PROBLEM WITH RSA ENCRYPTION

classic Classic list List threaded Threaded
6 messages Options
Reply | Threaded
Open this post in threaded view
|

PROBLEM WITH RSA ENCRYPTION

Al Sutton
Hi,

I beleive there is a problem with the RSA encryption code in that it will
drop leading zero bytes from a byte array during decryption. I have written
the following test case which, when run under v1.29, shows that the
decrypted array is missing the first zero byte of the original byte array.
 
I would be grateful if anyone could either point to an error in my code, or
let me know if this is an issue with the JCE code.

Thanks,

Al.



byte[] testBytes =
{
0x00,0x73,0x66,0x25,(byte)0xec,0x37,0x61,0x2a,0x54,(byte)0xf2,(byte)0x81,0x1
b,(byte)0xd0,(byte)0xe1,0x41,0x7f };

KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
kpg.initialize(1024);
KeyPair keys = kpg.generateKeyPair();

PrivateKey privateKey = keys.getPrivate();
PublicKey publicKey = keys.getPublic();

// Encode the test data
Cipher cipher = Cipher.getInstance(PasswordBase.V1_PASSWORD_ALGORITHM);
cipher.init(Cipher.ENCRYPT_MODE, privateKey);
byte[] encryptedData = cipher.doFinal(testBytes);

// Decode the test data
cipher = Cipher.getInstance(PasswordBase.V1_PASSWORD_ALGORITHM);
cipher.init(Cipher.DECRYPT_MODE, publicKey);
byte[] decoded = cipher.doFinal(encryptedData);

// Test for differences
for( int i = 0 ; i < decoded.length ; i++ )
{
        if( decoded[i] != testBytes[i] )
        {
                System.out.println("Difference in position "+i+", expected
"+testBytes[i]+", got "+decoded[i] );
        }
}


Reply | Threaded
Open this post in threaded view
|

RE: PROBLEM WITH RSA ENCRYPTION

Al Sutton
I've just noticed the sections which refer to the original code base. In the
original code base

PasswordBase.V1_PASSWORD_ALGORITHM = "RSA"

Regards,

Al.

-----Original Message-----
From: Al Sutton [mailto:[hidden email]]
Sent: 29 June 2005 20:21
To: [hidden email]
Subject: [dev-crypto] PROBLEM WITH RSA ENCRYPTION


Hi,

I beleive there is a problem with the RSA encryption code in that it will
drop leading zero bytes from a byte array during decryption. I have written
the following test case which, when run under v1.29, shows that the
decrypted array is missing the first zero byte of the original byte array.
 
I would be grateful if anyone could either point to an error in my code, or
let me know if this is an issue with the JCE code.

Thanks,

Al.



byte[] testBytes =
{
0x00,0x73,0x66,0x25,(byte)0xec,0x37,0x61,0x2a,0x54,(byte)0xf2,(byte)0x81,0x1
b,(byte)0xd0,(byte)0xe1,0x41,0x7f };

KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
kpg.initialize(1024);
KeyPair keys = kpg.generateKeyPair();

PrivateKey privateKey = keys.getPrivate();
PublicKey publicKey = keys.getPublic();

// Encode the test data
Cipher cipher = Cipher.getInstance(PasswordBase.V1_PASSWORD_ALGORITHM);
cipher.init(Cipher.ENCRYPT_MODE, privateKey);
byte[] encryptedData = cipher.doFinal(testBytes);

// Decode the test data
cipher = Cipher.getInstance(PasswordBase.V1_PASSWORD_ALGORITHM);
cipher.init(Cipher.DECRYPT_MODE, publicKey);
byte[] decoded = cipher.doFinal(encryptedData);

// Test for differences
for( int i = 0 ; i < decoded.length ; i++ )
{
        if( decoded[i] != testBytes[i] )
        {
                System.out.println("Difference in position "+i+", expected
"+testBytes[i]+", got "+decoded[i] );
        }
}



Reply | Threaded
Open this post in threaded view
|

Re: PROBLEM WITH RSA ENCRYPTION

Ken Ballou
Change your algorithm to "RSA/PKCS1".  "RSA" is just RSA with no
padding.  Your byte is being converted to a "bignum", and the leading
zeros are insignificant.

                                        - Ken

Al Sutton wrote:

> I've just noticed the sections which refer to the original code base. In the
> original code base
>
> PasswordBase.V1_PASSWORD_ALGORITHM = "RSA"
>
> Regards,
>
> Al.
>
> -----Original Message-----
> From: Al Sutton [mailto:[hidden email]]
> Sent: 29 June 2005 20:21
> To: [hidden email]
> Subject: [dev-crypto] PROBLEM WITH RSA ENCRYPTION
>
>
> Hi,
>
> I beleive there is a problem with the RSA encryption code in that it will
> drop leading zero bytes from a byte array during decryption. I have written
> the following test case which, when run under v1.29, shows that the
> decrypted array is missing the first zero byte of the original byte array.
>  
> I would be grateful if anyone could either point to an error in my code, or
> let me know if this is an issue with the JCE code.
>
> Thanks,
>
> Al.
>
>
>
> byte[] testBytes =
> {
> 0x00,0x73,0x66,0x25,(byte)0xec,0x37,0x61,0x2a,0x54,(byte)0xf2,(byte)0x81,0x1
> b,(byte)0xd0,(byte)0xe1,0x41,0x7f };
>
> KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
> kpg.initialize(1024);
> KeyPair keys = kpg.generateKeyPair();
>
> PrivateKey privateKey = keys.getPrivate();
> PublicKey publicKey = keys.getPublic();
>
> // Encode the test data
> Cipher cipher = Cipher.getInstance(PasswordBase.V1_PASSWORD_ALGORITHM);
> cipher.init(Cipher.ENCRYPT_MODE, privateKey);
> byte[] encryptedData = cipher.doFinal(testBytes);
>
> // Decode the test data
> cipher = Cipher.getInstance(PasswordBase.V1_PASSWORD_ALGORITHM);
> cipher.init(Cipher.DECRYPT_MODE, publicKey);
> byte[] decoded = cipher.doFinal(encryptedData);
>
> // Test for differences
> for( int i = 0 ; i < decoded.length ; i++ )
> {
> if( decoded[i] != testBytes[i] )
> {
> System.out.println("Difference in position "+i+", expected
> "+testBytes[i]+", got "+decoded[i] );
> }
> }
>
>
>

Reply | Threaded
Open this post in threaded view
|

RE: PROBLEM WITH RSA ENCRYPTION

Al Sutton
Doesn't this go against the JCE spec?

I was under the impression that encrypt and decrypt should be mirror images
of each other and therefore it should be possible to do "Original byte[] --
encrypt --> Cypher byte[] -- decrypt --> Original byte[]" with any Cipher.

Can you can point me at a spec where it says altering the original text
(specifically dropping leading bytes) during decryption is valid I'd be
grateful as it would help my understanding of the usage.

Thanks,

Al.

-----Original Message-----
From: Ken Ballou [mailto:[hidden email]]
Sent: 29 June 2005 20:39
To: [hidden email]
Subject: Re: [dev-crypto] PROBLEM WITH RSA ENCRYPTION


Change your algorithm to "RSA/PKCS1".  "RSA" is just RSA with no padding.
Your byte is being converted to a "bignum", and the leading zeros are
insignificant.

                                        - Ken

Al Sutton wrote:

> I've just noticed the sections which refer to the original code base.
> In the original code base
>
> PasswordBase.V1_PASSWORD_ALGORITHM = "RSA"
>
> Regards,
>
> Al.
>
> -----Original Message-----
> From: Al Sutton [mailto:[hidden email]]
> Sent: 29 June 2005 20:21
> To: [hidden email]
> Subject: [dev-crypto] PROBLEM WITH RSA ENCRYPTION
>
>
> Hi,
>
> I beleive there is a problem with the RSA encryption code in that it
> will drop leading zero bytes from a byte array during decryption. I
> have written the following test case which, when run under v1.29,
> shows that the decrypted array is missing the first zero byte of the
> original byte array.
>  
> I would be grateful if anyone could either point to an error in my
> code, or let me know if this is an issue with the JCE code.
>
> Thanks,
>
> Al.
>
>
>
> byte[] testBytes =
> {
>
0x00,0x73,0x66,0x25,(byte)0xec,0x37,0x61,0x2a,0x54,(byte)0xf2,(byte)0x81,0x1

> b,(byte)0xd0,(byte)0xe1,0x41,0x7f };
>
> KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
> kpg.initialize(1024);
> KeyPair keys = kpg.generateKeyPair();
>
> PrivateKey privateKey = keys.getPrivate();
> PublicKey publicKey = keys.getPublic();
>
> // Encode the test data
> Cipher cipher =
> Cipher.getInstance(PasswordBase.V1_PASSWORD_ALGORITHM);
> cipher.init(Cipher.ENCRYPT_MODE, privateKey);
> byte[] encryptedData = cipher.doFinal(testBytes);
>
> // Decode the test data
> cipher = Cipher.getInstance(PasswordBase.V1_PASSWORD_ALGORITHM);
> cipher.init(Cipher.DECRYPT_MODE, publicKey);
> byte[] decoded = cipher.doFinal(encryptedData);
>
> // Test for differences
> for( int i = 0 ; i < decoded.length ; i++ )
> {
> if( decoded[i] != testBytes[i] )
> {
> System.out.println("Difference in position "+i+", expected
> "+testBytes[i]+", got "+decoded[i] );
> }
> }
>
>
>


Reply | Threaded
Open this post in threaded view
|

Re: PROBLEM WITH RSA ENCRYPTION

Sidney Markowitz
Al Sutton wrote:
> Can you can point me at a spec where it says altering the original text
> (specifically dropping leading bytes) during decryption is valid I'd be
> grateful as it would help my understanding of the usage.

PKCS#1 v2.1 which is also RFC 3447 is the RSA spec. It defines the RSA
encrypt and decrypt operations as operating on large integers.

You can look up all the different versions of PKCS#1 on the RSA web site.
They all say the same thing in this regard.

As per the spec, the first step in encrypting or decrypting bytes using RSA
is making them into a large integer, which means that leading zeros are ignored.

In order to make it practical to encrypt and decrypt text with RSA, it is
necessary to always use a padding scheme. The padding schemes you can use
are also part of the spec. They are designed to prevent a number of possible
vulnerabilities that you can end up with if you used the RSA operation on
just any arbitrary numbers. They also ensure a leading non-zero byte which
prevents any leading zeros in the plaintext from being lost.

What it all comes down to is that RSA is not supposed to be used without an
approved padding scheme.

Also, the JCE spec says that the behaviour when you specify the encryption
algorithm but do not specify any padding is "provider dependent". Thus you
can get different results if you don't specify a padding depending on which
provider is loaded. So you should always specify a padding if just for that
reason.

 Sidney Markowitz
 http://www.sidney.com

Reply | Threaded
Open this post in threaded view
|

RE: PROBLEM WITH RSA ENCRYPTION

Al Sutton
Thanks for the explanation.

Al.

-----Original Message-----
From: Sidney Markowitz [mailto:[hidden email]]
Sent: 30 June 2005 10:46
To: Al Sutton
Cc: [hidden email]
Subject: Re: [dev-crypto] PROBLEM WITH RSA ENCRYPTION


Al Sutton wrote:
> Can you can point me at a spec where it says altering the original
> text (specifically dropping leading bytes) during decryption is valid
> I'd be grateful as it would help my understanding of the usage.

PKCS#1 v2.1 which is also RFC 3447 is the RSA spec. It defines the RSA
encrypt and decrypt operations as operating on large integers.

You can look up all the different versions of PKCS#1 on the RSA web site.
They all say the same thing in this regard.

As per the spec, the first step in encrypting or decrypting bytes using RSA
is making them into a large integer, which means that leading zeros are
ignored.

In order to make it practical to encrypt and decrypt text with RSA, it is
necessary to always use a padding scheme. The padding schemes you can use
are also part of the spec. They are designed to prevent a number of possible
vulnerabilities that you can end up with if you used the RSA operation on
just any arbitrary numbers. They also ensure a leading non-zero byte which
prevents any leading zeros in the plaintext from being lost.

What it all comes down to is that RSA is not supposed to be used without an
approved padding scheme.

Also, the JCE spec says that the behaviour when you specify the encryption
algorithm but do not specify any padding is "provider dependent". Thus you
can get different results if you don't specify a padding depending on which
provider is loaded. So you should always specify a padding if just for that
reason.

 Sidney Markowitz
 http://www.sidney.com