paragonie / EasyRSA

Simple and Secure Wrapper for phpseclib
https://paragonie.com
MIT License

Noob Question - Why create ephemeral key and symmetrically encrypt? #7

Closed jimmykane closed 8 years ago

jimmykane commented 8 years ago

Hi there,

Great work on this repo. Though for my understanding I would like to know why, since you have a KeyPair, do you need to go into creating ephemeral keys and symmetric encryption and complicate this?

Would it not suffice just to use RSA() and the keyPair to handle encryption and decryption ?

I am asking this because the decision to support this packaged ephemeral key only brings problems, for example the php-encryption incompatible upgrade, and beats its purpose since you don't reuse the ephemeral key (for multiple KEK).

Am I missing something here?

paragonie-scott commented 8 years ago

> Would it not suffice just to use RSA() and the keyPair to handle encryption and decryption ?

Nope.

Encrypting a large amount of text (say, 128 MB) with a given public key is actually disaster-prone.

What you end up doing is slicing your message into distinct "blocks" and then encrypting each block independently. This is painfully slow, but also, it allows an attacker to trivially reorder/drop/repeat blocks at will.

In Java, this is what you get with RSA/ECB.

What EasyRSA does instead is what's called a "hybrid cryptosystem": You encrypt the message with fast symmetric encryption, then encrypt the symmetric key using RSA. This gives you the best of several worlds:

  1. You can use authenticated encryption on your actual message, without having to worry about what RSA is doing.
  2. AES-256-CTR then HMAC-SHA256 is much faster than encrypting a large amount of text with RSA.
  3. The ephemeral AES key can only be decrypted by the RSA private key, thus offering something analogous to forward secrecy (from the sender's perspective) to the message encryption.

What libsodium does in \Sodium\crypto_box_seal() is actually much easier to reason about than RSA and AES.

> I am asking this because the decision to support this packaged ephemeral key only brings problems, for example the php-encryption incompatible upgrade, and beats its purpose since you don't reuse the ephemeral key (for multiple KEK).

I'm not sure what you mean.
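The hybrid scheme described in this reply (AES-256-CTR, then HMAC-SHA256, with the ephemeral key wrapped by RSA), as an added example written in Go using only its standard library; it is not EasyRSA's code and does not reproduce its wire format. Assumed details: a fresh 64-byte secret per message split into an AES-256 key and an HMAC key, a random 16-byte CTR nonce, encrypt-then-MAC over nonce||ciphertext, and RSA-OAEP with SHA-256 for the key wrap.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

type Sealed struct{ WrappedKey, Nonce, Ciphertext, Tag []byte } // wrapped secret, CTR nonce, ciphertext, HMAC tag
// ctr runs AES-256-CTR over in; key is always 32 bytes here, so NewCipher cannot fail.
func ctr(key, nonce, in []byte) []byte {
	block, _ := aes.NewCipher(key)
	out := make([]byte, len(in))
	cipher.NewCTR(block, nonce).XORKeyStream(out, in)
	return out
}
// tag is HMAC-SHA256 over nonce||ciphertext (encrypt-then-MAC, so Open can verify before decrypting).
func tag(macKey, nonce, ct []byte) []byte {
	h := hmac.New(sha256.New, macKey)
	h.Write(nonce)
	h.Write(ct)
	return h.Sum(nil)
}
// Seal draws a fresh 64-byte secret (AES key || HMAC key) plus a 16-byte nonce per message and wraps only the secret.
func Seal(pub *rsa.PublicKey, msg []byte) (*Sealed, error) {
	buf := make([]byte, 80)
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	secret, nonce := buf[:64], buf[64:]
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, secret, nil)
	if err != nil {
		return nil, err
	}
	ct := ctr(secret[:32], nonce, msg)
	return &Sealed{wrapped, nonce, ct, tag(secret[32:], nonce, ct)}, nil
}
// Open unwraps the secret, checks the tag in constant time, then decrypts; unwrap and tag failures share one error.
func Open(priv *rsa.PrivateKey, s *Sealed) ([]byte, error) {
	secret, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, s.WrappedKey, nil)
	if err != nil || len(secret) != 64 || !hmac.Equal(tag(secret[32:], s.Nonce, s.Ciphertext), s.Tag) {
		return nil, errors.New("hybrid open failed: key unwrap or authentication error")
	}
	return ctr(secret[:32], s.Nonce, s.Ciphertext), nil
}
```

Because the secret is generated per message and never reused, two seals of the same plaintext share nothing but the recipient's public key, which is the "analogous to forward secrecy" property mentioned above.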

jimmykane commented 8 years ago

Super. This clears up most of the questions I had.

Regarding the last part:

Considering the above, the hybrid cryptosystem you mentioned broke because there are no standards (php-encryption and what it does is not a standard) on the symmetric encryption part.

I kinda feel I want to say thanks even though I had to work my \ out, because you have good quality code and I learned a lot. My 2c here.

paragonie-scott commented 8 years ago

Ah, sorry about the trouble with that.

If you need something that works without creating dependency hell, Zend\Crypt 3.1.0 offers a hybrid cryptosystem based on RSA + AES-CBC, which I personally reviewed and didn't find any vulnerabilities in it.

EasyRSA was always intended to be used with defuse v2.0.x and newer, because of a lot of subtle theoretical reasons (mostly related to birthday collision probabilities) with v1.2.1.

jimmykane commented 8 years ago

Yeah. The v1.2.1 was very bad in terms of quality, crypto and performance. Thanks for all and keep up the good work guys!