12

I'm currently using GPG RSA keys to encrypt binary files. Many people recommend using symmetric keys to encrypt large files, and then encrypt the symmetric key with a public key.

At what file size should I switch from RSA to something like AES? Is it arbitrary? Are there any security concerns with using GPG/RSA on massive files (gigabytes)? I'm aware that RSA is much slower/larger, I'm just wondering if there were any other issues.

It's much less hassle to encrypt directly using RSA even if it takes more time, than to generate new symmetrical AES keys, encrypt the file, encrypt the keys via RSA and then store the AES keys every time I'm encrypting my files, that's why I'm asking about why I should use it.

Adi
  • 43,808
  • 16
  • 135
  • 167
Kausheel
  • 133
  • 1
  • 1
  • 4
  • 1
    Possible duplicate of [What are the disadvantages of using public key cryptography when encrypting files?](http://security.stackexchange.com/questions/121893/what-are-the-disadvantages-of-using-public-key-cryptography-when-encrypting-file) – Mike Ounsworth Apr 30 '16 at 15:09

4 Answers4

8

This is not a question of size.

The raw asymmetric encryption algorithm known as RSA can do asymmetric encryption for a "message" in a rather limited space; namely, with a 2048-bit RSA key and PKCS#1 v1.5 RSA encryption, the algorithm can process a sequence of bytes up to 245 bytes at most.

But you never use the raw algorithm. You use a protocol, in this case OpenPGP, which defines the algorithms to use and where each byte goes. In OpenPGP, when the recipient has a public/private key pair and you want to encrypt your message "with the public key" (i.e. you want the message to be unreadable except by whoever knows the corresponding private key), then you invoke your OpenPGP-compatible software which will then follow the OpenPGP rules -- and these rules are that symmetric encryption is always used: the software generates a random symmetric key K, encrypts the message itself with a symmetric algorithm using K as key, then encrypts K (not the message) with the recipient's RSA public key. You don't have to choose, and you don't get to choose: this is the way OpenPGP works.

Designing your own secure protocol, and then implementing it securely, are two incredibly hard tasks ("incredibly" because people don't believe it at first) so the smart thing is not to do it yourself, but instead use an existing protocol (e.g. OpenPGP) and existing implementations of that protocol (e.g. GnuPG). In that sense, you should not ask yourself this question.

Community
  • 1
Thomas Pornin
  • 320,799
  • 57
  • 780
  • 949
7

Any file size really. Symmetric cryptography generally provides a much, MUCH higher level of security for a given key length. This is why we can use 128 bit symmetric algorithms but have to use 1024 or 2048 bit asymmetric algorithms. There are also a few attacks that make it easier to figure out certain asymmetric algorithms if you have a larger amount of structured data encrypted with them. Additionally, Symmetric algorithms are FAR faster to execute and asymmetric algorithms give you no added benefit when protecting files.

You only need asymmetric cryptography when you need to exchange information with a particular individual that you don't have a key exchanged with (and even then, you use symmetric and encrypt the key asymmetrically normally) or when you need to sign something (in which case you encrypt the hash value asymmetrically).

Asymmetric encryption should pretty much always be used on the absolute smallest possible amount of information for both security and efficiency reasons. This is, in fact, what many, if not most, established protocols that utilize asymmetric cryptography are based on.

AJ Henderson
  • 41,816
  • 5
  • 63
  • 110
  • Can you provide a source on symmetric cryptography being a higher level of security? I don't think that's correct at all. http://security.stackexchange.com/questions/7219/asymmetric-vs-symmetric-encryption – temporary_user_name Mar 14 '16 at 19:36
  • 1
    @Aerovistae - I would point to the selected answer on that post as a source. Part of the issue may be a misunderstanding of how I used the term, which may have been slightly overly simplified. I updated my answer to clarify that I meant "for a given bit length". You need larger keys when your keys are related to each other to maintain security where as a symmetric key doesn't give anything away about itself. – AJ Henderson Mar 14 '16 at 20:23
6

PGP, GPG, SSH, and most public key systems already use symmetric algorithms internally.

Internally, when you encrypt with a public key, the software/hardware first generates a symmetric key and encrypts your data with the symmetric algorithm. And then it encrypts that symmetric key with the public key (using an asymmetric algorithm) and stores the encrypted symmetric key within the ciphertext. On the other end, the recipient needs the secret key to decrypt the symmetric key stored with the cipher text and then use the symmetric key to decrypt the cipher text and retrieve the message. In all of these steps, the only elements that the users see are: public keys, plaintext, ciphertext, secret keys. The symmetric key and encryption is all internal and never exposed to the users. That way, you are getting the benefits of asymmetric algorithms (being able to encrypt to multiple people with public keys), but also the speed of symmetric algorithms.

This is also the reason why when you change your GPG/PGP keys' passwords, you can still decrypt the files encrypted with you public key earlier. The key is actually stored in the file and is the only part that is truly encrypted with pure public key goodness!

Kevin Li
  • 601
  • 4
  • 6
0

I'm currently using GPG RSA keys to encrypt binary files. Many people recommend using symmetric keys to encrypt large files, and then encrypt the symmetric key with a public key.

This is known as hybrid cryptosystem and is the way it is usually done, especially when the data sizes get bigger. Symmetric encryption by its very nature is always going to be faster than any asymmetric scheme.

Are there any security concerns with using GPG/RSA on massive files (GB's)? I'm aware that RSA is much slower/larger, I'm just wondering if there were any other issues.

Well, one issue might be the deterministic nature of RSA. If you encrypt the same plaintext using the same key multiple times, you might enable an attacker to perform known-plaintext attacks. You certainly can modify RSA in a non-deterministic way, but why bother and not just use a random symmetric key with each encryption.

Furthermore the hybrid approach makes it possible to send out the ciphertext to more than just one recipient with very little overhead. You only need to encrypt the symmetric key for each recipient, while the bulk of the data can stay the same for all of them.

It's much less hassle to encrypt directly using RSA even if it takes more time, than to generate new symmetrical keys and encrypt via RSA and then store them every time I'm encrypting my files, that's why I'm asking about why I should use it.

This is something that GPG takes care of automatically. How exactly do you invoke GPG? Why would you want to wait longer, if a hybrid approach has no real disadvantages?

Karol Babioch
  • 1,247
  • 8
  • 10