
I am trying to understand an encryption process on a website (Instagram). As far as I know, a public key is sent from the server to the client. Then the password is encrypted with AES_GCM_256 and packed together with the AES key in an array, and then in a sealed box with the public key from the server.

Is a sealed box the same as simply encrypting the array with RSA?

Why do you do that?

I mean, if you find out the RSA private key and then decrypt the data encrypted with RSA, wouldn't you also have the AES key to decrypt the password?

And the public key is very short:

297e5cd13e20f701d57bd5a1ee82bcead9a20e4080bc6c737917b868eb65f505

Only 64 characters so 512 bits.

Is that even safe enough for RSA? Or is the key Curve25519?

As far as I know, an RSA key should be at least 2048 bits, shouldn't it?

I would appreciate a link or the answer to a few questions :)

Best regards

  • *"As far as I know ..."* - what is this knowledge based on? On the one hand you describe very specific things and terms, which suggests that this is based on some documentation. On the other hand you ask questions which I would expect to be answered by the same documentation. Can you please add the source on which this whole question is based? – Steffen Ullrich Jan 15 '21 at 07:37
  • The key is encoded in hexadecimal, which means each character represents 4 bits. So the key is actually 256 bits long, and that is the size of Curve25519 keys and some other ECDH curves as well. – nobody Jan 15 '21 at 07:39
  • The information comes from various sources and not from a single documentation. But it's all a little bit from here and from there: / So I don't know how right these are. – CleanMyFloor Jan 15 '21 at 09:03
  • Curve25519 why do they use Curve and not RSA? – CleanMyFloor Jan 15 '21 at 09:04
  • @CleanMyFloor: *"information comes from various sources and not from a single documentation"* - It would at least be helpful if you linked to the various information sources instead of claiming that it works like you described. *"Curve25519 why do they use Curve and not RSA?"* - you are essentially asking why they use a modern algorithm which needs only a short key size instead of an old algorithm which needs a long key size. – Steffen Ullrich Jan 15 '21 at 09:15
  • RSA is slow compared to Curve25519; compare the security levels at https://www.keylength.com/ and see the required key size. RSA's only usage, for a while now, has been signatures. – kelalaka Jan 15 '21 at 09:26
  • @CleanMyFloor Why *would* they use RSA instead of Curve25519? –  Jan 15 '21 at 10:05
