[openssl-users] Can RSA_private_decrypt succeed with the wrong padding?

Viktor Dukhovni openssl-users at dukhovni.org
Wed Apr 29 17:34:23 UTC 2015

On Wed, Apr 29, 2015 at 03:42:40PM +0000, Perrow, Graeme wrote:

> Apologies for the top-post; Outlook makes it hard to do anything else.
> Here is a small C++ reproducible. I am generating a key pair, encrypting
> a small string using OAEP and decrypting using PKCS1 and expecting the
> decryption to fail.
> If I run this (on 64-bit Red Hat 6) repeatedly, the program will eventually
> fail because RSA_private_decrypt doesn't fail. I can run it hundreds of
> times successfully before it fails. I have also seen it fail on Windows
> 7.

Originally, you said the decryption used "RSA_NO_PADDING"; the code below
decrypts with "RSA_PKCS1_PADDING".

>     int output_pad = RSA_PKCS1_PADDING;
>     memset( decrypted, 0, sizeof(decrypted) );
>     size_t dec_len = RSA_private_decrypt( (int)enc_len, encrypted, decrypted,
>                                           rsa_key, output_pad );

If you generate enough OAEP samples, some of them will look like
PKCS1 padding.  Padding is *NOT* integrity protection.

An input block that resembles PKCS1 padding for encryption with a
public key looks like:

	00 02 <pseudo-random-non-zero>* 00 <data>

So, all you need is for the first two octets to be "00 02" (a 00
has an ~40% chance to follow somewhere in a sample of ~126 random
octets).  So this will happen from time to time (somewhat south of
once every 64k tries).  Encryption and decryption alone do not
provide integrity protection.
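
The format check described in the message, as an added example that is not part of the original post and is not OpenSSL's code: a simplified PKCS#1 v1.5 type 2 unpadding routine run over random-looking 128-octet blocks, once fully random and once with the first octet pinned to 00 as in an OAEP-encoded block (RFC 8017). The function names, the xorshift generator, the 128-octet block size and the trial count are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Illustrative names, not OpenSSL's API. Simplified and not constant-time.
 * Type 2 unpadding is a format check: 00 02 <8+ non-zero octets> 00 <data>.
 * Returns the data length, or -1 if the block does not parse. */
static int pkcs1_type2_unpad(const uint8_t *em, size_t k)
{
    size_t i;
    if (k < 11 || em[0] != 0x00 || em[1] != 0x02)
        return -1;
    for (i = 2; i < k && em[i] != 0x00; i++)
        ;                      /* skip the non-zero padding octets */
    if (i == k || i < 10)      /* no 00 separator, or fewer than 8 pad octets */
        return -1;
    return (int)(k - i - 1);
}

/* xorshift32, fixed seed: deterministic stand-in for random-looking octets. */
static uint32_t rng_state = 0x2545F491u;
static uint8_t next_octet(void)
{
    rng_state ^= rng_state << 13;
    rng_state ^= rng_state >> 17;
    rng_state ^= rng_state << 5;
    return (uint8_t)(rng_state >> 16);
}

/* Count how many of `trials` random k-octet blocks pass the check.
 * lead_zero pins em[0] to 00, as in an OAEP-encoded block (RFC 8017). */
static long count_accepted(long trials, size_t k, int lead_zero)
{
    uint8_t em[512];
    long hits = 0;
    if (k > sizeof em) return -1;
    for (long t = 0; t < trials; t++) {
        for (size_t i = 0; i < k; i++) em[i] = next_octet();
        if (lead_zero) em[0] = 0x00;
        if (pkcs1_type2_unpad(em, k) >= 0)
            hits++;
    }
    return hits;
}

int main(void)
{
    for (int lead = 0; lead <= 1; lead++)
        printf("lead_zero=%d: %ld accepted\n", lead, count_accepted(2000000, 128, lead));
    return 0;
}
```

A block that parses says nothing about which padding produced it, so a successful return from the unpadding step is not evidence that the ciphertext was intended for that mode.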

