Is it safe to pass the modulus of RSA key through Java Socket connection without encryption?

Question

I'm building a server application in Java that servers clients which are built in Flash using AS3. The as3crypto library needs the modulus of the RSA key in order to do the encryption, so I was thinking to pass the modulus of the key from the server to the client. Is it safe to do that without encrypting the key?

Answer 1

First, SSL/TLS would be a better choice, since it is already a robust (TLS 1.1) protocol, and not something made up. Secondly, passing the modulus is ok. At least, it should be. If you are using RSA properly, your Modulus should be composed of two primes, each one at least 1024bits long. You only have to be really careful what exactly you pass. There are two parts of an RSA (Public Crypto System) key. One public, one private. In RSA you can only pass the product of your primes though an open channel (this provides NO authentication at ALL). Not the exponent. You can't encrypt your modulus, because then you would have to crack the second envelope and would still get to your modulus, which only shifts the problem to knowing the outer modulus.

I have to admit, using a TLS layer would make you much safer. Use something that is already there, and if you really want to have your own protocol, yes, you can pass the Modulus safely. (In most cases. Although in cryptography, there is never any guarantee that any protocol is robust)