Comments on: Why RSA encryption padding is critical http://rdist.root.org/2009/10/06/why-rsa-encryption-padding-is-critical/ Embedded security, crypto, software protection Thu, 09 Sep 2010 12:45:32 +0000 hourly 1 http://wordpress.com/ By: A Lurker http://rdist.root.org/2009/10/06/why-rsa-encryption-padding-is-critical/#comment-5709 A Lurker Mon, 15 Feb 2010 08:46:01 +0000 http://rdist.root.org/?p=433#comment-5709 <blockquote>an attacker would have to be extremely unlucky to see a message not co-prime to the 6 non-trivial factors of A*B*C</blockquote> I would call that lucky.

an attacker would have to be extremely unlucky to see a message not co-prime to the 6 non-trivial factors of A*B*C

I would call that lucky.

]]> By: Nate Lawson http://rdist.root.org/2009/10/06/why-rsa-encryption-padding-is-critical/#comment-5382 Nate Lawson Fri, 23 Oct 2009 03:40:50 +0000 http://rdist.root.org/?p=433#comment-5382 Yes, you see the problem. This kind of mistake reveals information about the ciphertext because there is no randomized padding. This is somewhat like reusing an IV with CBC encryption -- you can see patterns in the ciphertext just like ECB. Also, see <a href="http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.33.6527" rel="nofollow">Coppersmith's attack</a> on low exponent RSA for how to recover plaintext when messages have differing padding that is predictable. Yes, you see the problem. This kind of mistake reveals information about the ciphertext because there is no randomized padding. This is somewhat like reusing an IV with CBC encryption — you can see patterns in the ciphertext just like ECB.

Also, see Coppersmith’s attack on low exponent RSA for how to recover plaintext when messages have differing padding that is predictable.

]]> By: Huh http://rdist.root.org/2009/10/06/why-rsa-encryption-padding-is-critical/#comment-5377 Huh Wed, 21 Oct 2009 04:43:08 +0000 http://rdist.root.org/?p=433#comment-5377 How can it be fatal to encrypt the same message (without padding) multiple times to the same recipient? Same message, same key, no padding == identical ciphertext, right? How can it be fatal to encrypt the same message (without padding) multiple times to the same recipient? Same message, same key, no padding == identical ciphertext, right?

]]> By: Dave http://rdist.root.org/2009/10/06/why-rsa-encryption-padding-is-critical/#comment-5368 Dave Sat, 10 Oct 2009 06:55:57 +0000 http://rdist.root.org/?p=433#comment-5368 Unfortunately in some cases the libraries need to support raw RSA for broken standards that require it. From memory the German HBCI (Home Banking Computer Interface), among other weirdness, uses unpadded RSA for example, so any crypto library that doesn't support this can't be used to implement the HBCI spec (amusing, you have to carefully check for DES weak keys before you use your unpadded RSA encryption on them :-). Having said that, saying that no *sane* implementation should be doing this is certainly valid. Unfortunately in some cases the libraries need to support raw RSA for broken standards that require it. From memory the German HBCI (Home Banking Computer Interface), among other weirdness, uses unpadded RSA for example, so any crypto library that doesn’t support this can’t be used to implement the HBCI spec (amusing, you have to carefully check for DES weak keys before you use your unpadded RSA encryption on them :-). Having said that, saying that no *sane* implementation should be doing this is certainly valid.

]]> By: kme http://rdist.root.org/2009/10/06/why-rsa-encryption-padding-is-critical/#comment-5354 kme Thu, 08 Oct 2009 03:05:57 +0000 http://rdist.root.org/?p=433#comment-5354 A good followup to this would be a list of the functions from the common crypto libraries that do bare RSA encryption or signing operations without applying padding (ie those that expect the caller to pad). "If you're calling one of these functions in your code, and you don't know what RSA padding is, go get some expert help right now.". A good followup to this would be a list of the functions from the common crypto libraries that do bare RSA encryption or signing operations without applying padding (ie those that expect the caller to pad). “If you’re calling one of these functions in your code, and you don’t know what RSA padding is, go get some expert help right now.”.

]]> By: Nate Lawson http://rdist.root.org/2009/10/06/why-rsa-encryption-padding-is-critical/#comment-5352 Nate Lawson Wed, 07 Oct 2009 15:07:48 +0000 http://rdist.root.org/?p=433#comment-5352 Joe, you are correct. I've edited the post for both your points. I couldn't think of a good name for the "nth root problem". I used your term "eth" since I didn't want to confuse the RSA parameters n and e. Also, I am using the term "field" a bit loosely in this post. Given that an attacker would have to be extremely unlucky to see a message not co-prime to the 6 non-trivial factors of A*B*C, they can treat it essentially as an integer root problem. Joe, you are correct. I’ve edited the post for both your points. I couldn’t think of a good name for the “nth root problem”. I used your term “eth” since I didn’t want to confuse the RSA parameters n and e.

Also, I am using the term “field” a bit loosely in this post. Given that an attacker would have to be extremely unlucky to see a message not co-prime to the 6 non-trivial factors of A*B*C, they can treat it essentially as an integer root problem.

]]>