Key Exchange using RSA public key without a certificate

Question

I want to share AES key using RSA. What is the recommended/widely used format for encrypting the AES key and its attributes with the public key? I know that PKCS#7/CMS enveloped-data allows encrypting any key with its attributes using a certificate. But how can I achieve the same thing without a certificate and only using a public key?

Answer 1

Generally you'd just use RSA with OAEP padding if you want to encrypt a key. Your question however talks about exchange a key. That could also be performed using RSA-KEM.

Note that RSA was often used with TLS to provide key exchange using the RSA_ cipher suites. That RSA key was part of a trusted certificate, so it also performed entity authentication. Nowadays we like forward secrecy where the ephemeral key pair is only used once. The disadvantage of RSA for forward secrecy is that the key pair generation can take very long - it depends on how quick the primes are found.

Beware that you need some way to trust the public key or the key exchange and resulting secret. If that trust is not there then you might be encrypting with one provided by an adversary, and confidentiality of the AES key may be lost in a man-in-the-middle attack or a similar attack.

Generally you'd not use CMS / PKCS#7. That is usually used with certificates and it adds a lot of overhead which is usually unnecessary if you just want to encrypt a key value.

Answer 2

You can use OpenSSL rsautil to encrypt the AES key with RSA key. You need to change the RSA key into valid format which OpensSSL can accept. (OpenSSL also supports raw encryption without padding. Use only if you know what you are doing)

To encrypt: openssl rsautl -encrypt -inkey pubkey.pem -pubin -in aes.key -out AES.enc.key

To decrypt: openssl rsautl -decrypt -inkey key.pem -in aes.enc.key -out aes.key

You can also check SSH (RFC 4253) working which I think might me helpful.