RSA Encryption Schemes

From Crypto++ Wiki
Jump to navigation Jump to search
RSA Encryption Schemes
Documentation
#include <cryptopp/rsa.h>

This articles shows you how to perform encryption using RSA.

For the main RSA page, visit RSA Cryptography. For signature schemes, visit RSA Signature Schemes. Raw RSA provides information about low level RSA operations. For a detailed treatment of key generation, loading, saving, validation, and formats, see Keys and Formats.

Plaintext Length

The maximum length of a plaintext string that can be encrypted with RSA can be determined by FixedMaxPlaintextLength. On error, FixedMaxPlaintextLength returns 0. The value returned by FixedMaxPlaintextLength is directly related to the modulus size n and the padding scheme.

Ciphertext Length

The length of the resulting ciphertext can be determined by FixedCiphertextLength. On error, FixedCiphertextLength returns 0. The value returned by FixedCiphertextLength is directly related to the modulus size n.

Buffer Sizes

When encrypting and decrypting using Crypto++, the plaintext and ciphertext buffers can be the same. This effectively means in-place encryption and decryption can be performed. However, always make sure the buffer is large enough to hold the encrypted data (which will be larger than the plaintext). If the buffers are not the same, the buffers must not overlap. Finally, both CiphertextLength and MaxPlaintextLength return 0 on error.

// Encrypt
size_t cipherTextSize = publicKey.CiphertextLength( plainTextSize );
assert( 0 != cipherTextSize );
assert( plainTextSize >= cipherTextSize );

publicKey.Encrypt(prng, (byte*)plainText, plainTextSize, (byte*)cipherText);

...

// Decrypt
size_t plainTextSize = privateKey.MaxPlaintextLength( cipherTextSize );
assert( 0 != plainTextSize );
assert( cipherTextSize >= plainTextSize );

DecodingResult result = privateKey.Decrypt(rnd, (byte*)cipherText, cipherTextSize, (byte*)plainText);
assert( plainTextSize == result.messageLength );

OAEP and SHA-256

The typedefs RSAES_OAEP_SHA_Encryptor and RSAES_OAEP_SHA_Decryptor use SHA-1 by default:

$ grep RSAES_OAEP_SHA_Encryptor *.h
rsa.h:DOCUMENTED_TYPEDEF(RSAES<OAEP<SHA1> >::Encryptor, RSAES_OAEP_SHA_Encryptor);

$ grep RSAES_OAEP_SHA_Decryptor *.h
rsa.h:DOCUMENTED_TYPEDEF(RSAES<OAEP<SHA1> >::Decryptor, RSAES_OAEP_SHA_Decryptor);

If needed you can change the hash using OAEP template parameter:

RSAES<OAEP<SHA256> >::Encryptor

and

RSAES<OAEP<SHA256> >::Decryptor

Crypto++ 8.7 added typedefs for RSAES_OAEP_SHA256_Encryptor and RSAES_OAEP_SHA256_Decryptor. Also see Commit 3b8c9303b462.

Also see How to encrypt/decrypt data using RSA OAEP SHA-256 in Crypto++ on Stack Overflow.

Sample Programs

RSA Encryption Scheme (OAEP and SHA)

The following code demonstrates RSA encryption using OAEP. SHA is used to generate the padding bits and mask the input (see OAEP_Base::Pad).

////////////////////////////////////////////////
// Generate keys
AutoSeededRandomPool rng;

InvertibleRSAFunction parameters;
parameters.GenerateRandomWithKeySize( rng, 1536 );

RSA::PrivateKey privateKey( parameters );
RSA::PublicKey publicKey( parameters );

////////////////////////////////////////////////
// Secret to protect
static const int SECRET_SIZE = 16;
SecByteBlock plaintext( SECRET_SIZE );
memset( plaintext, 'A', SECRET_SIZE );

////////////////////////////////////////////////
// Encrypt
RSAES_OAEP_SHA_Encryptor encryptor( publicKey );

// Now that there is a concrete object, we can validate
assert( 0 != encryptor.FixedMaxPlaintextLength() );
assert( plaintext.size() <= encryptor.FixedMaxPlaintextLength() );

// Create cipher text space
size_t ecl = encryptor.CiphertextLength( plaintext.size() );
assert( 0 != ecl );
SecByteBlock ciphertext( ecl );

encryptor.Encrypt( rng, plaintext, plaintext.size(), ciphertext );

////////////////////////////////////////////////
// Decrypt
RSAES_OAEP_SHA_Decryptor decryptor( privateKey );

// Now that there is a concrete object, we can check sizes
assert( 0 != decryptor.FixedCiphertextLength() );
assert( ciphertext.size() <= decryptor.FixedCiphertextLength() );

// Create recovered text space
size_t dpl = decryptor.MaxPlaintextLength( ciphertext.size() );
assert( 0 != dpl );
SecByteBlock recovered( dpl );

DecodingResult result = decryptor.Decrypt( rng,
    ciphertext, ciphertext.size(), recovered );

// More sanity checks
assert( result.isValidCoding );        
assert( result.messageLength <= decryptor.MaxPlaintextLength( ciphertext.size() ) );

// At this point, we can set the size of the recovered
//  data. Until decryption occurs (successfully), we
//  only know its maximum size
recovered.resize( result.messageLength );

// SecByteBlock is overloaded for proper results below
assert( plaintext == recovered );

cout << "Recovered plain text" << endl;

RSA Encryption Scheme (OAEP and SHA) using Filters

Using Crypto++ pipelining, the previous program can be reduced to the following.

////////////////////////////////////////////////
// Generate keys
AutoSeededRandomPool rng;

InvertibleRSAFunction params;
params.GenerateRandomWithKeySize( rng, 1536 );

RSA::PrivateKey privateKey( params );
RSA::PublicKey publicKey( params );

string plain="RSA Encryption", cipher, recovered;

////////////////////////////////////////////////
// Encryption
RSAES_OAEP_SHA_Encryptor e( publicKey );

StringSource ss1( plain, true,
    new PK_EncryptorFilter( rng, e,
        new StringSink( cipher )
    ) // PK_EncryptorFilter
 ); // StringSource

////////////////////////////////////////////////
// Decryption
RSAES_OAEP_SHA_Decryptor d( privateKey );

StringSource ss2( cipher, true,
    new PK_DecryptorFilter( rng, d,
        new StringSink( recovered )
    ) // PK_DecryptorFilter
 ); // StringSource

assert( plain == recovered );

Downloads

RSA-ES-OAEP-SHA-Test.zip - Demonstrates RSA-ES (OAEP/SHA)

RSA-ES-OAEP-SHA-Filter-Test.zip - Demonstrates RSA-ES (OAEP/SHA) using Filters