-
Notifications
You must be signed in to change notification settings - Fork 156
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Checks performed in check_public seem insufficient #99
Comments
no, this is likely a carry over from the fact thah originally it was not possible to specify a custom exponent. So this should be fixed |
In fact, the checks should be carried out in a couple of places. For instance, passing an even exponent to the function
I think this should be given some thought to make sure checks are in place where needed and not much duplicated code is introduced. Maybe one could also set a lower bound to the modulus size (e.g., 1024), and add to the checks. NIST SP 800-56B Revision 2 (section 6.4) may provide some guidance. If you give me some time to get familiarized with the code, I can propose some changes. |
We added an initial set of public key checks in #170 and #176. There currently aren't any such checks on private keys, beyond checking that there are at least two primes. Checks on both public and private keys could definitely be further improved. A minimum modulus size definitely seems like a good idea (with the ability to bypass it through an I think the private key APIs currently permit a number of potential misuses (see above-mentioned exponent-related DoS) which it would be good to mitigate. |
Thanks for your feedback @tarcieri. I'd be happy to know more about those exotic/legacy use cases. @dignifiedquire: Any pointer where this has been discussed or documented? |
The original reason why I wrote this implementation was to support https://github.com/rpgp/rpgp which is a full rust implementation of OpenPGP, which is used with a variety of existing keys out there in the wild. There is a set of keys in the tests there, but in general I have to follow roughly "if Gnupg accepts the key, I have to accept it" |
We can still make the default APIs misuse resistant, with See the existing |
Hi guys. I took a look at this issue in a bit more detail, and have a couple of considerations:
In light of this, a reasonable approach to satisfy all parties may be to
Then the checks simply ensure the least restrictive of these conditions. According to the above, I would suggest: For
I'm not sure why For At most, I would consider checking for primality of the primes. Everything else I can think of is already there. What do you think? |
I understand the desire to avoid the |
Understood. In that case, I guess we can leave the key bounds, the unchecked versions, etc., aside for now, and address the minimum requirements that originated this issue. That is, adding the following checks to
|
Adds the following checks: - `n` is odd - `e` is odd - `e` < `n` Closes #99
Adds the following checks: - `n` is odd - `e` is odd - `e` < `n` Closes #99
The
check_public
function nominally checks "that the public key is well formed and has an exponent within acceptable bounds."https://github.com/RustCrypto/RSA/blob/master/src/key.rs#L642
But it also accepts even exponents, as long as they are within the defined range.
And it does not perform any checks on the modulus, accepting values including zero, even numbers, or modulus smaller than the public exponent.
Is accepting such keys intentional?
The text was updated successfully, but these errors were encountered: