21.03.2013 Views

Problem - Kevin Tafuro

compute d. Without those two primes, it’s believed that the most practical way to decrypt messages is by factoring n to get p and q.

RSA is mathematically simple and elegant. Unfortunately, a straightforward implementation of RSA based directly on the math will usually fall prey to a number of attacks. RSA itself is secure, but only if it is deployed correctly, and that can be quite a challenge. Therefore, if you’re going to use RSA (and not something high-level), we strongly recommend sticking to preexisting standards. In particular, you should use a preexisting API or, at the very worst, follow PKCS #1 recommendations for deployment.

It’s important to note that using RSA properly is predicated on your having received a known-to-be-valid public key over a secure channel (otherwise, man-in-the-middle attacks are possible; see Recipe 7.1 for a discussion of this problem). Generally, secure public key distribution is done with a PKI (see Recipe 10.1 for an introduction to PKI).

From the average API’s point of view, RSA encryption is similar to standard symmetric encryption, except that there are practical limitations imposed on RSA, mainly because RSA is brutally slow compared to symmetric encryption. As a result, many libraries have two APIs for RSA encryption: one performs “raw” RSA encryption, and the other uses RSA to encrypt a temporary key, then uses that temporary key to encrypt the data you actually wanted to encrypt. Such an interface is sometimes called an enveloping interface.

As with symmetric encryption, you need to pass in relevant key material, the input buffer, and the output buffer. There will be a length associated with the input buffer, but you are probably expected to know the size of the output in advance. With OpenSSL, if you have a pointer to an RSA object x, you can call RSA_size(x) to determine the output size of an RSA encryption, measured in bytes.

When performing raw RSA encryption, you should expect there to be a small maximum message length. Generally, the maximum message length is dependent on the type of padding that you’re using.

While RSA is believed to be secure if used properly, it is very easy to use improperly. Secure padding schemes are an incredibly important part of securely deploying RSA. Note that there’s no good reason to invent your own padding format (you strongly risk messing something up, too). Instead, we recommend EME-OAEP padding (specified in PKCS #1 v2.0 or later).

There are primarily two types of padding: PKCS #1 v1.5 padding and EME-OAEP padding. The latter is specified in Version 2.0 and later of PKCS #1, and is recommended for all new applications. Use PKCS #1 v1.5 padding only for legacy systems. Do not mix padding types in a single application.
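As an added example (not code from the book or from OpenSSL), the following Python builds the EME-OAEP encoding with SHA-1 and MGF1, following the layout in PKCS #1 v2.1 (RFC 3447), to show where the maximum message length of k - 2*hLen - 2 bytes comes from. Here k stands for the modulus size in bytes (the value RSA_size(x) returns in OpenSSL), and all function names are assumptions of this example.

```python
# Added example: EME-OAEP encode/decode (RFC 3447 layout), hash = SHA-1.
import hashlib
import os

HLEN = hashlib.sha1().digest_size  # hLen = 20 bytes for SHA-1

def mgf1(seed: bytes, length: int) -> bytes:
    """MGF1 mask generation: hash seed || 4-byte counter until enough output."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha1(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def max_message_len(k: int) -> int:
    """Largest plaintext that fits a k-byte modulus under EME-OAEP."""
    return k - 2 * HLEN - 2

def oaep_encode(msg: bytes, k: int, label: bytes = b"") -> bytes:
    if len(msg) > max_message_len(k):
        raise ValueError("message too long for this modulus and padding")
    lhash = hashlib.sha1(label).digest()
    ps = b"\x00" * (max_message_len(k) - len(msg))   # zero padding string
    db = lhash + ps + b"\x01" + msg                  # k - HLEN - 1 bytes
    seed = os.urandom(HLEN)                          # fresh randomness per message
    masked_db = xor(db, mgf1(seed, len(db)))
    masked_seed = xor(seed, mgf1(masked_db, HLEN))
    return b"\x00" + masked_seed + masked_db         # exactly k bytes

def oaep_decode(em: bytes, k: int, label: bytes = b"") -> bytes:
    # Every failure raises the same error so callers cannot tell them apart.
    if len(em) != k or k < 2 * HLEN + 2:
        raise ValueError("decoding error")
    masked_seed, masked_db = em[1:1 + HLEN], em[1 + HLEN:]
    seed = xor(masked_seed, mgf1(masked_db, HLEN))
    db = xor(masked_db, mgf1(seed, len(masked_db)))
    sep = db.find(b"\x01", HLEN)                     # 0x01 separator after lHash
    ok = em[0] == 0 and db[:HLEN] == hashlib.sha1(label).digest() and sep != -1 \
        and db[HLEN:sep] == b"\x00" * (sep - HLEN)
    if not ok:
        raise ValueError("decoding error")
    return db[sep + 1:]
```

For a 1024-bit key (k = 128) this leaves 86 bytes of plaintext per RSA operation. In an application, let the library apply the padding, as recommended above.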

Performing Raw Encryption with an RSA Public Key | 333

This is the Title of the Book, eMatter Edition

Copyright © 2007 O’Reilly & Associates, Inc. All rights reserved.
