diff --git a/mod/common/src/main/java/gjum/minecraft/mapsync/common/net/SyncClient.java b/mod/common/src/main/java/gjum/minecraft/mapsync/common/net/SyncClient.java
index 5c3f9d5..5730b8f 100644
--- a/mod/common/src/main/java/gjum/minecraft/mapsync/common/net/SyncClient.java
+++ b/mod/common/src/main/java/gjum/minecraft/mapsync/common/net/SyncClient.java
@@ -14,6 +14,9 @@ import io.netty.channel.socket.nio.NioSocketChannel;
 import io.netty.handler.codec.LengthFieldBasedFrameDecoder;
 import io.netty.handler.codec.LengthFieldPrepender;
+import java.security.spec.MGF1ParameterSpec;
+import javax.crypto.spec.OAEPParameterSpec;
+import javax.crypto.spec.PSource;
 import net.minecraft.client.Minecraft;
 import net.minecraft.client.User;
 import net.minecraft.world.level.ChunkPos;
@@ -267,7 +270,7 @@ void setUpEncryption(ChannelHandlerContext ctx, ClientboundEncryptionRequestPack
 encrypt(packet.publicKey, sharedSecret),
 encrypt(packet.publicKey, packet.verifyToken)));
 } catch (NoSuchAlgorithmException | InvalidKeyException | NoSuchPaddingException | BadPaddingException |
- IllegalBlockSizeException e) {
+ IllegalBlockSizeException | InvalidAlgorithmParameterException e) {
 shutDown();
 throw new RuntimeException(e);
 }
@@ -283,9 +286,15 @@ void setUpEncryption(ChannelHandlerContext ctx, ClientboundEncryptionRequestPack
 }
 }
- private static byte[] encrypt(PublicKey key, byte[] data) throws NoSuchPaddingException, NoSuchAlgorithmException, BadPaddingException, IllegalBlockSizeException, InvalidKeyException {
- Cipher cipher = Cipher.getInstance("RSA/ECB/PKCS1Padding");
- cipher.init(Cipher.ENCRYPT_MODE, key);
+ private static byte[] encrypt(PublicKey key, byte[] data) throws NoSuchPaddingException, NoSuchAlgorithmException, BadPaddingException, IllegalBlockSizeException, InvalidKeyException, InvalidAlgorithmParameterException {
+ Cipher cipher = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
+ // https://docs.openssl.org/master/man3/RSA_public_encrypt/#description
+ cipher.init(Cipher.ENCRYPT_MODE, key, new OAEPParameterSpec(
+ "SHA-256",
+ "MGF1",
+ new MGF1ParameterSpec("SHA-256"),
+ PSource.PSpecified.DEFAULT
+ ));
 return cipher.doFinal(data);
 }
 }
diff --git a/server/src/server.ts b/server/src/server.ts
index 73e21bf..fe2a562 100644
--- a/server/src/server.ts
+++ b/server/src/server.ts
@@ -17,7 +17,7 @@ export class TcpServer {
 server: net.Server;
 clients: Record = {};
- keyPair = crypto.generateKeyPairSync("rsa", { modulusLength: 1024 });
+ keyPair = crypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
 // precomputed for networking
 publicKeyBuffer = this.keyPair.publicKey.export({
 type: "spki",
@@ -45,7 +45,8 @@ export class TcpServer {
 return crypto.privateDecrypt(
 {
 key: this.keyPair.privateKey,
- padding: crypto.constants.RSA_PKCS1_PADDING,
+ padding: crypto.constants.RSA_PKCS1_OAEP_PADDING,
+ oaepHash: "sha256"
 },
 buf,
 );
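Review bot: The comment above `cipher.init` in `encrypt` is only a link to the OpenSSL manual and does not say why the explicit `OAEPParameterSpec` is needed. With the stock JDK provider, the `OAEPWithSHA-256AndMGF1Padding` transformation on its own keeps SHA-1 as the MGF1 digest, which would not match the server's `oaepHash: "sha256"` and would make the handshake fail to decrypt. I would replace the link with `// Set the MGF1 digest explicitly: the JDK default for this transformation is MGF1 with SHA-1, but the server uses SHA-256 for both OAEP and MGF1.` so the spec is not later removed as redundant. The predefined `MGF1ParameterSpec.SHA256` could also stand in for `new MGF1ParameterSpec("SHA-256")`.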
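Review bot: `crypto.privateDecrypt` throws when OAEP decoding fails, and the lines shown around the call in the `@@ -45,7 +45,8 @@` hunk do not catch it; the enclosing method starts and ends outside the hunk, so a handler may exist there. After this change, any client still sending PKCS#1 v1.5 ciphertext, or ciphertext sized for the old 1024-bit key, ends up on that failure path. The failure should close only that client's connection with a logged reason rather than propagate further. If no such handling exists, wrap the call at its call site in `try { ... } catch (e) { /* log and drop this client */ }`, and consider a protocol version check in the handshake so mismatched clients get a clear message.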