
Can support no_padding encryption ?

Open ci-yuan opened this issue 4 years ago • 8 comments

I hope that I can encrypt words with a public key, but I find there isn't a no_padding scheme.

ci-yuan avatar Jul 20 '21 11:07 ci-yuan

could you describe what you want to do in more detail, I am afraid I don’t understand what you are looking for.

dignifiedquire avatar Jul 20 '21 12:07 dignifiedquire

Unless used for very specific purposes, unpadded RSA is dangerously brittle.

For example, with a low entropy plaintext, an attacker can perform brute force encryptions until they arrive at a matching ciphertext, at which point they've recovered the plaintext.

tarcieri avatar Jul 20 '21 13:07 tarcieri
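The property behind the warning above is that unpadded ("textbook") RSA is deterministic: c = m^e mod n, so one plaintext always maps to one ciphertext, and a guessable plaintext (a PIN, a short password) can be confirmed by comparison. Randomized padding (OAEP in practice) makes every encryption of the same plaintext differ. The script below is an added illustration, not code from the rsa crate or from anyone in this thread; it builds a deliberately tiny key from two Mersenne primes and a toy random-prefix padding (a stand-in for OAEP, not OAEP itself), then runs the black-box check a reviewer can apply to any `encrypt()` function: encrypt the same value several times and see whether the ciphertexts coincide.

```python
"""Added example: why unpadded RSA leaks low-entropy plaintexts, and a check
that exposes deterministic encryption.  Not part of the rsa crate."""
import secrets

# Constructed toy key from two Mersenne primes (2^61-1 and 2^89-1).
# ~150-bit modulus: far too small for real use, large enough to show the property.
P = (1 << 61) - 1
Q = (1 << 89) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (Python 3.8+ modular inverse)

MSG_BITS = 64   # plaintexts in this demo are at most 8 bytes
RAND_BITS = 64  # random prefix; MSG_BITS + RAND_BITS must stay below N.bit_length()


def textbook_encrypt(m: int) -> int:
    """Unpadded RSA: c = m^e mod n.  Deterministic: same m, same c, every time."""
    assert 0 <= m < N
    return pow(m, E, N)


def textbook_decrypt(c: int) -> int:
    return pow(c, D, N)


def padded_encrypt(m: int) -> int:
    """Toy randomized padding: fresh random bits are prepended before
    exponentiation, so repeated encryptions of one m differ.
    Stand-in for OAEP only; it carries none of OAEP's security proof."""
    assert 0 <= m < (1 << MSG_BITS)
    r = secrets.randbits(RAND_BITS)
    padded = (r << MSG_BITS) | m
    assert padded < N
    return pow(padded, E, N)


def padded_decrypt(c: int) -> int:
    padded = pow(c, D, N)
    return padded & ((1 << MSG_BITS) - 1)  # strip the random prefix


def is_deterministic(encrypt, m: int, trials: int = 8) -> bool:
    """Black-box check for any encrypt(m) -> c function.

    If repeated encryptions of one plaintext all coincide, the scheme is
    deterministic: a captured ciphertext of a guessable value can then be
    confirmed offline by comparison, which is the failure mode the thread
    describes.  A randomized scheme returns False here with overwhelming
    probability (64 random bits, 8 trials)."""
    ciphertexts = {encrypt(m) for _ in range(trials)}
    return len(ciphertexts) == 1


def int_from(s: str) -> int:
    """Encode a short string (<= 8 bytes here) as the integer RSA operates on."""
    return int.from_bytes(s.encode(), "big")


if __name__ == "__main__":
    pin = int_from("1234")  # constructed low-entropy plaintext
    print("textbook RSA deterministic:", is_deterministic(textbook_encrypt, pin))  # True
    print("padded RSA deterministic:  ", is_deterministic(padded_encrypt, pin))    # False
    assert textbook_decrypt(textbook_encrypt(pin)) == pin
    assert padded_decrypt(padded_encrypt(pin)) == pin
```

Running `is_deterministic` against a wrapper around whatever a site's client-side code produces is a quick way to confirm, without any cryptanalysis, that it has the weakness discussed in this thread; the fix on the server side is to accept an OAEP-padded ciphertext rather than a raw modular exponentiation.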

> Unless used for very specific purposes, unpadded RSA is dangerously brittle.
>
> For example, with a low entropy plaintext, an attacker can perform brute force encryptions until they arrive at a matching ciphertext, at which point they've recovered the plaintext.

Yes, I agree with what you said. Indeed I use it for a specific purpose. Now I am simulating a user logging in to a website with reqwest. And the author of the website uses unpadded RSA. Here is the encryption code of the website. (screenshot attached: 2021-07-21 130948)

ci-yuan avatar Jul 21 '21 05:07 ci-yuan

If I'm reading that correctly, it looks like it's vulnerable to exactly the sort of attack I'm describing where an attacker can brute force ciphertexts until they find one that matches.

tarcieri avatar Jul 21 '21 14:07 tarcieri

> If I'm reading that correctly, it looks like it's vulnerable to exactly the sort of attack I'm describing where an attacker can brute force ciphertexts until they find one that matches.

I guess the author of the website doesn't have enough security awareness, and the website can only be visited via VPN, so they may not pay much attention to it.

ci-yuan avatar Jul 21 '21 15:07 ci-yuan

I am not sure this is something I want to add to the library tbh. I am very sympathetic to the challenge of matching other people's code, even if it is insecure. I think the only way I would be okay with it would be an explicit feature like insecure-options or similar, which is turned off by default.

@tarcieri @str4d any thoughts?

dignifiedquire avatar Jul 26 '21 21:07 dignifiedquire

I think it would be best to avoid having an API like this. Unpadded RSA is a classical source of vulnerabilities.

tarcieri avatar Jul 26 '21 21:07 tarcieri

Thanks! I have tried to implement it and it doesn't look difficult!

ci-yuan avatar Aug 02 '21 16:08 ci-yuan

Closing for now. We could potentially provide a "hazmat" API for unpadded RSA, but that should probably be motivated by a good use case.

tarcieri avatar Apr 25 '23 03:04 tarcieri