21.03.2013 Views

Problem - Kevin Tafuro


compute d. Without those two primes, it’s believed that the most practical way to decrypt messages is by factoring n to get p and q.

RSA is mathematically simple and elegant. Unfortunately, a straightforward implementation of RSA based directly on the math will usually fall prey to a number of attacks. RSA itself is secure, but only if it is deployed correctly, and that can be quite a challenge. Therefore, if you’re going to use RSA (and not something high-level), we strongly recommend sticking to preexisting standards. In particular, you should use a preexisting API or, at the very worst, follow PKCS #1 recommendations for deployment.

It’s important to note that using RSA properly is predicated on your having received a known-to-be-valid public key over a secure channel (otherwise, man-in-the-middle attacks are possible; see Recipe 7.1 for a discussion of this problem). Generally, secure public key distribution is done with a PKI (see Recipe 10.1 for an introduction to PKI).

From the average API’s point of view, RSA encryption is similar to standard symmetric encryption, except that there are practical limitations imposed on RSA, mainly because RSA is brutally slow compared to symmetric encryption. As a result, many libraries have two APIs for RSA encryption: one performs “raw” RSA encryption, and the other uses RSA to encrypt a temporary key, then uses that temporary key to encrypt the data you actually wanted to encrypt. Such an interface is sometimes called an enveloping interface.

As with symmetric encryption, you need to pass in relevant key material, the input buffer, and the output buffer. There will be a length associated with the input buffer, but you are probably expected to know the size of the output in advance. With OpenSSL, if you have a pointer to an RSA object x, you can call RSA_size(x) to determine the output size of an RSA encryption, measured in bytes.

When performing raw RSA encryption, you should expect there to be a small maximum message length. Generally, the maximum message length is dependent on the type of padding that you’re using.

While RSA is believed to be secure if used properly, it is very easy to use it improperly. Secure padding schemes are an incredibly important part of securely deploying RSA. Note that there’s no good reason to invent your own padding format (you strongly risk messing something up, too). Instead, we recommend EME-OAEP padding (specified in PKCS #1 v2.0 or later).

There are primarily two types of padding: PKCS #1 v1.5 padding and EME-OAEP padding. The latter is specified in Version 2.0 and later of PKCS #1, and is recommended for all new applications. Use PKCS #1 v1.5 padding only for legacy systems. Do not mix padding types in a single application.

Performing Raw Encryption with an RSA Public Key


Copyright © 2007 O’Reilly & Associates, Inc. All rights reserved.
