[raverbashing]

Actually RSA has several "gotchas", so it is not that it has held up but people have managed to work around those gotchas into a working encryption system

(Basically your data is not encrypted with RSA, you encrypt a secondary key, send it with RSA but the main encryption is AES see https://en.wikipedia.org/wiki/Transport_Layer_Security#Key_e... )

[scrapheap]

There's "gotchas" with every encryption scheme - in fact whenever TLS uses any Public Key encryption scheme it'll pair it with a Symmetric Key encryption scheme. So you could say that by your definition no Public Key encryption scheme has "held up" and they've all had to be worked round :)

There are benefits to pairing the slower Public Key schemes with a Symmetric Key encryption scheme using a session key, as you get the benefits of an Public Key encryption scheme with the performance of a Symmetric Key encryption scheme.

[fharding]

Key exchange is done for speed (symmetric key crypto is way faster than public key) and forward secrecy. It’s not done because RSA is flawed per se. We use DH instead of e.g. ElGamal encryption for the same reasons.

[raverbashing]

Yeah it's not so much of a flaw of RSA, but encrypting pure text with it for example is more complicated (and has more caveats with padding, etc) than just encrypting a fixed amount of bytes

[sk5t]

Don’t think this merits an “actually” - using a session key et al. is basic usage and does not bear on the strength of RSA itself.

[admax88qqq]

A lot of the RSA gotchas are due to trying to take implementation shortcuts either for convenience or speed.

If you don’t choose your primes truly randomly for example.

Using a secondary key and using RSA for the key share is not about avoiding RSA gotchas it’s just about performance.