[openssl-users] Can RSA_private_decrypt succeed with the wrong padding?
Viktor Dukhovni
openssl-users at dukhovni.org
Wed Apr 29 17:34:23 UTC 2015

On Wed, Apr 29, 2015 at 03:42:40PM +0000, Perrow, Graeme wrote:

> Apologies for the top-post; Outlook makes it hard to do anything else.
>
> Here is a small C++ reproducible. I am generating a key pair, encrypting
> a small string using OAEP and decrypting using PKCS1 and expecting the
> decryption to fail.
>
> If I run this (on 64-bit Red Hat 6) repeatedly, the program will eventually
> fail because RSA_private_decrypt doesn't fail. I can run it hundreds of
> times successfully before it fails. I have also seen it fail on Windows
> 7.

Originally, you said the decryption used "RSA_NO_PADDING"; the code below
decrypts with "RSA_PKCS1_PADDING".

> int output_pad = RSA_PKCS1_PADDING;
> memset( decrypted, 0, sizeof(decrypted) );
> size_t dec_len = RSA_private_decrypt( (int)enc_len, encrypted, decrypted,
> rsa_key, output_pad );

If you generate enough OAEP samples, some of them will look like
PKCS1 padding. Padding is *NOT* integrity protection.

Per:

    https://tools.ietf.org/html/rfc2313#section-8.1

an input block that resembles PKCS1 padding for encryption with a
public key looks like:

    00 02 <pseudo-random-non-zero>* 00 <data>

So, all you need is for the first two octets to be "00 02" (a 00
has an ~40% chance to follow somewhere in a sample of ~126 random
octets). So this will happen from time to time (somewhat south of
once every 64k tries). Encryption and decryption alone do not
provide integrity protection.

--
Viktor.
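
Added example, not part of the original message and not OpenSSL code: a C sketch of the RFC 2313 section 8.1 block check described above, run over constructed pseudo-random blocks that are forced to begin 00 02, to count how often the remaining octets parse as padding. The 128-octet block size (a 1024-bit key), the uniformly random model of a wrong-padding decryption, and all function names are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define K 128 /* assumed block length in octets (1024-bit modulus) */

/* Parse a block as 00 02 PS 00 D (RFC 2313 section 8.1); return the
 * length of D, or -1 on failure. Not constant-time: simulation only. */
static int pkcs1_type2_parse(const unsigned char *eb, size_t k)
{
    size_t i;
    if (k < 11 || eb[0] != 0x00 || eb[1] != 0x02)
        return -1;
    for (i = 2; i < k && eb[i] != 0x00; i++)
        ; /* skip the non-zero padding string PS */
    if (i == k || i - 2 < 8) /* no 00 separator, or PS under 8 octets */
        return -1;
    return (int)(k - i - 1);
}

/* splitmix64: deterministic stand-in for wrong-padding decrypt output. */
static uint64_t next_u64(uint64_t *s)
{
    uint64_t z = (*s += 0x9E3779B97F4A7C15ULL);
    z = (z ^ (z >> 30)) * 0xBF58476D1CE4E5B9ULL;
    z = (z ^ (z >> 27)) * 0x94D049BB133111EBULL;
    return z ^ (z >> 31);
}

/* Count constructed random blocks, forced to start 00 02, that parse. */
static long count_accepted(long trials, uint64_t seed)
{
    unsigned char eb[K];
    long hits = 0;
    for (long t = 0; t < trials; t++) {
        for (size_t i = 2; i < K; i++)
            eb[i] = (unsigned char)(next_u64(&seed) >> 56);
        eb[0] = 0x00; eb[1] = 0x02;
        if (pkcs1_type2_parse(eb, K) >= 0)
            hits++;
    }
    return hits;
}

int main(void)
{
    long trials = 20000, hits = count_accepted(trials, 1);
    printf("%ld of %ld blocks starting 00 02 parse as type 2 padding\n", hits, trials);
    return 0;
}
```

A caller that needs to detect a wrong key or wrong padding has to rely on a separate integrity check over the plaintext, since a successful parse here says nothing about where the block came from.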