PKCS#1 v1.5 encryption (RSA)¶
Use PKCS#1 OAEP (RSA) instead. This module is provided only for legacy purposes.
This scheme is more properly called
As an example, a sender may encrypt a secret AES key in this way:
>>> from Crypto.Cipher import PKCS1_v1_5 >>> from Crypto.PublicKey import RSA >>> from Crypto.Random import get_random_bytes >>> >>> aes_key = get_random_bytes(16) >>> >>> rsa_key = RSA.importKey(open('pubkey.der').read()) >>> cipher = PKCS1_v1_5.new(rsa_key) >>> ciphertext = cipher.encrypt(aes_key)
At the receiver side, decryption can be done using the private part of the RSA key:
>>> from Crypto.Random import get_random_bytes >>> >>> rsa_key = RSA.importKey(open('privkey.der').read()) >>> >>> sentinel = get_random_bytes(16) >>> >>> cipher = PKCS1_v1_5.new(rsa_key) >>> aes_key = cipher.decrypt(ciphertext, sentinel, expected_pt_len=16) >>> >>> # The AES key is the random sentinel in case of error
Create a cipher for performing PKCS#1 v1.5 encryption or decryption.
- key (RSA key object) – The key to use to encrypt or decrypt the message. This is a Crypto.PublicKey.RSA object. Decryption is only possible if key is a private RSA key.
- randfunc (callable) – Function that return random bytes.
The default is
A cipher object PKCS115_Cipher.
This cipher can perform PKCS#1 v1.5 RSA encryption or decryption. Do not instantiate directly. Use
Return True if this cipher object can be used for decryption.
Return True if this cipher object can be used for encryption.
decrypt(ciphertext, sentinel, expected_pt_len=0)¶
Decrypt a PKCS#1 v1.5 ciphertext.
This is the function
RSAES-PKCS1-V1_5-DECRYPTspecified in section 7.2.2 of RFC8017.
- ciphertext (bytes/bytearray/memoryview) – The ciphertext that contains the message to recover.
- sentinel (any type) – The object to return whenever an error is detected.
- expected_pt_len (integer) – The length the plaintext is known to have, or 0 if unknown.
- Returns (byte string):
- It is either the original message or the
sentinel(in case of an error).
PKCS#1 v1.5 decryption is intrinsically vulnerable to timing attacks (see Bleichenbacher’s attack). Use PKCS#1 OAEP instead.
This implementation attempts to mitigate the risk with some constant-time constructs. However, they are not sufficient by themselves: the type of protocol you implement and the way you handle errors make a big difference.
Specifically, you should make it very hard for the (malicious) party that submitted the ciphertext to quickly understand if decryption succeeded or not.
To this end, it is recommended that your protocol only encrypts plaintexts of fixed length (
sentinelis a random byte string of the same length, and that processing continues for as long as possible even if
sentinelis returned (i.e. in case of incorrect decryption).
Produce the PKCS#1 v1.5 encryption of a message.
This function is named
RSAES-PKCS1-V1_5-ENCRYPT, and it is specified in section 7.2.1 of RFC8017.
Parameters: message (bytes/bytearray/memoryview) – The message to encrypt, also known as plaintext. It can be of variable length, but not longer than the RSA modulus (in bytes) minus 11. Returns: A byte string, the ciphertext in which the message is encrypted. It is as long as the RSA modulus (in bytes). Raises ValueError: If the RSA key length is not sufficiently long to deal with the given message.