AES encrypted communication using RSA for key exchange in Go

Question

I'm trying to set up a secure communication between a Ruby Sinatra based web-backend and a Google Go application. The Go application contains the public key and initially opens the connection. It then encrypts the random generated AES with its public key and sends it to the web-backend. All upcoming (large-size) data will be encrypted using the AES key. Is this a usable approach in general?

The Go code looks like this

aesRand := make([]byte, 32)
rand.Read(aesRand)
AESBlock, _ = aes.NewCipher(aesRand)

// Encrypt AES key with RSA
data, err := rsa.EncryptPKCS1v15(rand.Reader, PubKey, aesRand)

Now the question is, is it right to encrypt and send the random bytes over the line or should I encrypt and send the AESBlock?

Thanks in advance!

Answer 1

You should encrypt and send the aesRand otherwise known as the key using RSA.

You'll also need to pass an IV depending on which crypto mode you are using.

len(KEY) + len(IV) must be less than len(PubKey) assuming you are going to encrypt them both toghether in the initial RSA transaction.

Read the docs for the rsa module carefully to note the weaknesses of each mode. You should use the DecryptPKCS1v15SessionKey to decrypt the above. Note the comment about using RSA-OAEP in new protocols.

If you are doing this as a learning experience then fine, but if this is code is to protect information which will cost real money if compromised then I'd use TLS which will do all of the above and more in a well tested framework.