https://stackoverflow.com/questions/20455393
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
RussianYou cannot use encrypt using just AES if you've been given an RSA public key. You need to use hybrid encryption: generate a random AES key of 16, 24 or 32 bytes, then encrypt. You can keep to a zero IV if you generate a new AES key for each encryption.
The AES key itself can then be encrypted using the public key you've been given, using either OAEP or - for backwards compatibility - PKCS#1 v1.5 padding.
The default module does not seem to use padding, if I read the documentation correctly. I've found a padding/unpadding routine on pastebin, thanks go to Peter for sharing:
def pkcs7_pad(data, blocksize=16):
padlen = blocksize - len(data) % blocksize
return data + bytes([padlen]) * padlen
def pkcs7_unpad(data, blocksize=16):
if data:
padlen = data[-1]
if 0 < padlen < blocksize:
if data.endswith(bytes([padlen]) * padlen):
return data[:-padlen]
raise ValueError('incorrect padding')
Note that just encryption is not secure if you are using this over a communication channel. It is required to add a message authentication code (MAC), even if you just require confidentiality of the plaintext. Incorrect use of CBC mode encryption may make the protocol vulnerable to padding oracle attacks.
