Dev to El Reg: Making web pages pretty is harder than building crypto

An Australian computer scientist working in Thailand has offered his contribution to Australia's cryptography debate by creating a public-key crypto demonstrator in less than a day, using public APIs and JavaScript. Brandis.io is not a useful encryption implementation (the site itself says as much), but is a useful public …

  1. Adam 1

    > I spent way more time on [the presentation] than I did on the crypto-using code. Picking a colour scheme took longer than writing the code for generating a public/private key pair.

    Oh. We hadn't realised it was so trivial to bypass. Perhaps our efforts would be better spent helping our agencies work together on complex cases and ensuring they have the resources and manpower needed to do their job.

    -No government minister ever

  2. -tim
    Boffin

    Not even 140 characters?

    The 95 character limit is related to the limit of how much data RSA can encrypt. AES256 can encrypt 256 bits (or 32 characters) with a single key. RSA runs some mathematical operations on the data to be encrypted and the keys and the results cannot exceed 2048 bits for 2048 RSA. That limits how much data can be encrypted at once resulting in about 95 bytes depending on the keys and data.

    Secure communications typically start with creating a new random key and using a public/private cipher like RSA, DH or EC to share that key with the other side and then follow that with data encrypted with a block cipher like DES or AES so there is no limit to the message length. Early SSL often did that in weak or broken ways which is why we shouldn't be doing that anymore.

    1. Adam 1

      Re: Not even 140 characters?

      Asynchronous encryption (RSA/DH) is also horrendously slow (ballpark x10000 slower than synchronous). If you already have a shared secret, you wouldn't use asynchronous encryption (use AES instead). Its benefit is for sharing that key with a party you haven't met before over an insecure network.

      1. richardcox13

        Re: Not even 140 characters?

        > Asynchronous encryption [...]than synchronous

        I think you mean asymmetric and symmetric there.

        1. Adam 1

          Re: Not even 140 characters?

          Yes. Bloody autocarrot is having a field day.
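
The pattern raised in the thread above (a fresh random key shared with RSA, the message itself encrypted with a symmetric cipher so length is no longer limited), as an added example that is not brandis.io's code or any commenter's. It assumes Node.js's built-in `crypto` module, a 2048-bit key, RSA-OAEP with SHA-256 and AES-256-GCM; function names and sample data are constructed, and the size limit differs with other key sizes, hashes and paddings.

```javascript
// Added example: hybrid encryption with Node.js built-in crypto (assumed parameters).
const nodeCrypto = require('crypto');

// RSA-OAEP carries at most k - 2*hLen - 2 bytes (RFC 8017): k is the modulus
// size in bytes, hLen the hash output size in bytes.
function oaepMaxLen(modulusBits, hashBytes) {
  return modulusBits / 8 - 2 * hashBytes - 2;
}

const OAEP = { padding: nodeCrypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// True if RSA-OAEP on its own accepts a message of this many bytes.
function rsaAloneAccepts(publicKey, length) {
  try {
    nodeCrypto.publicEncrypt({ key: publicKey, ...OAEP }, Buffer.alloc(length, 0x41));
    return true;
  } catch (err) {
    return false; // OpenSSL rejects input that is too large for the key size
  }
}

// Sender: new AES-256 key per message; only that 32-byte key goes through RSA.
function hybridEncrypt(publicKey, plaintext) {
  const key = nodeCrypto.randomBytes(32);
  const iv = nodeCrypto.randomBytes(12); // 96-bit GCM nonce, never reused with a key
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  const ciphertext = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return {
    wrappedKey: nodeCrypto.publicEncrypt({ key: publicKey, ...OAEP }, key),
    iv, ciphertext, tag: cipher.getAuthTag(),
  };
}

// Recipient: unwrap the AES key, then decrypt. final() throws if the
// authentication tag does not verify, so tampering is detected.
function hybridDecrypt(privateKey, msg) {
  const key = nodeCrypto.privateDecrypt({ key: privateKey, ...OAEP }, msg.wrappedKey);
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, msg.iv);
  decipher.setAuthTag(msg.tag);
  return Buffer.concat([decipher.update(msg.ciphertext), decipher.final()]);
}

// Constructed key pair for the demonstration.
const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
```

With these parameters RSA alone stops at 190 bytes, while the hybrid form round-trips a message of any length and rejects modified ciphertext.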
