tags:

views:

221

answers:

5
+5  Q: 

RSA: Encrypting message using multiple keys

Is it possible to get additional security by encrypting a message using 2 or more RSA keys?

EDIT: A few clarifications:

The context I am most interested in doing this for is encrypting a randomly generated symmetric key.

I don't want to limit the question to encrypting twice in a row; the purpose is to avoid the high computational cost of large RSA keys. Using less straightforward tactics such as breaking the message into parts and encrypting them separately should be considered as an option.

It should be assumed that getting only part of the message is acceptable.

If you know of any publications where this is discussed specifically by an expert, or algorithms that use multiple RSA keys, then please contribute.

+1  A: 

No.

If Key A is compromised than encrypted with A+B will protect against the compromise, but outside that special case, you get no additional benefit.

msw  2010-06-09 05:35:44
Does this mean that `RSA(Key1, RSA(Key2, Message))` can be unencrypted by a single `Key3`? Otherwise, I find it hard to believe that there is "no additional benefit".
Mike  2010-06-09 05:38:35
@mike: I'm pretty sure that Key3 may not exist and that if it does it has a torturous (uninvertable?) relationship with Key1 and Key2. However, I'm not a cryptologist. This is speculation based on the manner in which messages to multiple recipients are encrypted and the use of multi-factor key systems. Don't try this at home, offer void in Nebraska.
msw  2010-06-09 05:48:29
I'm positive that Key3 exists however the relationship is uninvertable. The best case is it's like trying to break RSA(Key1) where compromising part of Key1 won't help. However, Key3 likely has more bits than Key1.
Joshua  2010-06-09 23:35:19
@Joshua: Positive? Then what is it, or at least why are you positive?
GregS  2010-06-10 01:14:36
GregS: Because RSA fails the uniform zero knowledge proof, Key3 must exist (note the algorithm for Key3 is not guaranteed to be RSA). There are no weak plaintexts for RSA so the problem can't get any easier for adding more depth. QED.
Joshua  2010-06-10 01:40:05
@Joshua: That's pretty silly, of course if you allow *any algorithm* you can recover the original plaintext. The question concerns RSA.
GregS  2010-06-13 02:37:23
GregS: no it's not. I'm talking about the complexity of the attack.
Joshua  2010-06-14 01:10:52
+3  A: 
Will  2010-06-09 05:40:39
A: 

Yes!

But do not use raw encryption. Use RSA encryption schema. Instead of reencrypting the encrypted message with the second key, which might have weakening effet (I don't know), use the shared secret algorithm to split your secret in two. The shared secret algorithm make it possible to split a secret in n pieces and ensures that if an attacker manages to get n-1 pieces he knows nothing of the secret. So don't simply split the secret in two.

You can then have more then 2 RSA keys. Another powerful property of the shared secret algorithm is that it is possible to spread the secret over n pieces and require only m pieces, with m smaller than n, to recover the secret. This makes the secret recovery more robust to loss of pieces.

Look here for more information on shared secret: http://en.wikipedia.org/wiki/Shared_secret

chmike  2010-06-09 06:27:17
A: 

In additional to the answers given, it also simply doesn't work unless you do some patching. Very simply, one of the moduli must be larger than the other. If you perform RSA mod the larger modulus first and mod the smaller last you lose information and cannot guarantee successful decryption. The obvious patch is to always encrypt with the smaller modulus first. Of course, you have to perform decryption in the opposite order. Another simple patch is choose moduli that a very close together in size, so that the probability that you encounter a ciphertext that cannot be uniquely decrypted is vanishingly small.

GregS  2010-06-09 23:31:03
A: 

Composing ciphers

Say you have an encryption function E(M, K), where M is the plaintext message and K is the key. Say no known vulnerabilities exist in E.

You generate two completely unrelated keys K1 and K2.

It is guaranteed that if you compose them in the form E(E(M, K1), K2), it is impossible to actually lose security this way. If it was possible to lose security from encrypting E(M, K1), be it with K2 or any other key, the is cipher broken, because an attacker could just do E(E(M, K1), KF) where KF is any key the attacker wishes to choose.

For more info see here.

Encrypting every second block with a different key

The implications here are obvious. Assuming you are using properly composed cryptographic primitives with both encryption function:key combinations, if you encrypt every second block with a different key out of the set of two keys, the attacker can only decrypt the blocks he has the key for.

Longpoke  2010-06-20 19:32:19

related questions

Encryption in C# Web-Services
How Do You Secure database.yml?
ASP.NET LocationProvider
What do you (or your company) use for wiping a machine?
Can a proxy server cache SSL GETs? If not, would response body encryption suffice?
Java: What is the best way to SFTP a file from a server
How do I call a Flex SWF from a remote domain using Flash (AS3) ?
Best way to store a database password in a startup script / config file?
Using VM to get around VPN restrictions
Best references for secure coding practices in ASP.NET and classic ASP.
Secure Memory Allocator in C++
Resolving Session Fixation in JBoss
Best Practices for securing a REST API / web service
Defensive programming
Personal Linux web server
Block user access to internals of a site using HTTP_REFERER
Is there an Unobtrusive Captcha for web forms?
My website got hacked... What should I do?
What all do I need to escape when sending a (My)SQL query?
How do you disable browser Autocomplete on web form field / input tag?
Best .NET obfuscation tools/strategy
Are there best practices for testing security in an Agile development shop?
What is the best way to avoid SQL injection attacks?
Found a critical bug, but the company doesn't care
PHP Session Security