[pycrypto] Bug in Crypto.PublicKey.RSA?
Bill Broadley
bill at broadley.org
Mon Sep 8 22:29:08 CST 2008
Dwayne C. Litzenberger wrote:
> On Mon, Sep 08, 2008 at 10:42:01AM -0400, Dwayne C. Litzenberger wrote:
>> On Sun, Sep 07, 2008 at 10:48:49PM -0700, Bill Broadley wrote:
>>> Shouldn't RSA.generate(keysize, rpool.get_bytes) generate a key that is
>>> keysize bits and that can encrypt that many bits?
>>
>> No. RSA with an N-bit modulus can only guarantee encryption of up to
>> N-1 bits.
>
> I should also add that you should not be encrypting user data directly
> using RSA. You _need_ padding like PKCS#1 if you want any security.
Hmm, I was not aware of padding issues. What is the attack? How much is the
ideal padding? Is the attack related to guessing the plain text based on the
file size? Is the padding supposed to be random extra bytes? Filled to some
boundary like the next 16 bytes? More? Does compressing the plain text help?
> There are a ton of attacks on direct RSA encryption.
I'm blissfully unaware, I'll do some digging around, but any recommendations
are welcome.
I'm basically trying to handle 2 encryption-related problems:
#1 backing up files that are distributed to untrusted (as much as possible)
peers. Only the one encrypting should ever be able to decrypt the files.
I was planning on using RSA with a user selected key size. Possibilities
for implementations include Crypto.PublicKey.RSA, a wrapper around GPG,
and a wrapper/bindings for openssl.
#2 Secure communications between peers (of encrypted files). Possibly
with out-of-band communication of public keys (i.e. manual peer
introduction by the admin).
Ideally recovery of all backed up files could be managed with only a copy of
the public/private keys.
> Like most of the things in PyCrypto, Crypto.PublicKey.RSA is a primitive
> that can be used to *build* a secure cryptosystem, but it doesn't
> provide any meaningful security by itself.
Sounds very reasonable. Thanks for the advice on the padding, I'll try to
track down the reasons why and what an ideal implementation would be.
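As an added illustration of the padding point raised in this thread (not code from PyCrypto or from either poster), the block below contrasts raw "textbook" RSA, which is deterministic and multiplicatively malleable, with RSAES-OAEP (RFC 8017, SHA-256, empty label) built on the same modular exponentiation, and shows that a modulus of K bytes carries at most K - 2*hLen - 2 bytes of OAEP-padded message, which is why one encrypts a per-file symmetric key rather than the file itself. The key is a constructed demo key made from two publicly known Mersenne primes and offers no security; a real deployment takes OAEP and key generation from a vetted library.

```python
import hashlib
import os

# Demo key only: publicly known Mersenne primes, trivially recognisable.
# A real key uses two random primes of equal size from a vetted library.
P, Q, E = 2**521 - 1, 2**127 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8          # modulus length in bytes (81 here)
HLEN = hashlib.sha256().digest_size    # 32

def textbook_encrypt(m):
    """Raw RSA on an integer: same input gives same output, and
    enc(a) * enc(b) mod N == enc(a * b), so it leaks and is malleable."""
    return pow(m, E, N)

def mgf1(seed, length):
    """MGF1 mask generation (RFC 8017 B.2.1) over SHA-256."""
    return b"".join(hashlib.sha256(seed + i.to_bytes(4, "big")).digest()
                    for i in range(-(-length // HLEN)))[:length]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def oaep_encode(msg):
    """RSAES-OAEP encoding (RFC 8017 7.1.1); fresh random seed per call."""
    if len(msg) > K - 2 * HLEN - 2:
        raise ValueError("message too long for this modulus")
    lhash = hashlib.sha256(b"").digest()
    db = lhash + b"\x00" * (K - len(msg) - 2 * HLEN - 2) + b"\x01" + msg
    seed = os.urandom(HLEN)            # this randomness removes determinism
    masked_db = xor(db, mgf1(seed, K - HLEN - 1))
    masked_seed = xor(seed, mgf1(masked_db, HLEN))
    return b"\x00" + masked_seed + masked_db

def oaep_decode(em):
    masked_seed, masked_db = em[1:1 + HLEN], em[1 + HLEN:]
    seed = xor(masked_seed, mgf1(masked_db, HLEN))
    db = xor(masked_db, mgf1(seed, K - HLEN - 1))
    sep = db.find(b"\x01", HLEN)
    # A real implementation makes these checks constant-time (padding oracle).
    bad = em[0] != 0 or db[:HLEN] != hashlib.sha256(b"").digest() \
        or sep < 0 or any(db[HLEN:sep])
    if bad:
        raise ValueError("decryption error")
    return db[sep + 1:]

def encrypt(msg):
    return pow(int.from_bytes(oaep_encode(msg), "big"), E, N).to_bytes(K, "big")

def decrypt(ct):
    return oaep_decode(pow(int.from_bytes(ct, "big"), D, N).to_bytes(K, "big"))
```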