24

It's described very well by this diagram. It seems like the process used is convoluted and more round-about than it needs to be. Why is an intermediate random key generated for the payload's encryption and then transmitted with the message after its own encryption using the recipient's public key, instead of just using the recipient's public key directly on the message? Isn't it the same, as far as security properties go?

pgp diagram

Community
  • 1
wwaawaw
  • 521
  • 4
  • 9

3 Answers3

31

RSA is not used directly due to several reasons:

  • RSA encrypts only messages with a limited size. With a 1024-bit RSA key, RSA (as per PKCS#1) can process only 117 bytes of data. To encrypt more than that, one would have to do some chaining, i.e. split the data to encrypt into several 117-byte blocks and encrypt them separately. This is routinely done for symmetric encryption (this is called "modes of operation") but it is not that easy to do securely, and nobody quite knows how to do a secure mode of operation for RSA.

  • Hybrid encryption allows for efficient multi-recipient data. You symmetrically encrypt the data with a key K, then you encrypt K with the RSA key of each recipient. When you send a 3 MB file to 10 people, you would prefer to compute and send an encrypted email of size 3.01 MB, rather than ten 3 MB emails...

  • RSA enlarges your data. With a 1024-bit RSA key, you encrypt at most a 117-byte chunk, but you get 128 bytes on output, so that's a 10% enlargement. On the other hand, symmetric encryption incurs only constant size increase.

  • RSA encryption and decryption are fast, but not very fast. Doing a lot of RSA could prove problematic in high-bandwidth contexts (it would be fine for emails, with today's machines, not for a VPN).

The fourth reason is the most often quoted, but actually the least compelling of the four.

Thomas Pornin
  • 320,799
  • 57
  • 780
  • 949
  • 1
    Oooh, I especially like the second point. Has anyone ever heard of PGP being used for multi-party mailing lists? – wwaawaw Sep 14 '12 at 00:10
  • I'd just like to double check -- a different __K__ must be used for each message, correct? Thinking it through on my own, I'm almost so sure of this that I don't even want to waste your time with the question, but I would just like to make sure I understand what's going on correctly. – wwaawaw Sep 14 '12 at 00:23
  • 1
    @adlwalrus: I send encrypted mail to multiple recipients all the time. Not specifically mailing lists though. – tdammers Sep 14 '12 at 10:42
  • @adlwalrus: yes, a new _K_ for each message, but for a given message, the _K_ is sent (RSA-encrypted) to each recipient of _that_ message. – Thomas Pornin Sep 14 '12 at 12:33
  • @tdammers could it conceivably work in a mailinglist-sort of way? – wwaawaw Sep 15 '12 at 02:27
4

It's hard to find a good reference, but RSA isn't very fast:

By comparison, DES (see Section 3.2) and other block ciphers are much faster than the RSA algorithm. DES is generally at least 100 times as fast in software and between 1,000 and 10,000 times as fast in hardware, depending on the implementation. Implementations of the RSA algorithm will probably narrow the gap a bit in coming years, due to high demand, but block ciphers will get faster as well.

So, encrypting a small symmetric key and then encrypting the data with that is much faster.

In case you're concerned that DES isn't a good example (since no sane person would use it these days), AES's speed is on the same order of magnitude.

Brendan Long
  • 2,878
  • 1
  • 19
  • 27
3

Its simply because RSA is A) Very slow B) Can only encrypt X amount of bits depending on the size of the key. The method here is generating an AES key which is much faster and can encrypt (AFAIK) unlimited amount of bits. Because AES is symmetrical there is no way a party can give it to another party without encryption. This is why asymmetrical encryption (RSA) is used and why PGP requires people to have your public key to send you a messages.

  • AES cannot encrypt any more unlimited number of bits than RSA, given the same assumption (block splitting). – user Mar 10 '15 at 13:14