PKCS#1 v1.5 encryption (RSA)¶
Warning
Use PKCS#1 OAEP (RSA) instead. This module is provided only for legacy purposes.
See RFC8017 or the original RSA Labs specification .
This scheme is more properly called RSAESPKCS1v1_5
.
As an example, a sender may encrypt a secret AES key in this way:
>>> from Crypto.Cipher import PKCS1_v1_5
>>> from Crypto.PublicKey import RSA
>>> from Crypto.Random import get_random_bytes
>>>
>>> aes_key = get_random_bytes(16)
>>>
>>> rsa_key = RSA.importKey(open('pubkey.der').read())
>>> cipher = PKCS1_v1_5.new(rsa_key)
>>> ciphertext = cipher.encrypt(aes_key)
At the receiver side, decryption can be done using the private part of the RSA key:
>>> from Crypto.Random import get_random_bytes
>>>
>>> rsa_key = RSA.importKey(open('privkey.der').read())
>>>
>>> sentinel = get_random_bytes(16)
>>>
>>> cipher = PKCS1_v1_5.new(rsa_key)
>>> aes_key = cipher.decrypt(ciphertext, sentinel, expected_pt_len=16)
>>>
>>> # The AES key is the random sentinel in case of error

Crypto.Cipher.PKCS1_v1_5.
new
(key, randfunc=None)¶ Create a cipher for performing PKCS#1 v1.5 encryption or decryption.
Parameters:  key (RSA key object) – The key to use to encrypt or decrypt the message. This is a Crypto.PublicKey.RSA object. Decryption is only possible if key is a private RSA key.
 randfunc (callable) – Function that return random bytes.
The default is
Crypto.Random.get_random_bytes()
.
Returns: A cipher object PKCS115_Cipher.

class
Crypto.Cipher.PKCS1_v1_5.
PKCS115_Cipher
(key, randfunc)¶ This cipher can perform PKCS#1 v1.5 RSA encryption or decryption. Do not instantiate directly. Use
Crypto.Cipher.PKCS1_v1_5.new()
instead.
can_decrypt
()¶ Return True if this cipher object can be used for decryption.

can_encrypt
()¶ Return True if this cipher object can be used for encryption.

decrypt
(ciphertext, sentinel, expected_pt_len=0)¶ Decrypt a PKCS#1 v1.5 ciphertext.
This is the function
RSAESPKCS1V1_5DECRYPT
specified in section 7.2.2 of RFC8017.Parameters:  ciphertext (bytes/bytearray/memoryview) – The ciphertext that contains the message to recover.
 sentinel (any type) – The object to return whenever an error is detected.
 expected_pt_len (integer) – The length the plaintext is known to have, or 0 if unknown.
 Returns (byte string):
 It is either the original message or the
sentinel
(in case of an error).
Warning
PKCS#1 v1.5 decryption is intrinsically vulnerable to timing attacks (see Bleichenbacher’s attack). Use PKCS#1 OAEP instead.
This implementation attempts to mitigate the risk with some constanttime constructs. However, they are not sufficient by themselves: the type of protocol you implement and the way you handle errors make a big difference.
Specifically, you should make it very hard for the (malicious) party that submitted the ciphertext to quickly understand if decryption succeeded or not.
To this end, it is recommended that your protocol only encrypts plaintexts of fixed length (
expected_pt_len
), thatsentinel
is a random byte string of the same length, and that processing continues for as long as possible even ifsentinel
is returned (i.e. in case of incorrect decryption).

encrypt
(message)¶ Produce the PKCS#1 v1.5 encryption of a message.
This function is named
RSAESPKCS1V1_5ENCRYPT
, and it is specified in section 7.2.1 of RFC8017.Parameters: message (bytes/bytearray/memoryview) – The message to encrypt, also known as plaintext. It can be of variable length, but not longer than the RSA modulus (in bytes) minus 11. Returns: A byte string, the ciphertext in which the message is encrypted. It is as long as the RSA modulus (in bytes). Raises ValueError: If the RSA key length is not sufficiently long to deal with the given message.
