[openssl-users] Can RSA_private_decrypt succeed with the wrong padding?
graeme.perrow at sap.com
Wed Apr 29 17:57:57 UTC 2015
Excellent, this is exactly the kind of information I was looking for.
Thanks very much Viktor for your help
From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf Of Viktor Dukhovni
Sent: Wednesday, April 29, 2015 1:34 PM
To: openssl-users at openssl.org
Subject: Re: [openssl-users] Can RSA_private_decrypt succeed with the wrong padding?
On Wed, Apr 29, 2015 at 03:42:40PM +0000, Perrow, Graeme wrote:
> Apologies for the top-post; Outlook makes it hard to do anything else.
> Here is a small C++ reproducible. I am generating a key pair, encrypting
> a small string using OAEP and decrypting using PKCS1 and expecting the
> decryption to fail.
> If I run this (on 64-bit Red Hat 6) repeatedly, the program will eventually
> fail because RSA_private_decrypt doesn't fail. I can run it hundreds of
> times successfully before it fails. I have also seen it fail on Windows
Originally, you said the decryption used "RSA_NO_PADDING", the code below
decrypts with "RSA_PKCS1_PADDING".
> int output_pad = RSA_PKCS1_PADDING;
> memset( decrypted, 0, sizeof(decrypted) );
> size_t dec_len = RSA_private_decrypt( (int)enc_len, encrypted, decrypted,
> rsa_key, output_pad );
If you generate enough OAEP samples, some of them will look like
PKCS1 padding. Padding is *NOT* integrity protection.
an input block that resembles PKCS1 padding for encryption with a
public key looks like:
00 02 <pseudo-random-non-zero>* 00 <data>
So, all you need is for the first two octets to be "00 02" (a 00
has an ~40% chance to follow somewhere in a sample of ~126 random
octets). So this will happen from time to time (somewhat south of
once every 64k tries). Encryption and decryption alone do not
provide integrity protection.
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
More information about the openssl-users