by CasperDern 2479 days ago
RSA is pretty easy to implement, but hard to get right: PKCS#1 v1.5 can be broken using padding attacks and should not be used. OAEP is generally recommended.

The entire RSA suite (keygen, encrypt/decrypt, padding) can be implemented in about 300 LoC [1], which is probably why there are so many of these 'walkthroughs'.

[1]: https://github.com/i404788/tiny-rsa

2 comments

Very few systems in the real world implement OAEP, and even with OAEP you have to watch out for Manger's padding oracle attack (susceptibility to which may be commented out of the JavaScript RSA you've posted here --- I'm like 50/50 on this because I've never taken the time to implement Manger because I've never been professionally asked to look at an OAEP implementation because, again, OAEP is pretty rare --- at this point, if you're designing a modern system, you're not using RSA.)
Well, TLS 1.2 still mandates PKCS 1.5:

"The RSAES-OAEP encryption scheme defined in [PKCS1] is more secure against the Bleichenbacher attack. However, for maximal compatibility with earlier versions of TLS, this specification uses the RSAES-PKCS1-v1_5 scheme." [RFC 5246, 7.4.7.1]
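The two encoding schemes the thread compares, as an added example that is not part of any comment above and not the tiny-rsa code linked in the first post. It builds the EME-PKCS1-v1_5 and EME-OAEP blocks from RFC 8017 in pure Python and decodes them again; the constructed assumptions are a hypothetical 1024-bit modulus (`K = 128` bytes, no actual RSA exponentiation is performed) and SHA-256 as the OAEP hash. The PKCS#1 v1.5 decoder shows the structural check whose pass/fail visibility is what a Bleichenbacher oracle consists of; the OAEP decoder folds every check into one flag and one error value, which is the property an implementation must keep so that Manger-style distinctions are not exposed (true constant-time behaviour additionally needs a non-Python implementation).

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed parameters: K is the byte length of a hypothetical 1024-bit RSA
# modulus. Only the encoded block that would be fed to m^e mod n is built here.
K = 128
HASH = "sha256"


def mgf1(seed: bytes, length: int, hash_name: str = HASH) -> bytes:
    """MGF1 mask generation function (RFC 8017, B.2.1)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.new(hash_name, seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def pkcs1_v15_encode(message: bytes, k: int = K) -> bytes:
    """EME-PKCS1-v1_5 type 2 block (RFC 8017, 7.2.1): 00 02 <random non-zero PS> 00 M."""
    if len(message) > k - 11:
        raise ValueError("message too long")
    ps = b""
    while len(ps) < k - len(message) - 3:
        byte = os.urandom(1)
        if byte != b"\x00":
            ps += byte
    return b"\x00\x02" + ps + b"\x00" + message


def pkcs1_v15_decode(em: bytes, k: int = K) -> bytes:
    """Parses a type 2 block (PS must be at least 8 bytes, so the separator index is >= 10).
    This format check is the hazard: any decryptor that lets a caller learn whether it
    passed (distinct error, timing, TLS alert) provides the Bleichenbacher oracle."""
    sep = em.find(b"\x00", 2)
    if len(em) != k or em[:2] != b"\x00\x02" or sep < 10:
        raise ValueError("decryption error")
    return em[sep + 1:]


def oaep_encode(message: bytes, k: int = K, label: bytes = b"",
                hash_name: str = HASH, seed: Optional[bytes] = None) -> bytes:
    """EME-OAEP encoding (RFC 8017, 7.1.1 step 2). `seed` is a parameter only so the
    example is reproducible; real code always draws it from os.urandom."""
    hlen = hashlib.new(hash_name).digest_size
    if len(message) > k - 2 * hlen - 2:
        raise ValueError("message too long")
    lhash = hashlib.new(hash_name, label).digest()
    ps = b"\x00" * (k - len(message) - 2 * hlen - 2)
    db = lhash + ps + b"\x01" + message            # k - hlen - 1 bytes
    if seed is None:
        seed = os.urandom(hlen)
    masked_db = _xor(db, mgf1(seed, k - hlen - 1, hash_name))
    masked_seed = _xor(seed, mgf1(masked_db, hlen, hash_name))
    return b"\x00" + masked_seed + masked_db


def oaep_decode(em: bytes, k: int = K, label: bytes = b"", hash_name: str = HASH) -> bytes:
    """EME-OAEP decoding (RFC 8017, 7.1.2 step 3). All conditions (leading 0x00, label
    hash, zero padding, 0x01 separator) are evaluated over the whole buffer and OR-ed
    into one flag, and a single error is raised, so the caller cannot tell which failed."""
    hlen = hashlib.new(hash_name).digest_size
    if len(em) != k or k < 2 * hlen + 2:
        raise ValueError("decryption error")
    lhash = hashlib.new(hash_name, label).digest()
    y, masked_seed, masked_db = em[0], em[1:1 + hlen], em[1 + hlen:]
    seed = _xor(masked_seed, mgf1(masked_db, hlen, hash_name))
    db = _xor(masked_db, mgf1(seed, k - hlen - 1, hash_name))
    lhash_prime, rest = db[:hlen], db[hlen:]
    sep, found, bad_pad = 0, 0, 0
    for i, b in enumerate(rest):                   # one pass, no early exit
        hit = int(b == 0x01) & (1 - found)
        bad_pad |= int(b != 0) & (1 - found) & (1 - hit)
        sep |= i * hit
        found |= hit
    bad = int(y != 0) | int(not hmac.compare_digest(lhash, lhash_prime)) | (1 - found) | bad_pad
    if bad:
        raise ValueError("decryption error")
    return rest[sep + 1:]


def oaep_accepts(em: bytes, **kw) -> bool:
    """True if `em` decodes; every failure looks identical from here."""
    try:
        oaep_decode(em, **kw)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    em = oaep_encode(b"attack at dawn", seed=bytes(32))
    print(oaep_decode(em), oaep_accepts(em, label=b"other"))
    print(pkcs1_v15_decode(pkcs1_v15_encode(b"attack at dawn")))
```

Run it directly to see both round trips; the second value printed for OAEP is `False`, because a wrong label fails exactly like a flipped bit or a missing separator.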