3

So I came across three padding schemes for RSA: PKCS1, PSS and OAEP. My intention here is to encrypt a file using an AES key, then encrypt the AES key with the RSA key and save the encrypted AES key along with the encrypted file. My question is which one of the padding schemes above best suits my purpose. Needless to say, security is top priority for me and using a compromised algorithm is off the table. Thanks in advance.

1 Answer

7

PKCS#1 contains 4 padding schemes, of which only 2 are suitable for encryption, but only of small data blocks (like up to a hundred bytes): the modern RSAES-OAEP, and the obsolete RSAES-PKCS1-v1_5 (whose drawbacks include being harder to guard against decryption oracle attacks on the padding). PSS, aka RSASSA-PSS, is strictly for signature.

For comfortable security, AES-GCM-SIV with a random 256-bit key encrypted per RSA-4096 using RSAES-OAEP with SHA-512 and MGF1 using SHA-512 would tick all the boxes (on crypto algorithm choices, ignoring implementation issues) except resistance to hypothetical quantum computers usable for cryptanalysis. The modern baseline would be RSA-2048 using RSAES-OAEP with SHA-256 and MGF1 using SHA-256.
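The baseline named in the answer above, sketched with Node.js's built-in `crypto` module as an added example (not code from the question or the answer). Assumptions: AES-256-GCM stands in for AES-GCM-SIV, which Node's crypto may not offer; the function names `seal`, `open` and `demo` and the sample data are constructed for illustration.

```javascript
const crypto = require('node:crypto');

// RSAES-OAEP with SHA-256; OpenSSL uses the same hash for MGF1 unless told otherwise.
const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Encrypt `data` under a fresh random 256-bit AES key, then wrap that key with RSA.
// Assumption: AES-256-GCM is used here in place of AES-GCM-SIV.
function seal(publicKey, data) {
  const key = crypto.randomBytes(32);
  const nonce = crypto.randomBytes(12); // the key is single-use, so the nonce never repeats under it
  const cipher = crypto.createCipheriv('aes-256-gcm', key, nonce);
  const ciphertext = Buffer.concat([cipher.update(data), cipher.final()]);
  return {
    wrappedKey: crypto.publicEncrypt({ key: publicKey, ...OAEP }, key),
    nonce, ciphertext, tag: cipher.getAuthTag(),
  };
}

// Returns the plaintext, or throws one generic error whatever the cause, so a
// caller cannot tell an OAEP padding failure from a GCM tag failure.
function open(privateKey, { wrappedKey, nonce, ciphertext, tag }) {
  try {
    const key = crypto.privateDecrypt({ key: privateKey, ...OAEP }, wrappedKey);
    // authTagLength pins the tag to 16 bytes so a truncated tag is rejected.
    const decipher = crypto.createDecipheriv('aes-256-gcm', key, nonce, { authTagLength: 16 });
    decipher.setAuthTag(tag);
    return Buffer.concat([decipher.update(ciphertext), decipher.final()]);
  } catch {
    throw new Error('decryption failed');
  }
}

// Constructed demo: a throwaway RSA-2048 key pair and a stand-in for the file contents.
function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const sealed = seal(publicKey, Buffer.from('constructed file contents'));
  return { sealed, privateKey, plaintext: open(privateKey, sealed).toString() };
}

console.log(demo().plaintext);
```

All four fields of the returned object (`wrappedKey`, `nonce`, `ciphertext`, `tag`) are stored alongside each other; only the RSA private key has to stay secret.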
