Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Is it possible to get RSA private key knowing public key and set of "original data=>encrypted data" entries?

Tags:

security

rsa

I work on apllication which allows plugins to access different set of functionality, every plugin provides "initialization string" which sets level of access to different features. Developers send me this strings, and I encrypt them using my 1024 bit RSA private key and send encoded data back. When started, my application decodes encoded data(encoded initialisation string) using built-in public key and if "decoded data != initialization string" it fails to start.

So, is it possible to use a database of "initialization string" => "encoded initialization string"(extracted from other plugins) to crack my private key, or make it possible to bruteforce it in reasonable time?

like image 480
Riz Avatar asked Apr 17 '10 18:04

Riz


People also ask

Can we find private key from public key?

In most asymmetrical crypto system implementation, the only fact that is ensured is that you cannot find the private key from the public key.

Does RSA private key contain public key?

RSA private and public keys. An RSA key pair includes a private and a public key. The RSA private key is used to generate digital signatures, and the RSA public key is used to verify digital signatures. The RSA public key is also used for key encryption of DES or AES DATA keys and the RSA private key for key recovery.

Can public and private key be same in RSA?

Each RSA user has a key pair consisting of their public and private keys. As the name suggests, the private key must be kept secret. Public key encryption schemes differ from symmetric-key encryption, where both the encryption and decryption process use the same private key.


1 Answers

When you say that you "encrypt with a RSA private key" then you are not actually encrypting things. This is an historical bit of confusion. What you are doing is a digital signature which the plugin verifies with the corresponding public key. The confusion comes from the fact that, under an adequate light, RSA signatures can be seen as a kind of "reverse encryption" with the private key acting first. However, it differs in some details (e.g. padding, and involvement of a hash function) which make it quite different when it comes to implementation.

If you are using a proper RSA digital signature scheme (e.g. one of those described in PKCS#1, section 8 "signature schemes with appendix"), with an adequately large RSA key (1024 bits or more) generated through a correctly implemented key generation algorithm, then there is no known, computationally feasible way for an attacker to leverage the signatures you have produce in order to forge new signatures (and, a fortiori, crack the RSA private key). It is in no way proven that your signatures do not help the attacker, but 30 years of public research on the subject have not come up with such a breach.

Note, though, that usage details, in particular padding (the initial part, which transforms the to-be-signed data into a big number that the mathematical core of RSA can process) have been shown to be delicate; many proposed ways to do the padding have been successfully attacked. The PKCS#1 paddings have been under scrutiny for quite some time (two decades for the "v1.5" padding) and have resisted all such attempts so far. The "ISO 9796" family of paddings did not fare that well, many variants having been broken.

If you are not computing your signatures according to a well-established standard (i.e. PKCS#1), then you are looking for trouble. Do not do that. Fortunately, most RSA implementations (in cryptographic libraries and programming languages / environments) follow PKCS#1.

like image 154
Thomas Pornin Avatar answered Oct 11 '22 03:10

Thomas Pornin