
Difference Between RSA-OAEP and RSA-PKCS1.5 [closed]

What is the difference between RSA-OAEP and RSA-PKCS1.5? My understanding is they are both RSA encryption, but using different padding schemes. What is the advantage of one over the other? If I generate an RSA 2048 private and public key pair, can I use the same key pair to encrypt and decrypt a message that is OAEP padded vs PKCS1.5 padded?

Nixy asked Jun 28 '18 00:06


2 Answers

At least one more comprehensive answer, which tries to be simple, can be found at "What is RSA OAEP & RSA PSS in simple terms" (InfoSec.SE).

You asked "What is the advantage of one over the other?" From the InfoSec.SE answer:

What went wrong this time?

It turns out that wrong answers can "decrypt successfully". Any message C is valid against any 4096-bit key k with odds

1/256 * 1/256 * (255/256)^8 * (1 - (255/256)^502)

("first byte is a zero", "second byte is a 2", "no zeros appear within 8 bytes", "a zero appears eventually")

0.004 * 0.004 * 0.996^8 * (1 - 0.996^502)
0.004 * 0.004 * 0.969 * (1 - 0.140)
0.004 * 0.004 * 0.969 * 0.860
1.27e-5

So approximately 1 in every 78 thousand messages is "valid", but wrong. This can confuse Bob and make him say silly things in response. If Eve (who has more free time than Mallory) wants to she can now start sending Bob clever gibberish and observe when he says he's confused, eventually Eve can figure out what the original message was. (Bleichenbacher attack (Crypto.SE))

You also asked "can I use the same key pair to encrypt and decrypt a message that is OAEP padded vs PKCS1.5 padded?"

If you mean "will software let me?" the answer is yes. If you mean "is it a good idea?", well, in FIPS 186-4, section 5.1, the US government requirement is

An RSA key pair used for digital signatures shall only be used for one digital signature scheme (e.g., ANS X9.31, RSASSA-PKCS1 v1.5 or RSASSA-PSS; see Sections 5.4 and 5.5). In addition, an RSA digital signature key pair shall not be used for other purposes (e.g., key establishment).

So the authors of that document, at least, would recommend NOT using the same key for OAEP and PKCS1.5.

This is further disrecommended by IETF RFC 8017 section 6:

A generally good cryptographic practice is to employ a given RSA key pair in only one scheme. This avoids the risk that vulnerability in one scheme may compromise the security of the other and may be essential to maintain provable security. [...]

To illustrate the risks related to the employment of an RSA key pair in more than one scheme, suppose an RSA key pair is employed in both RSAES-OAEP (Section 7.1) and RSAES-PKCS1-v1_5. Although RSAES-OAEP by itself would resist attack, an opponent might be able to exploit a weakness in the implementation of RSAES-PKCS1-v1_5 to recover messages encrypted with either scheme.

bartonjs answered Nov 03 '22 02:11


PKCS#1 .... see https://www.rfc-editor.org/rfc/rfc3447#page-23

A really, really short and simple breakdown of the difference:

PKCS1.5, or more formally EME-PKCS1-v1_5, defines a padding that is just appended to the Message M, mostly consisting of a message-length-dependent number of random bytes ...

means: if "MESSAGE" goes into PKCS1.5 you will get something like "MESSAGE#GARBAGE#"

Note: if some bits in the random part change, it does not really hurt the deciphering operation ... there are cryptographic reasons why this is BAD, but that goes way out of the scope of SO ... for that go to https://crypto.stackexchange.com/

OAEP: defines an all-or-nothing operation to produce a pseudo random Message M' from a Message M and a random number r

You need each and every bit of M' to recover r and decode M

EME-PKCS1-V1_5 should be seen as insecure and deprecated

DarkSquirrel42 answered Nov 03 '22 01:11
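The contrast both answers draw, as an added example that is not part of either answer: it pads one message with each scheme, following the block layouts in RFC 8017, then counts how many single-byte edits of the padded block still decode to the original message. It works on the padding layer only (no RSA operation); the function names, SHA-256, the empty label, the 256-byte block of a 2048-bit key and the sample message are assumptions made for the example.

```python
import hashlib, os

# Illustrative decoders: not constant-time, padding layer only (no RSA operation).
K, H = 256, 32  # block size of a 2048-bit modulus; SHA-256 output length

def v15_pad(msg):  # 00 02 || PS (nonzero random bytes) || 00 || M
    ps = bytes(b % 255 + 1 for b in os.urandom(K - 3 - len(msg)))
    return b"\x00\x02" + ps + b"\x00" + msg

def v15_unpad(em):
    sep = em.find(b"\x00", 2)  # first zero byte after the 00 02 header
    if em[:2] != b"\x00\x02" or sep < 10:  # no separator, or PS shorter than 8
        return None
    return em[sep + 1:]

def mgf1(seed, n):  # MGF1 with SHA-256 (RFC 8017, B.2.1)
    blocks = (hashlib.sha256(seed + i.to_bytes(4, "big")).digest() for i in range(-(-n // H)))
    return b"".join(blocks)[:n]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def oaep_pad(msg, label=b""):  # 00 || maskedSeed || maskedDB
    db = hashlib.sha256(label).digest() + bytes(K - len(msg) - 2 * H - 2) + b"\x01" + msg
    seed = os.urandom(H)
    masked_db = xor(db, mgf1(seed, len(db)))
    return b"\x00" + xor(seed, mgf1(masked_db, H)) + masked_db

def oaep_unpad(em, label=b""):
    masked_seed, masked_db = em[1:1 + H], em[1 + H:]
    seed = xor(masked_seed, mgf1(masked_db, H))
    db = xor(masked_db, mgf1(seed, len(masked_db)))
    body = db[H:].lstrip(b"\x00")  # skip the zero padding before the 01 marker
    if em[0] != 0 or db[:H] != hashlib.sha256(label).digest() or body[:1] != b"\x01":
        return None
    return body[1:]

def surviving_edits(pad, unpad, msg):
    """Count single-byte edits of the padded block that still decode to msg."""
    em, count = pad(msg), 0
    for i in range(K):
        edited = bytearray(em)
        edited[i] = edited[i] % 255 + 1  # always a different, nonzero value
        count += unpad(bytes(edited)) == msg
    return count

MSG = b"session-key-0123"  # constructed sample plaintext
if __name__ == "__main__":
    print(surviving_edits(v15_pad, v15_unpad, MSG), surviving_edits(oaep_pad, oaep_unpad, MSG))
```

Every edit that lands in the v1.5 random padding goes unnoticed, while OAEP's hash check over the unmasked block rejects every edit.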