Re: RSA padding scheme

2012-01-26 Thread brian m. carlson
MFPA wrote:
> On Monday 23 January 2012 at 12:47:03 AM, in
> mid:20120123004703.GB10912 at crustytoothpaste.ath.cx, brian m. carlson
> wrote:
> > This is not a problem with OpenPGP because the attacker
> > never gets to see the value encrypted with RSA because
> > it's the symmetric key.
>
> Isn't that the same thing as the session key, which can be viewed
> using --show-session-key?

Yes, it is.  However, decrypting a message does not automatically
provide the session key to the user (outside of the internal
functionality of the OpenPGP implementation).  So what I'm saying is
that even if you have an oracle that will decrypt messages on demand and
provide them to the attacker, that doesn't mean that the oracle is going
to provide the session key used to decrypt that message, which you need
to conduct the attack.

Also, please, please, please don't ever CC me.  This resulted in a major
delay as I deleted the message which I am now replying to and had to
cobble it together based on the archive.  Please respect my
Mail-Followup-To and post replies only to the list.

-- 
brian m. carlson / brian with sandals: Houston, Texas, US
+1 832 623 2791 | http://www.crustytoothpaste.net/~bmc | My opinion only
OpenPGP: RSA v4 4096b: 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: RSA padding scheme

2012-01-25 Thread MFPA

Hi


On Monday 23 January 2012 at 12:47:03 AM, in
mid:20120123004703.gb10...@crustytoothpaste.ath.cx, brian m. carlson
wrote:


> This is not a problem with OpenPGP because the attacker
> never gets to see the value encrypted with RSA because
> it's the symmetric key.

Isn't that the same thing as the session key, which can be viewed
using --show-session-key?

--
Best regards

MFPA  mailto:expires2...@rocketmail.com

Always forgive your enemies; nothing annoys them so much




RSA padding scheme

2012-01-22 Thread Sergey Matveev
Greetings everyone!

As I understand it, such asymmetric ciphers as RSA and/or ElGamal require
strong padding applied before the message is encrypted. The message is of
course the one-time session key, used to encipher the actual data.

There are different versions of PKCS#1, NESSIE, OAEP and other schemes.
How can I find out which one is used? Trivial grep-ing through the
1.4.10 source code (which is the one I am using) does not help me much.

Moreover, I did not find a way the padding can be changed or specified,
for example for RSA.

I will be glad to understand what I am missing.

-- 
Happy hacking, Sergey Matveev.
[CYPHERPUNKS.RU][FSF][FSFE][EFF] fellow ..:



Re: RSA padding scheme

2012-01-22 Thread brian m. carlson
On Sun, Jan 22, 2012 at 07:48:28PM +0400, Sergey Matveev wrote:
> As I understand it, such asymmetric ciphers as RSA and/or ElGamal require
> strong padding applied before the message is encrypted. The message is of
> course the one-time session key, used to encipher the actual data.

To use them correctly and securely, yes.

> There are different versions of PKCS#1, NESSIE, OAEP and other schemes.
> How can I find out which one is used? Trivial grep-ing through the
> 1.4.10 source code (which is the one I am using) does not help me much.

GnuPG uses PKCS #1 v1.5.  This is specified in RFC 4880.

> Moreover, I did not find a way the padding can be changed or specified,
> for example for RSA.

You cannot choose a different padding scheme and remain in compliance
with the OpenPGP standard.

> I will be glad to understand what I am missing.

If the standard allowed different padding schemes, then all
implementations would have to support multiple padding schemes, which
would be burdensome without providing significantly more security.



Re: RSA padding scheme

2012-01-22 Thread Sergey Matveev
- User brian m. carlson on 2012-01-22 18:54:22 wrote:
> GnuPG uses PKCS #1 v1.5.  This is specified in RFC 4880.
> You cannot choose a different padding scheme and remain in compliance
> with the OpenPGP standard.

Ah! I see. Thank you! Now I understand.

> If the standard allowed different padding schemes, then all
> implementations would have to support multiple padding schemes, which
> would be burdensome without providing significantly more security.

Hmm, I see. However, does it really not provide much higher security?
Just theoretically, I am very interested in all of that. According to
Wikipedia, there are several kinds of attacks against plain RSA (just
some of them):
* sending ciphertext with the same e to several recipients
* no randomness
* problems with the product of two ciphertexts

So, padding should close all of those problems. As I can see, PKCS #1
1.5 just adds a random pad to satisfy length requirements. Is that
randomness sufficient to solve the above three issues? OAEP, compared to
PKCS #1 1.5, is much more mature and looks really cool with X and Y
dependent on each other.

If PKCS #1 1.5 is sufficient, then does OAEP just bring all-or-nothing
additionally? Or, because RSA's ciphertext payload is always pretty
random data (symmetric keys), does bad padding (probably) not do any
damage?



Re: RSA padding scheme

2012-01-22 Thread brian m. carlson
On Sun, Jan 22, 2012 at 11:29:54PM +0400, Sergey Matveev wrote:
> If the standard allowed different padding schemes, then all
> implementations would have to support multiple padding schemes, which
> would be burdensome without providing significantly more security.
> Hmm, I see. However, does it really not provide much higher security?
> Just theoretically, I am very interested in all of that. According to
> Wikipedia, there are several kinds of attacks against plain RSA (just
> some of them):
> * sending ciphertext with the same e to several recipients

This depends on a small message.  All secure padding schemes avoid this
problem because they pad the message so it is not small.

> * no randomness

All secure padding schemes provide this, as well.

> * problems with the product of two ciphertexts

This is not a problem with OpenPGP because the attacker never gets to
see the value encrypted with RSA because it's the symmetric key.

> So, padding should close all of those problems. As I can see, PKCS #1
> 1.5 just adds a random pad to satisfy length requirements. Is that
> randomness sufficient to solve the above three issues? OAEP, compared to
> PKCS #1 1.5, is much more mature and looks really cool with X and Y
> dependent on each other.

The existence of PGP predates the invention of OAEP by at least three
years.  So it really wasn't an option, and PKCS #1 v1.5 is not insecure,
so there's no reason to break backwards compatibility.

> If PKCS #1 1.5 is sufficient, then does OAEP just bring all-or-nothing
> additionally? Or, because RSA's ciphertext payload is always pretty
> random data (symmetric keys), does bad padding (probably) not do any
> damage?

Basically.  The issue is that if the padding is incorrect, the message
is rejected.  So the attacker can't manipulate the message without
risking corrupting the structure of the method.

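The padding the two replies above are discussing, as an added worked example (this is not code from GnuPG or from anyone in this thread): EME-PKCS1-v1_5 encoding of an OpenPGP session-key block as RFC 4880 lays it out (algorithm octet, session key, two-octet checksum), a strict decoder that returns one uniform failure for every malformed encoding, and two checks matching the points made above: the pad is random, so the same session key never encrypts to the same ciphertext twice, and a ciphertext multiplied by 2^e mod n decrypts to a value whose padding no longer parses and is therefore rejected. The RSA key is a constructed toy built from two Mersenne primes so the example runs offline and deterministically; it is far too small and too structured for real use. The function names are my own; the symmetric algorithm id 7 for AES-128 is from RFC 4880 section 9.2.

```python
import os

# Constructed toy RSA key built from two known Mersenne primes so that the
# example is deterministic and runs offline.  It is far too small and far too
# structured for real use; it only has to be big enough to hold a 16-byte
# session key plus the 11 octets of overhead that PKCS #1 v1.5 needs.
P = (1 << 127) - 1
Q = (1 << 107) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8      # modulus length in octets: 30 for this toy key

SYM_AES128 = 7                      # RFC 4880 section 9.2 symmetric algorithm id for AES-128


def session_key_block(algo, key):
    """The value OpenPGP actually pads (RFC 4880 section 5.1):
    one algorithm octet, the session key, and a two-octet checksum that is
    the sum of the session key octets modulo 65536."""
    checksum = sum(key) % 65536
    return bytes([algo]) + key + checksum.to_bytes(2, "big")


def eme_pkcs1_v15_encode(m, k):
    """EME-PKCS1-v1_5 encoding: 0x00 || 0x02 || PS || 0x00 || M, where PS is
    at least 8 random non-zero octets.  The random PS is what removes the
    'no randomness' and 'same e to several recipients' problems."""
    if len(m) > k - 11:
        raise ValueError("message too long for this modulus")
    ps = bytearray()
    while len(ps) < k - len(m) - 3:
        octet = os.urandom(1)[0]
        if octet != 0:                  # PS must not contain the 0x00 separator
            ps.append(octet)
    return b"\x00\x02" + bytes(ps) + b"\x00" + m


def eme_pkcs1_v15_decode(em, k):
    """Strict inverse of the encoder.  Every malformed encoding yields the
    same result, None, so the caller learns only 'bad padding', never which
    check failed."""
    if len(em) != k or em[0] != 0x00 or em[1] != 0x02:
        return None
    sep = em.find(b"\x00", 2)
    if sep < 10:                        # no separator, or fewer than 8 PS octets
        return None
    return em[sep + 1:]


def encrypt_session_key(algo, key):
    """RSA-encrypt a session key the way an OpenPGP PKESK packet carries it."""
    em = eme_pkcs1_v15_encode(session_key_block(algo, key), K)
    return pow(int.from_bytes(em, "big"), E, N)


def decrypt_session_key(c):
    """Return (algo, key), or None when the padding or the checksum is wrong."""
    em = pow(c, D, N).to_bytes(K, "big")
    m = eme_pkcs1_v15_decode(em, K)
    if m is None or len(m) < 3:
        return None
    algo, key, checksum = m[0], m[1:-2], int.from_bytes(m[-2:], "big")
    if sum(key) % 65536 != checksum:    # RFC 4880 checksum, same uniform failure
        return None
    return algo, key


def padding_is_randomized(key):
    """'No randomness': the same session key never gives the same ciphertext."""
    return encrypt_session_key(SYM_AES128, key) != encrypt_session_key(SYM_AES128, key)


def tampered_ciphertext_rejected(key):
    """'Product of two ciphertexts': c * 2^e mod n decrypts to 2*m, whose
    second octet is no longer 0x02, so the decoder rejects it."""
    c = encrypt_session_key(SYM_AES128, key)
    return decrypt_session_key(c * pow(2, E, N) % N) is None


if __name__ == "__main__":
    sample_key = bytes(range(16))       # constructed session key, not a real one
    print(decrypt_session_key(encrypt_session_key(SYM_AES128, sample_key)))
    print(padding_is_randomized(sample_key), tampered_ciphertext_rejected(sample_key))
```

The decoder deliberately collapses every failure (wrong leading octets, missing separator, short padding string, bad checksum) into the same None so that nothing downstream can tell the cases apart; that uniform behaviour is the property a PKCS #1 v1.5 decoder has to keep when it is exposed to untrusted ciphertexts.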


Re: RSA padding scheme

2012-01-22 Thread Sergey Matveev
- User brian m. carlson on 2012-01-23 00:47:03 wrote:
> > * sending ciphertext with the same e to several recipients
> This depends on a small message.  All secure padding schemes avoid this
> problem because they pad the message so it is not small.
> > * no randomness
> All secure padding schemes provide this, as well.
> > * problems with the product of two ciphertexts
> This is not a problem with OpenPGP because the attacker never gets to
> see the value encrypted with RSA because it's the symmetric key.

Hmm, true. Seems really pretty secure in PGP context.

> The existence of PGP predates the invention of OAEP by at least three
> years.  So it really wasn't an option, and PKCS #1 v1.5 is not insecure,
> so there's no reason to break backwards compatibility.

Yeah, agreed.

> Basically.  The issue is that if the padding is incorrect, the message
> is rejected.  So the attacker can't manipulate the message without
> risking corrupting the structure of the method.

I see. Well, thank you very much for the explanation and information!
