own. There is a reason, why there is no RSA-CBC. – mat Apr 28 '17 at 08:28