000027132 - RKM: Size of encrypted data and HMACs including headers

Document created by RSA Customer Support Employee on Jun 14, 2016
Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2

Article Content

Article Number: 000027132
Applies To: Key Manager Client 1.5.x
            Key Manager Client 2.1.x
            Key Manager Client 2.5.x
            Key Manager Client 2.7.x
Issue: RKM: Size of encrypted data and HMACs including headers
Notes

RKM Client 1.5.x
----------------

Field              Min   Max   Note
KeyId+separator    2     11    The length depends on the key ID; it can be as small as 1 digit, plus a null terminator
HashLen            32    32    The hash is always 256 bits (SHA-256), or 32 bytes
IV                 16    16    The initialization vector is random data for each encryption operation, and is always 16 bytes

HMAC: RKM returns Total HMAC Size = KeyID + null (byte) + HashLen (32 bytes)

          Min   Max
Binary    34    43
base64    48    60

Hashing always returns the same size result, regardless of data size. The variability in the output size comes from the KeyID (which is prepended to the data).

Encrypt: RKM returns Total Encrypted Size = KeyId + null (byte) + IV + Encrypted Blocks (in bytes)

ClearText Size            1     15    16    31    32    47    48    63
ClearText BlockSize       16    16    32    32    48    48    64    64

Min Encrypted Size        34    34    50    50    66    66    82    82
Max Encrypted Size        43    43    59    59    75    75    91    91

Min Encrypted (Base64)    48    48    68    68    88    88    112   112
Max Encrypted (Base64)    60    60    80    80    100   100   124   124

ClearText BlockSize is the block size that the cleartext is "rounded up to"; it is always a multiple of 16. As the 16, 32 and 48 columns show, a cleartext that is already a multiple of 16 gains a full extra block.


RKM Client 2.1.x - 2.5.x
------------------------

The RKM 2.1.x client has a fixed header size that includes the KeyID, IV, etc.:

                     Min   Max
V2.1 Header Size     121   121
V2.1 HMAC Header     90    90

ClearText Size            1     15    16    31    32    47    48    63
ClearText BlockSize       16    16    32    32    48    48    64    64

ClearText BlockSize is the block size that the cleartext is "rounded up to"; it is always a multiple of 16.

HMAC: RKM returns Total HMAC Size = Header + HashLen (32 bytes)

HMAC                      122   122   122   122   122   122   122   122
HMAC (Base64 Encoded)     164   164   164   164   164   164   164   164

Encrypted: RKM returns Total Encrypted Size = Header + Encrypted Blocks (in bytes)

Encrypted                 137   137   153   153   169   169   185   185
Encrypted (Base64)        184   184   204   204   228   228   248   248


The 2.5 client uses the 2.1 header format.

The size of encrypted data depends on the encryption algorithm. To start with, there is a huge difference between symmetric and asymmetric encryption. The size of data encrypted with a symmetric key is the size of the original data, plus up to an additional block for padding (8 bytes for DES, 16 bytes for AES). With symmetric encryption, the size of the key is not important. The size of data encrypted with an asymmetric key, however, is a multiple of the modulus size (the key size). These sizes do not include the RKM headers or base64 encoding.

Assuming that you are using symmetric encryption with AES, the size of the encrypted data will be the original data size, plus up to 16 bytes, plus the size of the RKM header, all multiplied by 4/3 if base64 encoded.

The RKM header sizes are:

1.5: KEYID + TERMINATOR + IV

= 2-11 bytes + 2 bytes + 16 bytes for AES

= 18-27 bytes

2.1: 121 bytes

2.7: 121 bytes (same as 2.1) + 16 bytes (for MUID instead of UUID) + (when not connected to the server and in high availability mode) 49 bytes for the originator ID = 137 - 186 bytes (usually 186)

Of course, the 2.7 header format also allows unlimited optional tags and attributes that could make it as large as you like.

See a48314 for a more detailed description of the contents of the various header formats.
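
A sizing calculator for the figures above, useful when choosing column widths for stored RKM output. This is an added example, not RSA code: the function names and the `key_id_digits` and `originator_id` parameters are assumptions for illustration, the header sizes are the ones quoted in this article, and the padding rule (an aligned cleartext gains a full block) is read off the ClearText BlockSize rows.

```python
BLOCK = 16      # AES block size and IV size, in bytes
HASH_LEN = 32   # SHA-256 digest size, in bytes

def padded_len(clear_len: int) -> int:
    # Padding always adds 1..16 bytes, so an aligned input grows by a
    # full block (16 -> 32), matching the "ClearText BlockSize" rows.
    return (clear_len // BLOCK + 1) * BLOCK

def header_len(version: str, op: str, key_id_digits: int = 10,
               originator_id: bool = True) -> int:
    """Header bytes for op 'encrypt' or 'hmac', using the article's figures."""
    if op not in ("encrypt", "hmac"):
        raise ValueError(f"unknown operation {op!r}")
    if version == "1.5":
        if not 1 <= key_id_digits <= 10:
            raise ValueError("article gives KeyId+separator as 2..11 bytes")
        # key ID digits + null byte, plus the IV when encrypting
        return key_id_digits + 1 + (BLOCK if op == "encrypt" else 0)
    if version in ("2.1", "2.5"):   # 2.5 uses the 2.1 header format
        return 121 if op == "encrypt" else 90
    if version == "2.7" and op == "encrypt":
        # 121 + 16 (MUID) + 49 (originator ID, when present). Optional tags
        # and attributes are not modelled, so this is a lower bound.
        return 121 + 16 + (49 if originator_id else 0)
    raise ValueError(f"no size data in the article for {version!r}/{op!r}")

def b64_len(raw_len: int) -> int:
    # Padded base64 without line breaks: 4 output bytes per 3 input bytes.
    return 4 * ((raw_len + 2) // 3)

def stored_size(version: str, op: str, clear_len: int = 0,
                b64: bool = False, **header_opts) -> int:
    """Total bytes RKM returns for one encrypt or HMAC result."""
    body = padded_len(clear_len) if op == "encrypt" else HASH_LEN
    raw = header_len(version, op, **header_opts) + body
    return b64_len(raw) if b64 else raw

if __name__ == "__main__":
    # Reproduce the encrypted-size rows for the article's cleartext sizes.
    for n in (1, 15, 16, 31, 32, 47, 48, 63):
        print(n,
              stored_size("1.5", "encrypt", n, key_id_digits=1),
              stored_size("1.5", "encrypt", n, key_id_digits=10),
              stored_size("2.1", "encrypt", n),
              stored_size("2.1", "encrypt", n, b64=True))
```

For column sizing, take the value at the largest expected cleartext length with the defaults (10-digit key ID for 1.5, originator ID present for 2.7).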
Legacy Article ID: a49302
