[openssl-users] Can RSA_private_decrypt succeed with the wrong padding?

Perrow, Graeme graeme.perrow at sap.com
Wed Apr 29 17:57:57 UTC 2015

Excellent, this is exactly the kind of information I was looking for.

Thanks very much Viktor for your help

-----Original Message-----
From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf Of Viktor Dukhovni
Sent: Wednesday, April 29, 2015 1:34 PM
To: openssl-users at openssl.org
Subject: Re: [openssl-users] Can RSA_private_decrypt succeed with the wrong padding?

On Wed, Apr 29, 2015 at 03:42:40PM +0000, Perrow, Graeme wrote:

> Apologies for the top-post; Outlook makes it hard to do anything else.
> Here is a small C++ reproducible. I am generating a key pair, encrypting
> a small string using OAEP and decrypting using PKCS1 and expecting the
> decryption to fail.
> If I run this (on 64-bit Red Hat 6) repeatedly, the program will eventually
> fail because RSA_private_decrypt doesn't fail. I can run it hundreds of
> times successfully before it fails. I have also seen it fail on Windows
> 7.

Originally, you said the decryption used "RSA_NO_PADDING", the code below
decrypts with "RSA_PKCS1_PADDING".

>     int output_pad = RSA_PKCS1_PADDING;
>     memset( decrypted, 0, sizeof(decrypted) );
>     size_t dec_len = RSA_private_decrypt( (int)enc_len, encrypted, decrypted,
> 					  rsa_key, output_pad );

If you generate enough OAEP samples, some of them will look like
PKCS1 padding.  Padding is *NOT* integrity protection.



an input block that resembles PKCS1 padding for encryption with a
public key looks like:

	00 02 <pseudo-random-non-zero>* 00 <data>

So, all you need is for the first two octets to be "00 02" (a 00
has an ~40% chance to follow somewhere in a sample of ~126 random
octets).  So this will happen from time to time (somewhat south of
once every 64k tries).  Encryption and decryption alone do not
provide integrity protection.

openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

More information about the openssl-users mailing list