I found that RSA created a 256 byte message from a 10 byte input string. I was told that this is due to padding? Further read says that RSA without padding is insecure?
This seems like a real drawback to using RSA? Is there a way to use RSA and not create such a network intense load?
Textbook (non-padded ...) RSA has no semantic security, therefore it is not secure against chosen plaintext attacks or ciphertext attacks. This is because, respectively, it is deterministic (encrypting the same message twice produces the same ciphertext) and multiplicatively homomorphic (an encrypted value can be multiplicatively modified under encryption).
Don't be concerned if the ciphertext is longer than the plaintext: this is by design, and "surely your network can handle it."
As far as cryptographic security is concerned, the general rule is that "the cipher, itself" is never what actually fails. Instead, it's something about key management. Therefore, whenever possible, use an encryption suite that handles everything ... "aye, from beginning to end" ... in standard, peer-reviewed ways. Then, implement the suite in your application precisely as is recommended. Secure communications is "ook big voodoo," and these cats know what they're talking about.
All of the currently available civilian-grade encryption systems are sincerely believed (cryptographers never say "known") to provide more-than-enough security "for civilian purposes," provided that they are deployed in precisely the right way. It matters far less "which [modern ...] cipher you pick," than that you deploy the cipher the total communications infrastructure correctly.
(Yes, "your tax dollars are at work." NSA etc. is very heavily involved in cipher system peer-review. Part of their mission is to provide support and expertise to civilian communications security and best-practices.)
Last edited by sundialsvcs; 02-28-2017 at 08:13 PM.
I found that RSA created a 256 byte message from a 10 byte input string. I was told that this is due to padding? Further read says that RSA without padding is insecure?
A ten byte encryption of a ten byte input string can be NOTHING other than character and/or bit transpositions... easily brute forced and trivial to break regardless of how clever the transposition algorithm might be.
ONE of the things that encryption does is to conceal all knowledge of the encrypted message length by padding at some point in the encryption process.
Last edited by astrogeek; 02-28-2017 at 03:49 PM.
Reason: added bits to be complete
Is there a way to use RSA and not create such a network intense load?
You encrypt only a single symmetric key with RSA, then use the symmetric algorithm to encrypt the rest of your data. No practical system uses just RSA by itself.
You encrypt only a single symmetric key with RSA, then use the symmetric algorithm to encrypt the rest of your data. No practical system uses just RSA by itself.
... and this is exactly what well-known systems such as PGP® or GPG already do [for you].
The world of crypto is fraught with traps for the earnest and well-meaning "do it yourselfer," including for example how the symmetric key is chosen, and how it is periodically changed (during a telecommunications session). All the more reason to use an industry-standard, peer-reviewed library to perform the total task of encryption and key-management.
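The two properties named in the textbook-RSA reply above (deterministic, multiplicatively homomorphic), together with the fixed ciphertext length the question asks about, shown on a toy key. This is an added example, not code from any poster in the thread; the primes, function names and sample message are assumptions chosen for illustration, and the key is far too small for real use.

```python
# Added illustration: textbook (unpadded) RSA on a toy key. Not for real use.
# P and Q are the Mersenne primes 2**61-1 and 2**89-1, chosen only so the
# example needs no prime generation; real keys use large random primes.
P, Q = 2**61 - 1, 2**89 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent (Python 3.8+)
K = (N.bit_length() + 7) // 8          # modulus length in bytes


def encrypt(message: bytes) -> bytes:
    """Textbook RSA: c = m^e mod n, serialized to exactly K bytes."""
    m = int.from_bytes(message, "big")
    if m >= N:
        raise ValueError("message does not fit under the modulus")
    return pow(m, E, N).to_bytes(K, "big")


def decrypt_int(ciphertext: bytes) -> int:
    """Return the decrypted value as an integer: m = c^d mod n."""
    return pow(int.from_bytes(ciphertext, "big"), D, N)


def multiply_under_encryption(ciphertext: bytes, factor: int) -> bytes:
    """Uses only the public key: Enc(m) * Enc(factor) mod n == Enc(m * factor)."""
    c = int.from_bytes(ciphertext, "big")
    return (c * pow(factor, E, N) % N).to_bytes(K, "big")


if __name__ == "__main__":
    msg = b"0123456789"                       # constructed 10-byte input
    m = int.from_bytes(msg, "big")
    c1, c2 = encrypt(msg), encrypt(msg)
    # Output length follows the modulus, not the input (256 bytes at 2048 bits).
    print("ciphertext bytes:", len(c1), "for", len(msg), "input bytes")
    # Same plaintext, same ciphertext: no semantic security without padding.
    print("deterministic:", c1 == c2)
    # The ciphertext was altered without the private key, yet decrypts cleanly.
    doubled = multiply_under_encryption(c1, 2)
    print("decrypts to 2*m:", decrypt_int(doubled) == 2 * m)
```

Randomized padding such as OAEP, as implemented by a peer-reviewed library, removes both properties, and the fixed per-message cost is why RSA is applied only to a short symmetric key as the later replies describe.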