I am trying to understand an encryption process on a website (Instagram). As far as I know, a public key is sent from the server to the client. Then the password is encrypted with AES_GCM_256 and packed together with the AES key in an array, and then in a sealed box with the public key from the server.
Is a sealed box the same as simply encrypting the array with RSA?
Why do you do that?
I mean, if you find out the RSA private key and then decrypt the data encrypted with RSA, wouldn't you also have the AES key to decrypt the password?
And the public key is very short:
297e5cd13e20f701d57bd5a1ee82bcead9a20e4080bc6c737917b868eb65f505
Only 64 characters so 512 bits.
Is that even safe enough for RSA? Or is the key Curve25519?
As far as I know, shouldn't an RSA key be at least 2048 bits?
I would appreciate a link or the answer to a few questions :)
Best regards