Can one encrypt with a private key/decrypt with a public key?

臣服心动 2020-12-12 17:34

[Disclaimer: I know, if you know anything about crypto you're probably about to tell me why I'm doing it wrong - I've done enough Googling to know this seems to be the ty

7 answers
  •  时光说笑
    2020-12-12 17:59

    Nate Lawson explains here and here why you can't securely use the public key as a closely-held secret decryption key (it's a subtle point, and a mistake plenty of others have made before you, so don't feel bad!).

    Just use your public key to sign for authenticity, and a separate symmetric key for the secrecy.

    I've read enough on interesting attacks against public key systems, and RSA in particular, that I agree absolutely with this conclusion:

    Public key cryptosystems and RSA in particular are extremely fragile. Do not use them differently than they were designed.

    (That means: Encrypt with the public key, sign with the private key, and anything else is playing with fire.)

    Addendum:

    If you're interested in reducing the size of the resulting cookies, you should consider using ECDSA rather than RSA to produce the signatures - ECDSA signatures are considerably smaller than RSA signatures of an equivalent security factor.
