[openssl-users] Can RSA_private_decrypt succeed with the wrong padding?

Viktor Dukhovni openssl-users at dukhovni.org
Wed Apr 29 17:34:23 UTC 2015


On Wed, Apr 29, 2015 at 03:42:40PM +0000, Perrow, Graeme wrote:

> Apologies for the top-post; Outlook makes it hard to do anything else.
> 
> Here is a small C++ reproducible. I am generating a key pair, encrypting
> a small string using OAEP and decrypting using PKCS1 and expecting the
> decryption to fail.
> 
> If I run this (on 64-bit Red Hat 6) repeatedly, the program will eventually
> fail because RSA_private_decrypt doesn't fail. I can run it hundreds of
> times successfully before it fails. I have also seen it fail on Windows
> 7.

Originally, you said the decryption used "RSA_NO_PADDING", the code below
decrypts with "RSA_PKCS1_PADDING".

>     int output_pad = RSA_PKCS1_PADDING;
>     memset( decrypted, 0, sizeof(decrypted) );
>     size_t dec_len = RSA_private_decrypt( (int)enc_len, encrypted, decrypted,
> 					  rsa_key, output_pad );

If you generate enough OAEP samples, some of them will look like
PKCS1 padding.  Padding is *NOT* integrity protection.

Per:

    https://tools.ietf.org/html/rfc2313#section-8.1

an input block that resembles PKCS1 padding for encryption with a
public key looks like:

	00 02 <pseudo-random-non-zero>* 00 <data>

So, all you need is for the first two octets to be "00 02" (a 00
has an ~40% chance to follow somewhere in a sample of ~126 random
octets).  So this will happen from time to time (somewhat south of
once every 64k tries).  Encryption and decryption alone do not
provide integrity protection.

-- 
	Viktor.


More information about the openssl-users mailing list