Rsa Encryption, Getting Bad Length

RSA Encryption, getting bad length

RSA encryption is only mean for small amounts of data, the amount of data you can encrypt is dependent on the size of the key you are using, for example for 1024 bit RSA keys, and PKCS # 1 V1.5 padding, you can encrypt 117 bytes at most, with a 2048 RSA key, you can encrypt 245 bytes.

There's a good reason for this, asymmetric encryption is computationally expensive. If you want to encrypt large amounts of data you should be using symmetric encryption. But what if you want non-repudiation? Well what you then do is use both. You create a symmetric key and exchange it using asymmetric encryption, then that safely exchanged symmetric key to encrypt your large amounts of data. This is what SSL and WS-Secure use underneath the covers.

Bad Length Error in Rsa encryption decryption

RSA can only be used to encrypt messages whose length is less than the modulus. How much smaller depends on the padding, e.g. 11 bytes in case of PKCS#1 v1.5, s. here. In the case of OAEP, the number of bytes claimed by padding depends on the digest used, s. here. The details are described in RFC8017, RSAES-PKCS1-v1_5 and RSAES-OAEP.
For completeness: RSA without padding (textbook RSA) allows the encryption of messages up to exactly the length of the modulus. In practice, however, padding must always be used for security reasons, so textbook RSA is not a real option.

The posted code uses an RSA key of 1024 bits and PKCS#1 v1.5 padding. The maximum size of the message to be encrypted is therefore 117 bytes. Larger messages throw a CryptographicException (Bad Length). That is the reason for your issue.

A 8192 bits (1024 bytes) key would theoretically allow messages up to 1013 bytes in length to be encrypted with PKCS#1 v1.5 Padding. However, the performance decreases strongly with increasing key size, s. here.

Symmetric encryption is more performant than asymmetric encryption. Therefore, in practice larger data volumes are encrypted using symmetric encryption, e.g. AES. However, symmetric encryption has the problem that the communication partners have to exchange the symmetric key. Asymmetric encryption, e.g. RSA, is typically used for this purpose (hybrid encryption), since only the public keys are needed for encryption (which can therefore be exchanged over an insecure channel). However, to prevent a deceptive replacement of the public keys (man in the middel attack), a complex public key infrastructure is generally necessary.

SHA1 with RSA encryption: bad length error

AFAIK signing a byte array with RSA-SHA1 generates a byte array (signature) of the same lenght as the RSA key used. Is that right?

Usually yes, although the size will of course be encoded as octet stream (aka byte array) it is possible that the size of the signature is actually up to 7 bits larger. The key size is normally a multiple of 8 (bits) so this doesn't come up much.

From another side signing, roughly means generate a hash using SHA1 (so it is 160 bites long) and then with or without a padding scheme encrypt it with the private key.Is that right?

No, you should never perform modular exponentiation in RSA without padding; a padding scheme is required for security. Note that you should not talk about encryption here. Encryption is used to provide confidentiality. That RSA signature generation and encryption both uses modular exponentiation - although with different keys - doesn't mean one equates the other.

It is important to note that the padding scheme for PKCS#1 v1.5 encryption is different from the one used for signature generation. Furthermore there are also the newer OAEP padding scheme for encryption and the PSS padding scheme for signature generation which are rather distinct.

Later on, in order to recover this hash (with or without padding schema on it) I would need to encrypt the signature with the public key. Is that right?

Perform modular exponentiation and then verify the result, yes. But as the verification requires verifying the padding in a secure way you should really let an API handle this.

Something is broken in my logic because I'm not able to encrypt the signature with the public key.

Try something written for verification instead, like the method VerifyHash as seen in this example.

You can try and find a raw RSA implementation to find out what is within the RSA signature. You should only do this to analyze the signature.

So if you "encrypt" the data with the public key (i.e. just perform modular exponentiation) you would get:

0001ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff003021300906052b0e03021a05000414a2304127e2fe3b8a8203b219feafdd9b58558310

as result. This is clearly PCKS#1 v1.5 padding for signature generation. It includes an encoded hash value:

SEQUENCE(2 elem)
  SEQUENCE(2 elem)
    OBJECT IDENTIFIER1.3.14.3.2.26
    NULL
  OCTET STRING(20 byte) A2304127E2FE3B8A8203B219FEAFDD9B58558310

What is the limit to the variety of strings that can be encrypted/decrypted using RSACryptoServiceProvider (C#)?

Based on comments from Klaus Gütte and Topaco, I'm satisfied with the response!

The problem is caused by the size of the input string, the limit of the input so is the size of the input according to the question linked by Klaus, and this size depends on the size configured for the encryption key as mentioned by Topaco!

Link to cause clarification: System.Security.Cryptography.CryptographicException : Bad length in RSACryptoserviceProvider

Link to clarify input size limit: https://crypto.stackexchange.com/questions/42097/what-is-the-maximum-size-of-the-plaintext-message-for-rsa-oaep/42100# 42100

More specifically: https://www.rfc-editor.org/rfc/rfc8017#section-7.1.1

Print RSAES-OAEP-ENCRYPT standars

Sample Image

In my specific case, the maximum length of strings accepted by the encrypt/decrypt methods was 214 (Length). Test with 100k random strings and it worked perfectly! However, passing a string size >= 215 already generates the "Bad length" exception.

Success with length <= 214

Sample Image

Fail with 215

Sample Image

Thanks a lot for the help guys!!

RSA Encryption Problem [Size of payload data]

In the basic RSA algorithm (without padding) which is not very secure the size of the message is limited to be smaller than the modulus.

To enhance the security of RSA you should use padding schemes as defined in PKCS1. Depending on the scheme you choose the size of the message can be significantly smaller than the modulus.
http://en.wikipedia.org/wiki/PKCS1


Related Topics

Write Bytes to File

Ms Chart Rectangular Annotation Width in Percent and Not Pixel

Installing Windows Service Programmatically

Associate a Private Key with the X509Certificate2 Class in .Net

Httpclient Single Instance with Different Authentication Headers

Iis Express Immediately Shutting-Down Running Site After Stopping Web Application

How Does Extern Work in C#

Best Way to Check for Nullable Bool in a Condition Expression (If ...)

Why am I Getting an Out of Memory Exception in My C# Application

Can a Tcp C# Client Receive and Send Continuously/Consecutively Without Sleep

How to Find Reason of Failed Build Without Any Error or Warning

Find Image Format Using Bitmap Object in C#

Determine Client's Computer Name

How to Detect Working Internet Connection in C#

How to Loop Over the Properties of a Class

Initializing an Array of Structs in C#

In C# What Category Does the Colon ":" Fall Into, and What Does It Really Mean

Why Are There System.*.* Dlls in My Bin Release Directory


Leave a reply



Submit