How to encrypt using RSA-OAEP for multiple recipient?

[rajesh-vi]

Hi,

As you know following example is explains encryption for the single public key.
https://github.com/diafygi/webcrypto-examples#rsa-oaep---encrypt

So is there any way to encrypt data for multiple public key (so multiple key owner can decrypt data using their private key).

If that is not possible using RSA-OAEP, can you please suggest way for the same?

Thanks

[ColtonProvias]

The method that you usually do multi-recipient encryption is through key agreement and key wrapping. All users end up using the same content encryption key and thus you only do the main encryption once.

Given an arbitrary amount of data and a set of public keys corresponding to the recipients:

1. Generate a symmetric content encryption key (CEK) to perform AES with.
2. Encrypt the data with your desired mode of AES.

Then for each recipient:

1. Generate an ephemeral private/public key pair.
2. Use the ephemeral private key and the recipient's public key to derive a key encryption key.
3. Wrap the content encryption key with the key encryption key that you derived.
4. Create a hash or something that contains the wrapped key and the ephemeral public key.

You then send the encrypted message with the wrapped keys and ephemeral public keys to all recipients. Each recipient tries every wrapped key/ephemeral public key pair doing key derivation and attempting decryption until successful.

In some of my projects, I implement exactly this. The encryption algorithm I use is AES-256-GCM. For PKI recipients, they are using ECDH keys, so an ephemeral ECDH key is generated for each, ECDH is performed, and the result of that is passed through SHA-256 before being used as the KEK to wrap the CEK via AES-256-KW. In some cases, the recipient is the originating user, in which case their credentials are used to derive a key via a key derivation function (currently either scrypt, pbkdf2, or Argon2id) and that is the KEK used to wrap the CEK via AES-256-KW.