Padding mode for RSA_private_decrypt()...

Padding mode for RSA_private_decrypt()...

by barcaroller


How can I tell what the padding mode was before I attempt to decrypt data?
For example, when I use

        RSA_private_decrypt(encsize,
                            encdata,
                            decdata,
                            privkey,
                            RSA_PKCS1_PADDING);


I sometimes (but not always) get the following error:

    error:0407106B:rsa routines:RSA_padding_check_PKCS1_type_2:block type is not 02



______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@...
Automated List Manager                           majordomo@...

Re: Padding mode for RSA_private_decrypt()...

by Mounir IDRASSI

Hi,

You simply can't guess the padding mode if you don't know it in advance.
Imagine the security consequences if this was possible : it would mean
that an attacker can have information about the clear text without
having access to the private key!!

Cheers,
--
Mounir IDRASSI
IDRIX
http://www.idrix.fr

barcaroller wrote:

> How can I tell what the padding mode was before I attempt to decrypt data.
> For example, when I use
>
>         RSA_private_decrypt(encsize,
>                             encdata,
>                             decdata,
>                             privkey,
>                             RSA_PKCS1_PADDING)
>
>
> I sometimes (but not always) get the following error:
>
>     error:0407106B:rsa routines:RSA_padding_check_PKCS1_type_2:block type is not 02

Re: Padding mode for RSA_private_decrypt()...

by barcaroller


"Mounir IDRASSI" wrote in message ...

> You simply can't guess the padding mode if you don't know it in advance.
> Imagine the security consequences if this was possible : it would mean
> that an attacker can have information about the clear text without having
> access to the private key!!

Okay, but the SSL client uses RSA_public_encrypt() with a padding value that
is unknown to the SSL server, which uses RSA_private_decrypt() later on.
How can the SSL server know in advance what padding mode the SSL client is
going to use?




Re: Padding mode for RSA_private_decrypt()...

by Michael S. Zick-4

On Sun November 8 2009, barcaroller wrote:

>
> "Mounir IDRASSI" wrote in message ...
>
> > You simply can't guess the padding mode if you don't know it in advance.
> > Imagine the security consequences if this was possible : it would mean
> > that an attacker can have information about the clear text without having
> > access to the private key!!
>
> Okay, but the SSL client uses RSA_public_encrypt() with a padding value that
> is unknown to the SSL server, which uses RSA_private_decrypt() later on.
> How can the SSL server know in advance what padding mode the SSL client is
> going to use?
>

The padding is added to the **plain text**
After decryption, the server can determine the padding present.

Mike

Re: Padding mode for RSA_private_decrypt()...

by Mounir IDRASSI

Hi,

Which version of SSL/TLS are you talking about?
To my knowledge, SSLV2, SSLV3 and TLS1.0 all use PKCS#1 Block Type 2
padding (in case of SSL V2 rollback, the last eight padding bytes are
not random and are set to 0x03 but this special case is detected at the
protocol level).

Cheers,
--
Mounir IDRASSI
IDRIX
http://www.idrix.fr

barcaroller wrote:

> "Mounir IDRASSI" wrote in message ...
>
>  
>> You simply can't guess the padding mode if you don't know it in advance.
>> Imagine the security consequences if this was possible : it would mean
>> that an attacker can have information about the clear text without having
>> access to the private key!!
>>    
>
> Okay, but the SSL client uses RSA_public_encrypt() with a padding value that
> is unknown to the SSL server, which uses RSA_private_decrypt() later on.
> How can the SSL server know in advance what padding mode the SSL client is
> going to use?

Re: Padding mode for RSA_private_decrypt()...

by barcaroller


"Mounir IDRASSI" wrote in message

> To my knowledge, SSLV2, SSLV3 and TLS1.0 all use PKCS#1 Block Type 2
> padding.

Are you sure about this?  I'm writing a server and I occasionally get the
error I reported; however, if what you are saying is true, the error may be
indicative of another problem.




Re: Padding mode for RSA_private_decrypt()...

by barcaroller


"Michael S. Zick" wrote in message

> The padding is added to the **plain text**
> After decryption, the server can determine the padding present.

I'm writing a server and I usually just call RSA_private_decrypt(...,
RSA_PKCS1_PADDING).  Everything works fine most of the time but sometimes I
get that error.  In your last sentence, did you mean that the server can
determine the padding mode?  If so, how?




Re: Padding mode for RSA_private_decrypt()...

by Dr. Stephen Henson

On Mon, Nov 09, 2009, barcaroller wrote:

>
> "Mounir IDRASSI" wrote in message
>
> > To my knowledge, SSLV2, SSLV3 and TLS1.0 all use PKCS#1 Block Type 2
> > padding.
>
> Are you sure about this?  I'm writing a server and I occasionally get the
> error I reported; however, if what you are saying is true, the error may be
> indicative of another problem.
>

Yes it is true. If the data is corrupted somehow or if there is a bug in the
RSA implementation (server or client) then you can get that error. You can get
subtle errors which only show up occasionally. If you log the received data
when you get that error you can check it with rsautl and the private key.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
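
The two points made above (the padding is only visible after decryption, and a logged block can be examined offline), as an added example that is not part of the thread or of OpenSSL's code: given a block that has already been raw-decrypted with no padding removal, it reports whether the block has the type 2 layout and whether the last eight padding bytes carry the 0x03 marker mentioned earlier in the thread. The names `classify_em` and `build_em` and the sample bytes are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
/* Offline diagnostic for a logged block after a raw (no-padding) private-key
 * decrypt; k = modulus size. Not constant-time: not for a live handshake path. */
enum em_kind { EM_NOT_TYPE2, EM_NO_SEPARATOR, EM_PAD_TOO_SHORT,
               EM_PKCS1_TYPE2, EM_SSLV23_MARKER };
static const char *em_name[] = { "block type is not 02", "no 00 separator",
    "padding shorter than 8 bytes", "PKCS#1 type 2", "type 2 + 0x03 marker" };

/* Layout: 00 02 | PS (nonzero, >= 8 bytes) | 00 | M; *msg_off = offset of M. */
enum em_kind classify_em(const unsigned char *em, size_t k, size_t *msg_off)
{
    size_t i, sep;
    if (k < 11 || em[0] != 0x00 || em[1] != 0x02)
        return EM_NOT_TYPE2;          /* typical for a corrupted ciphertext */
    for (sep = 2; sep < k && em[sep] != 0x00; sep++)
        ;                             /* find the end of PS */
    if (sep == k) return EM_NO_SEPARATOR;
    if (sep - 2 < 8) return EM_PAD_TOO_SHORT;
    *msg_off = sep + 1;
    for (i = sep - 8; i < sep; i++)   /* last eight padding bytes */
        if (em[i] != 0x03) return EM_PKCS1_TYPE2;
    return EM_SSLV23_MARKER;
}

/* Constructed sample (assumes mlen <= k - 11); 0xA5 stands in for random PS. */
void build_em(unsigned char *em, size_t k, int marker,
              const unsigned char *m, size_t mlen)
{
    size_t ps = k - 3 - mlen;
    em[0] = 0x00; em[1] = 0x02;
    memset(em + 2, 0xA5, ps);
    if (marker) memset(em + 2 + ps - 8, 0x03, 8);
    em[2 + ps] = 0x00;
    memcpy(em + 3 + ps, m, mlen);
}

int main(void)
{
    unsigned char em[64], m[16] = "constructed-key";
    size_t off = 0;
    build_em(em, sizeof em, 0, m, sizeof m);
    printf("%s\n", em_name[classify_em(em, sizeof em, &off)]);
    build_em(em, sizeof em, 1, m, sizeof m);
    printf("%s\n", em_name[classify_em(em, sizeof em, &off)]);
    em[1] = 0x7f;                     /* simulate corruption */
    printf("%s\n", em_name[classify_em(em, sizeof em, &off)]);
    return 0;
}
```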

Re: Padding mode for RSA_private_decrypt()...

by Mounir IDRASSI

Hi,

Take a look at function get_client_master_key in the file s2_srv.c, and
specifically at the line where a call to ssl_rsa_private_decrypt is made:
in it, the decision to use RSA_PKCS1_PADDING or RSA_SSLV23_PADDING is
made depending on the value of the member ssl2_rollback of the
ssl2_state_st structure. This member is set in the function
ssl23_get_client_hello in the file s23_srv, depending on the options of
the SSL options.

Cheers,
--
Mounir IDRASSI
IDRIX
http://www.idrix.fr

barcaroller wrote:

> "Michael S. Zick" wrote in message
>
>  
>> The padding is added to the **plain text**
>> After decryption, the server can determine the padding present.
>>    
>
> I'm writing a server and I usually just call RSA_private_decrypt(...,
> RSA_PKCS1_PADDING).  Everything works fine most of the time but sometimes I
> get that error.  In your last sentence, did you mean that the server can
> determine the padding mode?  If so, how?