PKCS#1 OAEP (RSA)

PKCS#1 OAEP is an asymmetric cipher based on RSA and the OAEP padding. It is described in RFC8017 where it is called RSAES-OAEP.

It can only encrypt messages slightly shorter than the RSA modulus (a few hundred bytes).

The following example shows how you encrypt data by means of the recipient’s public key (here assumed to be available locally in a file called public.pem):

>>> from Crypto.Cipher import PKCS1_OAEP
>>> from Crypto.PublicKey import RSA
>>>
>>> message = b'You can attack now!'
>>> key = RSA.importKey(open('public.pem').read())
>>> cipher = PKCS1_OAEP.new(key)
>>> ciphertext = cipher.encrypt(message)

The recipient uses its own private key to decrypt the message. We assume the key is stored in a file called private.pem:

>>> key = RSA.importKey(open('private.pem').read())
>>> cipher = PKCS1_OAEP.new(key)
>>> message = cipher.decrypt(ciphertext)

Warning

PKCS#1 OAEP does not guarantee authenticity of the message you decrypt. Since the public key is not secret, everybody could have created the encrypted message. Asymmetric encryption is typically paired with a digital signature.

Note

This module does not generate nor load RSA keys. Refer to the Crypto.PublicKey.RSA module.

RSA encryption protocol according to PKCS#1 OAEP

See RFC3447 or the original RSA Labs specification .

This scheme is more properly called RSAES-OAEP.

As an example, a sender may encrypt a message in this way:

>>> from Crypto.Cipher import PKCS1_OAEP
>>> from Crypto.PublicKey import RSA
>>>
>>> message = 'To be encrypted'
>>> key = RSA.importKey(open('pubkey.der').read())
>>> cipher = PKCS1_OAEP.new(key)
>>> ciphertext = cipher.encrypt(message)

At the receiver side, decryption can be done using the private part of the RSA key:

>>> key = RSA.importKey(open('privkey.der').read())
>>> cipher = PKCS1_OAP.new(key)
>>> message = cipher.decrypt(ciphertext)
undocumented:

__revision__, __package__

class Crypto.Cipher.PKCS1_OAEP.PKCS1OAEP_Cipher(key, hashAlgo, mgfunc, label)

This cipher can perform PKCS#1 v1.5 OAEP encryption or decryption.

can_decrypt()

Return True/1 if this cipher object can be used for decryption.

can_encrypt()

Return True/1 if this cipher object can be used for encryption.

decrypt(ct)

Decrypt a PKCS#1 OAEP ciphertext.

This function is named RSAES-OAEP-DECRYPT, and is specified in section 7.1.2 of RFC3447.

Parameters:
ctstring

The ciphertext that contains the message to recover.

Return:

A string, the original message.

Raise ValueError:

If the ciphertext length is incorrect, or if the decryption does not succeed.

Raise TypeError:

If the RSA key has no private half.

encrypt(message)

Produce the PKCS#1 OAEP encryption of a message.

This function is named RSAES-OAEP-ENCRYPT, and is specified in section 7.1.1 of RFC3447.

Parameters:
messagestring

The message to encrypt, also known as plaintext. It can be of variable length, but not longer than the RSA modulus (in bytes) minus 2, minus twice the hash output size.

Return:

A string, the ciphertext in which the message is encrypted. It is as long as the RSA modulus (in bytes).

Raise ValueError:

If the RSA key length is not sufficiently long to deal with the given message.

Crypto.Cipher.PKCS1_OAEP.new(key, hashAlgo=None, mgfunc=None, label=b'')

Return a cipher object PKCS1OAEP_Cipher that can be used to perform PKCS#1 OAEP encryption or decryption.

Parameters:
keyRSA key object

The key to use to encrypt or decrypt the message. This is a Crypto.PublicKey.RSA object. Decryption is only possible if key is a private RSA key.

hashAlgohash object

The hash function to use. This can be a module under Crypto.Hash or an existing hash object created from any of such modules. If not specified, Crypto.Hash.SHA (that is, SHA-1) is used.

mgfunccallable

A mask generation function that accepts two parameters: a string to use as seed, and the lenth of the mask to generate, in bytes. If not specified, the standard MGF1 is used (a safe choice).

labelstring

A label to apply to this particular encryption. If not specified, an empty string is used. Specifying a label does not improve security.

Attention:

Modify the mask generation function only if you know what you are doing. Sender and receiver must use the same one.