PKCS#1 v1.5 encryption (RSA)


Use PKCS#1 OAEP (RSA) instead. This module is provided only for legacy purposes.

See RFC8017 or the original RSA Labs specification .

This scheme is more properly called RSAES-PKCS1-v1_5.

As an example, a sender may encrypt a secret AES key in this way:

>>> from Crypto.Cipher import PKCS1_v1_5
>>> from Crypto.PublicKey import RSA
>>> from Crypto.Random import get_random_bytes
>>> aes_key = get_random_bytes(16)
>>> rsa_key = RSA.importKey(open('pubkey.der').read())
>>> cipher =
>>> ciphertext = cipher.encrypt(aes_key)

At the receiver side, decryption can be done using the private part of the RSA key:

>>> from Crypto.Random import get_random_bytes
>>> rsa_key = RSA.importKey(open('privkey.der').read())
>>> sentinel = get_random_bytes(16)
>>> cipher =
>>> aes_key = cipher.decrypt(ciphertext, sentinel, expected_pt_len=16)
>>> # The AES key is the random sentinel in case of error, randfunc=None)

Create a cipher for performing PKCS#1 v1.5 encryption or decryption.

  • key (RSA key object) – The key to use to encrypt or decrypt the message. This is a Crypto.PublicKey.RSA object. Decryption is only possible if key is a private RSA key.
  • randfunc (callable) – Function that return random bytes. The default is Crypto.Random.get_random_bytes().

A cipher object PKCS115_Cipher.

class Crypto.Cipher.PKCS1_v1_5.PKCS115_Cipher(key, randfunc)

This cipher can perform PKCS#1 v1.5 RSA encryption or decryption. Do not instantiate directly. Use instead.


Return True if this cipher object can be used for decryption.


Return True if this cipher object can be used for encryption.

decrypt(ciphertext, sentinel, expected_pt_len=0)

Decrypt a PKCS#1 v1.5 ciphertext.

This is the function RSAES-PKCS1-V1_5-DECRYPT specified in section 7.2.2 of RFC8017.

  • ciphertext (bytes/bytearray/memoryview) – The ciphertext that contains the message to recover.
  • sentinel (any type) – The object to return whenever an error is detected.
  • expected_pt_len (integer) – The length the plaintext is known to have, or 0 if unknown.
Returns (byte string):
It is either the original message or the sentinel (in case of an error).


PKCS#1 v1.5 decryption is intrinsically vulnerable to timing attacks (see Bleichenbacher’s attack). Use PKCS#1 OAEP instead.

This implementation attempts to mitigate the risk with some constant-time constructs. However, they are not sufficient by themselves: the type of protocol you implement and the way you handle errors make a big difference.

Specifically, you should make it very hard for the (malicious) party that submitted the ciphertext to quickly understand if decryption succeeded or not.

To this end, it is recommended that your protocol only encrypts plaintexts of fixed length (expected_pt_len), that sentinel is a random byte string of the same length, and that processing continues for as long as possible even if sentinel is returned (i.e. in case of incorrect decryption).


Produce the PKCS#1 v1.5 encryption of a message.

This function is named RSAES-PKCS1-V1_5-ENCRYPT, and it is specified in section 7.2.1 of RFC8017.

Parameters:message (bytes/bytearray/memoryview) – The message to encrypt, also known as plaintext. It can be of variable length, but not longer than the RSA modulus (in bytes) minus 11.
Returns:A byte string, the ciphertext in which the message is encrypted. It is as long as the RSA modulus (in bytes).
Raises ValueError:
 If the RSA key length is not sufficiently long to deal with the given message.