PKCS7 (CMS) Encryption vs RSA Encryption
The difference between PKCS7 (CMS) encryption and RSA encryption lies in their purpose, scope, and how they handle encryption; the differences in encrypted output size are covered further below.
PKCS7 (CMS) Encryption
- Type: A data format and protocol, not an encryption algorithm itself.
- Purpose: Used for encrypting data and supporting digital signatures in a standard format.
- Mechanism:
  - PKCS7 (or CMS, Cryptographic Message Syntax) typically employs symmetric encryption (e.g., AES) for the bulk of the data.
  - A public-key algorithm (e.g., RSA or ECC) is used to encrypt the symmetric key.
- Scope: A broader encryption scheme that supports multiple recipients, signing, and encryption simultaneously.
- Use Cases:
  - Secure email (S/MIME).
  - Signing and encrypting files in a standardized format.
RSA Encryption
- Type: A specific public-key encryption algorithm.
- Purpose: Encrypts small pieces of data (or keys) using an asymmetric key pair.
- Mechanism:
  - Relies on the difficulty of factoring the product of two large prime numbers for its security.
  - A sender encrypts data with the recipient's public key, and only the recipient can decrypt it with their private key.
- Scope: Limited to key exchange, small data encryption, and digital signatures.
- Use Cases:
  - Encrypting session keys (used in hybrid encryption systems).
  - Authenticating data with digital signatures.
Encrypted Output Size
The encrypted output size for PKCS7 (CMS) and RSA differs because of the mechanisms they use and the data they handle.
1. PKCS7 (CMS) Encrypted Output Size
PKCS7 (CMS) is a protocol for encrypting and signing data. The size of the encrypted output depends on:
- Payload Size: The input data size directly impacts the output size.
- Symmetric Encryption Algorithm:
  - A symmetric encryption algorithm (e.g., AES) is typically used for the actual data.
  - The encrypted output size will generally be the size of the plaintext, padded to the block size of the symmetric cipher (e.g., AES uses 16-byte blocks).
- Overhead:
  - PKCS7 adds metadata, including encryption algorithm identifiers, key information, and additional structure, which increases the overall size.
Formula for Output Size:
Encrypted Size ≈ (Payload Size + Padding) + PKCS7 Metadata Size
Example:
- Input Data: 24 bytes
- Symmetric Cipher: AES-128 (16-byte block size)
- Padding: Up to 15 bytes
- PKCS7 Metadata: ~300–600 bytes
- Total Size: Approximately 340–640 bytes.
2. RSA Encrypted Output Size
RSA is a public-key encryption algorithm. The size of its encrypted output is fixed by the key size; the padding scheme determines how much plaintext fits in a single operation:
- Key Size: RSA encrypts a single block of data no larger than the key size, and the ciphertext is always exactly the key size. For example:
  - A 2048-bit RSA key produces a fixed output size of 256 bytes (2048 bits).
  - A 1024-bit RSA key produces a fixed output size of 128 bytes (1024 bits).
- Padding Scheme:
  - RSA uses padding schemes like PKCS#1 v1.5 or OAEP, which slightly reduce the maximum plaintext size.
  - Padding is required for security (it randomizes the input to the RSA operation) and keeps the plaintext strictly smaller than the key size.
Formula for Output Size:
Encrypted Size = Key Size in Bytes
Example:
- RSA Key: 2048 bits (256 bytes)
- Plaintext: 24 bytes
- Encrypted Size: Always 256 bytes, regardless of plaintext size.
Summary
- PKCS7 output size grows with input size due to the use of symmetric encryption and metadata overhead.
- RSA output size is fixed based on the key size, regardless of the input size. It is typically used for encrypting small pieces of data, like symmetric keys, in combination with protocols like PKCS7.
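To check these figures on a real system, here is an added example (not from the original article) that uses the openssl command line to encrypt the same 24-byte payload both as CMS EnvelopedData and with raw RSA-OAEP, then reports the output sizes; it goes beyond the article's example by also trying larger payloads to show where direct RSA stops working. It assumes the openssl CLI is on PATH and generates a throwaway self-signed test certificate for the recipient.

```shell
# Added example, not from the original article: measure CMS (PKCS7) vs raw RSA
# output sizes with the openssl CLI (assumed to be on PATH). The recipient key
# and self-signed certificate are throwaway test material generated here.
set -e
WORK="${TMPDIR:-/tmp}/cms-vs-rsa.$$"

# Throwaway 2048-bit RSA key and self-signed certificate for the recipient.
setup_recipient() {
  mkdir -p "$WORK"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=cms-vs-rsa-test" \
    -keyout "$WORK/key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1
}
cleanup() { rm -rf "$WORK"; }

# File size in bytes (wc -c pads with spaces on some systems).
bytes() { wc -c < "$1" | tr -d ' '; }

# Encrypt $1 bytes as CMS EnvelopedData (AES-128-CBC for the content, RSA to
# wrap the content key), verify a round trip, then print the DER size.
cms_size() {
  head -c "$1" /dev/zero > "$WORK/p.bin"
  openssl cms -encrypt -binary -aes128 -outform DER \
    -in "$WORK/p.bin" -out "$WORK/p.cms" "$WORK/cert.pem"
  openssl cms -decrypt -inform DER -in "$WORK/p.cms" \
    -recip "$WORK/cert.pem" -inkey "$WORK/key.pem" -out "$WORK/p.dec"
  cmp -s "$WORK/p.bin" "$WORK/p.dec" || return 1
  bytes "$WORK/p.cms"
}

# Encrypt $1 bytes directly with RSA-OAEP under the certificate's public key.
# Output is always the modulus size (256 bytes for RSA-2048); anything over
# the padded limit (214 bytes for OAEP with SHA-1) fails, so print "fail".
rsa_size() {
  head -c "$1" /dev/zero > "$WORK/p.bin"
  if openssl pkeyutl -encrypt -certin -inkey "$WORK/cert.pem" \
      -pkeyopt rsa_padding_mode:oaep -in "$WORK/p.bin" -out "$WORK/p.rsa" 2>/dev/null
  then bytes "$WORK/p.rsa"; else echo fail; fi
}

# Stand-alone run: the article's 24-byte payload plus two larger ones.
main() {
  setup_recipient
  printf 'payload_bytes cms_bytes rsa_bytes\n'
  for n in 24 200 4000; do
    printf '%s %s %s\n' "$n" "$(cms_size "$n")" "$(rsa_size "$n")"
  done
  cleanup
}
main
```

For the 24-byte payload the CMS size lands in the few-hundred-byte range quoted above (32 bytes of AES ciphertext, a 256-byte RSA-wrapped key, plus ASN.1 structure), while the RSA column stays at 256 until the payload exceeds the OAEP limit.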