21.03.2013 Views

Problem - Kevin Tafuro

Problem - Kevin Tafuro

Problem - Kevin Tafuro

SHOW MORE
SHOW LESS

Create successful ePaper yourself

Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.

The constants that may be used to specify the type of padding to use, as well as the<br />

prototype for RSA_public_encrypt( ), are defined in the header file openssl/rsa.h. The<br />

defined constants are:<br />

RSA_PKCS1_PADDING<br />

Padding mode specified in version 1.5 of PKCS #1. This mode is in wide use,<br />

but it should only be used for compatibility. Use the EME-OAEP padding<br />

method instead.<br />

RSA_PKCS1_OAEP_PADDING<br />

EME-OAEP padding as specified in PKCS #1 Version 2.0 and later. It is what<br />

you should use for new applications.<br />

RSA_SSLV23_PADDING<br />

The SSLand TLS protocols specify a slight variant of PKCS #1 v1.5 padding.<br />

This shouldn’t be used outside the context of the SSL or TLS protocols.<br />

RSA_NO_PADDING<br />

This mode disables padding. Do not use this mode unless you’re using it to<br />

implement a known-secure padding mode.<br />

When you’re encrypting with RSA, the message you’re actually trying to encrypt is<br />

represented as an integer. The binary string you pass in is converted to an integer for<br />

you, using the algorithm described in Recipe 7.8.<br />

You can encrypt only one integer at a time with most low-level interfaces, and the<br />

OpenSSLinterface is no exception. This is part of the reason there are limits to message<br />

size. In practice, you should never need a larger message size. Instead, RSA is<br />

usually used to encrypt a temporary key for a much faster encryption algorithm, or to<br />

encrypt some other small piece of data.<br />

If there are a small number of possible plaintext inputs to RSA encryption,<br />

the attacker can figure out which plaintext was used via a dictionary<br />

attack. Therefore, make sure that there are always a reasonable<br />

number of possible plaintexts and that all plaintexts are equally likely.<br />

Again, it is best to simply encrypt a 16-byte symmetric key.<br />

If you forego padding (which is insecure; we discuss it just to explain how RSA<br />

works), the number you encrypt must be a value between 0 and n - 1, where n is the<br />

public modulus (the public key). Also, the value must be represented in the minimum<br />

number of bytes it takes to represent n. We recommend that you not do this<br />

unless you absolutely understand the security issues involved. For example, if you’re<br />

using OpenSSL, the only reason you should ever consider implementing your own<br />

padding mechanism would be if you wanted to use EME-OAEP padding with a hash<br />

algorithm stronger than SHA1, such as SHA-256. See the PKCS #1 v2.1 document<br />

for a comprehensive implementation guide for EME-OAEP padding.<br />

Performing Raw Encryption with an RSA Public Key | 335<br />

This is the Title of the Book, eMatter Edition<br />

Copyright © 2007 O’Reilly & Associates, Inc. All rights reserved.

Hooray! Your file is uploaded and ready to be published.

Saved successfully!

Ooh no, something went wrong!