Home | History | Annotate | Download | only in doc
      1 # RSA
      2 
      3 [TOC]
      4 
      5 ## RSA key generation
      6 
      7 **Default size:** If a library supports a key default size for RSA keys then
      8 this key size should be at least 2048 bits. This limit is based on the minimum
      9 recommendation of [NIST SP 800-57] part1 revision 4, Table 2, page 53. NIST
     10 recommends a minimal security strength of 112 bits for keys used until 2030. 112
     11 bit security strength translates to a minimal key size of 2048 bits. Other
     12 organizations recommend somewhat different sizes: [Enisa], Section 3.6 also
     13 suggests that 2048-bit RSA keys provide a security strength of about 112 bits,
     14 but recommends a security strength of 128 bits for near term systems, hence 3072
     15 bit RSA keys. [ECRYPT II], Section 13.3 suggests at least 2432 bits for new
     16 keys.
     17 
     18 All the references above clearly state that keys smaller than 2048 bits should
     19 only be used in legacy cases. Therefore, it seems wrong to use a default key
     20 size smaller than 2048 bits. If a user really wants a small RSA key then such a
     21 choice should be made by explicitly providing the desired key length during the
     22 initalization of a key pair generator.
     23 
     24 According to https://docs.oracle.com/javase/7/docs/api/javax/crypto/Cipher.html
     25 every implementation of the Java platform is required to implement RSA with both
     26 1024 and 2048 bit key sizes. Hence a 2048 bit default should not lead to
     27 compatibility problems.
     28 
     29 **Cryptographically strong random numbers:**
     30 So far the tests check that java.util.Random is not used. This needs to be
     31 extended.
     32 
     33 **Other bugs:**
     34 The public exponent e should be larger than 1 [CVE-1999-1444]
     35 
     36 ## RSA PKCS #1 v1.5 encryption
     37 
     38 PKCS #1 v1.5 padding is susceptible to adaptive chosen ciphertext attacks and
     39 hence should be avoided [B98]. The difficulty of exploiting protocols using
     40 PKCS #1 v1.5 encryption often depends on the amount of information leaked after
     41 decrypting corrupt ciphertexts. Implementations frequently leak information
     42 about the decrypted plaintext in form of error messages. The content of the
     43 error messages are extremely helpful to potential attackers. Bardou et al.
     44 [BFKLSST12] analyze the difficult of attacks based on different types of
     45 information leakage. Smart even describes an attack that only needs about 40
     46 chosen ciphertexts [S10], though in this case the encryption did not use PKCS #1
     47 padding.
     48 
     49 **Bugs**
     50 
     51 * Bouncycastle throws detailed exceptions:
     52   InvalidCipherTextException("unknown block type") or
     53   InvalidCipherTextException("block padding incorrect").
     54 
     55 <!-- the SUN provider used to include that block type -->
     56 
     57 **Tests** To test whether an implementation leaks more information than
     58 necessary a test decrypts some random ciphertexts and catches the exceptions. If
     59 the exceptions are distinguishable then the test assumes that unnecessary
     60 information about the padding is leaked.
     61 
     62 Due to the nature of unit tests not every attack can be detected this way. Some
     63 attacks require a large number of ciphertexts to be detected if random
     64 ciphertexts are used. For example Klima et al. [KPR03] describe an
     65 implementation flaw that could not be detected with our test.
     66 
     67 Timing leakages because of differences in parsing the padding can leak
     68 information (e.g. CVE-2015-7827). Such differences are too small to be reliably
     69 detectable in unit tests.
     70 
     71 ## RSA OAEP
     72 
     73 Manger describes an chosen ciphertext attack against RSA in [M01]. There are
     74 implementations that were susceptible to Mangers attack, e.g. [CVE-2012-5081].
     75 
     76 ## RSA PKCS1 signatures
     77 **Potential problems:**
     78 
     79 *   Some libraries parse PKCS#1 padding during signature verification
     80     incorrectly.
     81 *   Some libraries determine the hash function from the signature (rather than
     82     encoding this in the key) Effect:
     83 *   If the verification is buggy then an attacker might be able to generate
     84     signatures for keys with a small (i.e. e=3) public exponent.
     85 *   If the hash algorithm is not determined by in an authentic manner then
     86     preimage attacks against weak hashes are possible, even if the hashes are
     87     not used by the signer.
     88 
     89 **Countermeasures:** A good way to implement RSA signature verification is
     90 described in the standard PKCS#1 v.2.2 Section 8.2.2. This standard proposes to
     91 reconstruct the padding during verification and compare the padded hash to the
     92 value $$s^e \bmod n$$ obtained from applying a public key exponentiation to the
     93 signature s. Since this is a recurring bug it makes also a lot of sense to avoid
     94 small public exponents and prefer for example e=65537 .
     95 
     96 **List of broken implementations**
     97 This is a large list.
     98 
     99 ## References
    100 
    101 \[B98]: D. Bleichenbacher, "Chosen ciphertext attacks against protocols based on
    102 the RSA encryption standard PKCS# 1" Crypto 98
    103 
    104 \[M01]: J. Manger, "A chosen ciphertext attack on RSA optimal asymmetric
    105 encryption padding (OAEP) as standardized in PKCS# 1 v2.0", Crypto 2001 This
    106 paper shows that OAEP is susceptible to a chosen ciphertext attack if error
    107 messages distinguish between different failure condidtions. [S10]: N. Smart,
    108 "Errors matter: Breaking RSA-based PIN encryption with thirty ciphertext
    109 validity queries" RSA conference, 2010 This paper shows that padding oracle
    110 attacks can be successful with even a small number of queries.
    111 
    112 \[KPR03]: V. Klima, O. Pokorny, and T. Rosa, "Attacking RSA-based Sessions in
    113 SSL/TLS" https://eprint.iacr.org/2003/052/
    114 
    115 \[BFKLSST12]: "Efficient padding oracle attacks on cryptographic hardware" R.
    116 Bardou, R. Focardi, Y. Kawamoto, L. Simionato, G. Steel, J.K. Tsay, Crypto 2012
    117 
    118 \[NIST SP 800-57]:
    119 http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r4.pdf
    120 
    121 \[Enisa]: "Algorithms, key size and parameters report  2014"
    122 https://www.enisa.europa.eu/publications/algorithms-key-size-and-parameters-report-2014
    123 
    124 \[ECRYPT II]: Yearly Report on Algorithms and Keysizes (2011-2012),
    125 http://www.ecrypt.eu.org/ecrypt2/documents/D.SPA.20.pdf
    126 
    127 \[CVE-1999-1444]: Alibaba 2.0 generated RSA key pairs with an exponent 1
    128 
    129 \[CVE-2012-5081]: Java JSSE provider leaked information through exceptions and
    130 timing. Both the PKCS #1 padding and the OAEP padding were broken:
    131 http://www-brs.ub.ruhr-uni-bochum.de/netahtml/HSS/Diss/MeyerChristopher/diss.pdf
    132