4 Replies. Latest reply: Nov 9, 2012 6:09 AM by 973297

RSA and PKCS1Padding

973297 Newbie
Hi,

I was advised by a security auditor a couple of months ago to use PKCS1Padding when using RSA.
So I did find RSA/ECB/PKCS1Padding but I quickly realized from browsing around that it was better to use RSA/ECB/OAEPWithSHA1AndMGF1Padding instead.
Do you guys confirm?

Further, I was reading that the ECB mode was very weak. I am not sure which one I could replace it with when using RSA and OAEPWithSHA1AndMGF1Padding.
Thank you,

Can you please advise,
Thank you.
Elextra--
  • 1. Re: RSA and PKCS1Padding
    sabre150 Expert
    Could you cite the references that led you to conclude that you should use OAEPWithSHA1AndMGF1Padding rather than PKCS1Padding?

    When used with symmetric encryption such as AES, ECB block mode has security issues since it permits the splicing of ciphertext to create valid forged ciphertext. This is why one of the feedback block modes with a random IV is preferred for use with symmetric encryption since splicing becomes virtually impossible. The use of the random IV is important since it means that each time a cleartext is encrypted one almost certainly gets a different ciphertext which means an observer cannot tell that the same cleartext has been encrypted.

    When used with public key encryption such as RSA, ECB block mode in combination with PKCS1Padding does not have the security issues associated with ECB mode in symmetric encryption. The reason is that one normally only encrypts a single block of cleartext (so splicing is not applicable) and since PKCS1 padding uses random bytes for padding a given cleartext almost certainly encrypts to a different ciphertext each time.

    In your position, and I have been in your position, I would do exactly what the security auditor recommended and not deviate. The main reason is that if a security flaw is discovered in your system then you can argue that you are not a security expert and you followed exactly what the expert (the auditor) recommended. Of course you need to get the auditor to sign off on the design and implementation before it goes into production.
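
The behaviour described in the reply above, as an added example that is not part of the original thread: it encrypts the same cleartext twice under each transformation named in the discussion, compares the ciphertexts, and shows that only a single block is accepted per call. The class name `RsaPaddingDemo`, the 2048-bit key size and the sample message are assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.util.Arrays;
import javax.crypto.Cipher;

// Added example (hypothetical class name), not code from the thread.
public class RsaPaddingDemo {
    // The two JCE transformation strings discussed in the thread.
    static final String[] TRANSFORMS = {
        "RSA/ECB/PKCS1Padding",
        "RSA/ECB/OAEPWithSHA1AndMGF1Padding"
    };

    static byte[] run(String transform, int mode, KeyPair kp, byte[] in)
            throws GeneralSecurityException {
        Cipher c = Cipher.getInstance(transform);
        // Encrypt with the public key, decrypt with the private key.
        c.init(mode, mode == Cipher.ENCRYPT_MODE ? kp.getPublic() : kp.getPrivate());
        return c.doFinal(in);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048); // assumed key size: 256-byte modulus
        KeyPair kp = kpg.generateKeyPair();
        byte[] clear = "constructed sample message".getBytes(StandardCharsets.UTF_8);

        for (String t : TRANSFORMS) {
            byte[] c1 = run(t, Cipher.ENCRYPT_MODE, kp, clear);
            byte[] c2 = run(t, Cipher.ENCRYPT_MODE, kp, clear);
            byte[] back = run(t, Cipher.DECRYPT_MODE, kp, c1);
            System.out.println(t);
            // Random padding bytes: the two ciphertexts are compared here.
            System.out.println("  ciphertexts equal: " + Arrays.equals(c1, c2));
            System.out.println("  round trip ok:     " + Arrays.equals(clear, back));
            try {
                // A modulus-sized input leaves no room for padding, and
                // "ECB" does not split the input into further blocks.
                run(t, Cipher.ENCRYPT_MODE, kp, new byte[256]);
                System.out.println("  256-byte input accepted");
            } catch (GeneralSecurityException e) {
                System.out.println("  256-byte input rejected: "
                        + e.getClass().getSimpleName());
            }
        }
    }
}
```
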
  • 2. Re: RSA and PKCS1Padding
    973297 Newbie
    Hi,

    It's fairly clear. Thank you for your advice.

    Here is the reference regarding the OAEPWithSHA1AndMGF1Padding rather than PKCS1Padding:
    https://www.owasp.org/index.php/Digital_Signature_Implementation_in_Java

    What do you think about OAEPWithSHA1AndMGF1Padding vs. PKCS1Padding. Any insights?
    Thank you,
    Elextra --
  • 3. Re: RSA and PKCS1Padding
    sabre150 Expert
    user5427172 wrote:
    > Here is the reference regarding the OAEPWithSHA1AndMGF1Padding rather than PKCS1Padding:
    > https://www.owasp.org/index.php/Digital_Signature_Implementation_in_Java
    >
    > What do you think about OAEPWithSHA1AndMGF1Padding vs. PKCS1Padding. Any insights?

    You seem to be more concerned with dealing with digital signatures of data than with encrypting data so I may have misled you a little in my first response. When used in creating a digital signature, PKCS1 padding does not use random bytes for the padding; it uses fixed bytes. Since for signatures one is not trying to hide anything and one is trying to prove authenticity there is no need to try to hide the fact that two or more signatures relate to the same data. OAEPWithSHA1AndMGF1Padding always seems to have a random component.

    I'm quite uncomfortable with the content of https://www.owasp.org/index.php/Digital_Signature_Implementation_in_Java since I do not have access to the cited references and it is very old (it seems to have been written when JDK1.4.2 was the norm). I would not use that document to try to support any attempt to change from using PKCS1 padding to OAEPWithSHA1AndMGF1Padding. Not being a security expert and never having been involved with OAEPWithSHA1AndMGF1Padding I can offer no insights into OAEPWithSHA1AndMGF1Padding vs. PKCS1Padding.

    Once again, my advice is to stick with what the security auditor advised.

    P.S. Please don't use the source code presented in that document without a complete overhaul of its exception handling.
  • 4. Re: RSA and PKCS1Padding
    973297 Newbie
    Actually, my bad. I was so worried about my problem at hand that I did not even notice that the link was about dig. signatures as opposed to data encryption.
    You read right the first time. It was about data encryption.

    As you suggested, I will stick with RSA/ECB/PKCS1Padding as advised by the auditor.
    Thanks for your help,

    Elextra--

    Edited by: user5427172 on Nov 9, 2012 6:09 AM
