5

Someone mentioned here that asymmetric encryption might not be appropriate for bulk data and gave an example of RSA with 100 bytes. Of course, I understand that it was a rough example. But it made me curious - how much size of data can various public-key crypto handle in general and how much can a JavaScript library like OpenPGP.js handle in particular. In the latter case, does the browser environment add more limitations?

Added:
Is there any reputed online resource that has a discussion / comparison of the various Public-key cryptos with regards to the limits on size of data?

Community
  • 1
Sam
  • 153
  • 1
  • 5

2 Answers2

10

In order to answer your question, your misconceptions must be corrected first. In most cases, padding in RSA adds 11 bytes to the message. So, using a 1024-bit key, you'll have 117 bytes available for the message. That's why RSA isn't usually used to encrypt messages, it's mostly used to encrypt symmetric keys used to encrypt messages. This is called a hybrid cryptosystem.

For example, in PGP, a symmetric key (sK) is created, the message is encrypted with sK, then sK is encrypted with the public key, and both (the encrypted message and the encrypted sK) are sent to the recipient. The recipient will use his private key to decrypt sK and use that to decrypt the message.

Technically speaking, there's no limit on the size of the message PGP (and, consequently, OpenPGP.js) can handle. Limitations might come from the amount of available memory, the amount of memory utilizable by the browser, etc.

Community
  • 1
Adi
  • 43,808
  • 16
  • 135
  • 167
  • 1
    Padding only uses 11 bytes with the often insecure PKCS#1v1.5 padding. With OAEP it's significantly more, 42 with SHA-1 and even more with larger hashes. – CodesInChaos Oct 31 '13 at 09:43
  • Thanks for pointing out something very obvious that I missed - openpgpjs uses a hybrid encryption scheme. – Sam Oct 31 '13 at 22:24
  • 1
    Why'd no one mention ECC? – Awn Apr 20 '17 at 15:25
  • 1
    @Eclipse Because I didn't know much about it, so I didn't feel like talking out of my bottom half. You're more welcome to either edit or post an answer of your own. – Adi Apr 20 '17 at 18:53
4

Each algorithm has its own limitations. As quoted by @Adnan, RSA (with PKCS#1 v1.5 padding) tops at 11 bytes less than the RSA modulus size. Other algorithms may have different properties.

In particular, with Diffie-Hellman, you don't encrypt at all, but you can still use it for asymmetric encryption. One way to consider DH is that it is an asymmetric encryption algorithm, where you do not get to choose what you encrypt: when you run the algorithm, the party who encrypts learns, at the end, what he actually "encrypted". Yet this is enough for hybrid encryption: a shared secret is nice for use as a key for symmetric encryption. This process has been formalized under a name of its own: IES (with an elliptic-curve variant called ECIES).

Note that you encrypt because you want to keep data confidentiality, and most attack models where confidentiality is important are also attack models where integrity is important (passive-only attackers are rare). Encryption, alone, does not do the full thing, so a combination of algorithms is normally needed anyway.

Tom Leek
  • 168,808
  • 28
  • 337
  • 475