Comments (1)
The section in question says (with our emphasis):
- Encryption (KEM+DEM)
- Generates an random secret value
- Encrypts the random secret value with your RSA public key, using PHPSecLib
(RSAES-OAEP + MGF1-SHA256)- Derives an encryption key from the secret value and its RSA-encrypted ciphertext,
using HMAC-SHA256.- Encrypts your plaintext message using defuse/php-encryption
(authenticated symmetric-key encryption)- Calculates a checksum of both encrypted values (and a version tag)
- Authentication
- Signs a message using PHPSecLib (RSASS-PSS + MGF1-SHA256)
That's the symmetric key (in bold). It's not transmitted; it must be recalculated by the recipient. In order to recalculate the same value, you must be able to decrypt the RSA ciphertext (first step), then HMAC the RSA plaintext with the RSA ciphertext. Only then can you decrypt the actual plaintext.
This strategy is an all-or-nothing derivation, which means you can't exploit padding oracles (provided the subsequent steps are constant-time).
from easyrsa.
Related Issues (16)
- Todo: Generate password-protected private keys. HOT 9
- Rethink strategy HOT 1
- Export public key HOT 1
- text removed
- RSA encryption doesn't actually use RSAES-OAEP + MGF1+SHA256(?) HOT 7
- [ISSUE] Decryption failed with Message encrypted by Public Key generated by Mailvelope HOT 4
- EasyRSA creates .rnd file in website root HOT 1
- Help to translate javascript encoding to php HOT 2
- Missing support for `phpseclib/phpseclib` v3
- Ephemeral key should be "Symmetric key agreement key" HOT 2
- Discussion: the purpose of a checksum HOT 1
- Support private key encryption, public key decryption HOT 5
- Noob Question - Why create ephemeral key and symmetrically encrypt? HOT 4
- Remove phpseclib dependency HOT 1
- Rebrand Library? HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from easyrsa.