What padding is used by javax.crypto.Cipher for RSA

I need to decrypt messages with RSA to send them over an insecure channel, but I'm afraid of the Padding Oracle Attack, so I already asked the following questions:

As in the first question,

However, since you use a high-level cryptographic library, you have nothing to worry about. The writers of this library should have taken care of this.

I should not think about it. As far as I know, the RSA PKCS#1 v1.5 implementation is vulnerable to the Padding Oracle Attack, whereas OAEP is not (assuming it is implemented correctly).

Therefore, I want to know which padding implementation is used by javax.crypto.Cipher in Java 7.

+3
2 answers

It depends on the selected or default provider, which is what actually gets used when you create the Cipher instance without fully qualifying it:

 Cipher.getInstance("RSA") 

This is bad practice because if you switch Java implementations, there may be different defaults and you will suddenly not be compatible with old ciphertexts. Always fully qualify the cipher.

As I said, the default is likely (there are many providers, you can't be sure) to be PKCS#1 v1.5. If you need something else, you must specify it. If you want to use OAEP, here is the full cipher string from here:

 Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding"); 
+6

That is not good advice given in the first link to the cryptography site. You should never rely on the defaults of a cryptographic library for cryptographic algorithms. There are many reasons for this:

  • Different implementations, different defaults (there are no requirements on defaults for cryptography providers, although most copy the Oracle/Sun defaults);
  • What is secure now cannot be assumed to be secure tomorrow, and because of backward compatibility you can never change the default;
  • It is unclear to anyone reading your software what the default is (you can document it, but in that case you might as well just write it out).

The SunJCEProvider supplied by Oracle defaults to PKCS#1 padding ("PKCS1Padding") for historical reasons (see reason #2 above). This is poorly documented.

At the time the default was set, you basically had only insecure textbook RSA ("NoPadding") and PKCS#1 v1.5 ("PKCS1Padding", or RSAES-PKCS1-v1_5 in the PKCS#1 v2.1 standard). RSAES-PKCS1-v1_5 was definitely the safer choice at the time. Changing the default to OAEP now would break every RSA implementation where the default is used.

The advice from otus (in the first link in this answer) is better suited to implementing protocols in libraries than to cryptographic algorithms. In the end, you should be able to defend the security of your choices, whatever you choose.

+6
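Both answers above make the same point: an unqualified "RSA" transformation inherits whatever padding the provider chooses, so the transformation (and, for OAEP, the parameters) should be spelled out. The following is an added example written for this page, not code from the question or either answer. It assumes the stock Oracle/OpenJDK providers (SunJCE and SunRsaSign); the class and method names are mine. It shows what the unqualified transformation resolves to on the running JVM, encrypts with a fully qualified OAEP transformation, and then demonstrates that the same ciphertext cannot be recovered through the provider-default transformation, which is the "not compatible with old ciphertexts" failure the first answer describes.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.spec.MGF1ParameterSpec;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.spec.OAEPParameterSpec;
import javax.crypto.spec.PSource;

/**
 * Added example (not from the original thread): pinning RSA padding explicitly
 * versus relying on the provider default behind Cipher.getInstance("RSA").
 */
public class RsaPaddingDemo {

    // Fully qualified transformation, as recommended in both answers.
    static final String OAEP = "RSA/ECB/OAEPWithSHA-256AndMGF1Padding";

    // Pin the MGF1 digest too. In SunJCE, leaving the OAEPParameterSpec out makes
    // MGF1 default to SHA-1 even when the transformation name says SHA-256, which
    // breaks interoperability with libraries that use SHA-256 for both.
    static final OAEPParameterSpec OAEP_SHA256 = new OAEPParameterSpec(
            "SHA-256", "MGF1", MGF1ParameterSpec.SHA256, PSource.PSpecified.DEFAULT);

    // Report what the unqualified transformation resolved to on this JVM.
    // getAlgorithm() echoes the requested string, so "RSA" alone does not reveal
    // the padding; only the provider's documentation does.
    static String describeDefault() throws GeneralSecurityException {
        Cipher c = Cipher.getInstance("RSA");
        return c.getAlgorithm() + " from provider " + c.getProvider().getName();
    }

    static byte[] encryptOaep(KeyPair kp, byte[] plaintext) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance(OAEP);
        c.init(Cipher.ENCRYPT_MODE, kp.getPublic(), OAEP_SHA256);
        return c.doFinal(plaintext);
    }

    static byte[] decryptOaep(KeyPair kp, byte[] ciphertext) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance(OAEP);
        c.init(Cipher.DECRYPT_MODE, kp.getPrivate(), OAEP_SHA256);
        return c.doFinal(ciphertext);
    }

    // Try to recover OAEP ciphertext through the provider-default transformation.
    // With a PKCS1Padding default this normally throws BadPaddingException; on the
    // rare occasion the v1.5 unpadding accepts the block, the bytes are still garbage,
    // so we compare against the expected plaintext rather than trusting "no exception".
    static boolean defaultTransformationRecovers(KeyPair kp, byte[] ciphertext, byte[] expected) {
        try {
            Cipher c = Cipher.getInstance("RSA");
            c.init(Cipher.DECRYPT_MODE, kp.getPrivate());
            return Arrays.equals(c.doFinal(ciphertext), expected);
        } catch (GeneralSecurityException e) {
            return false;
        }
    }

    public static void main(String[] args) throws GeneralSecurityException {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();

        System.out.println("Cipher.getInstance(\"RSA\") resolved to: " + describeDefault());

        // Constructed sample message for the demonstration.
        byte[] msg = "constructed sample message".getBytes(StandardCharsets.UTF_8);
        byte[] ct = encryptOaep(kp, msg);

        System.out.println("OAEP round trip ok: " + Arrays.equals(decryptOaep(kp, ct), msg));
        System.out.println("Unqualified \"RSA\" recovers OAEP ciphertext: "
                + defaultTransformationRecovers(kp, ct, msg));
    }
}
```

The provider name printed by describeDefault() is the only hint the API gives about which padding "RSA" means; the transformation string itself stays "RSA". Passing the same OAEPParameterSpec on both sides is what makes the choice explicit and portable across providers, rather than depending on a default that, as the second answer notes, can never be changed for compatibility reasons.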

Source: https://habr.com/ru/post/1263682/
