moddedrsa

package
v0.0.0-...-5424261 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Feb 5, 2018 License: CC0-1.0 Imports: 8 Imported by: 0

Documentation

Overview

Its purpose is to demonstrate that the current crypto/rsa library is at least partially vulnerable to Manger attacks, cf. J. Manger. A Chosen Ciphertext Attack on RSA Optimal Asymmetric Encryption Padding (OAEP) as Standardized in PKCS #1 v2.0. In J. Kilian, editor, Advances in Cryptology - CRYPTO 2001. (http://iacr.org/archive/crypto2001/21390229.pdf) ------------------ AnomalRoil 2016 >

Index

Constants

This section is empty.

Variables

View Source 
var ErrDecryption = errors.New("crypto/rsa: decryption error")

ErrDecryption represents a failure to decrypt a message. It is deliberately vague to avoid adaptive attacks.

View Source 
var ErrMessageTooLong = errors.New("crypto/rsa: message too long for RSA public key size")

ErrMessageTooLong is returned when attempting to encrypt a message which is too large for the size of the public key.

View Source 
var ErrVerification = errors.New("crypto/rsa: verification error")

ErrVerification represents a failure to verify a signature. It is deliberately vague to avoid adaptive attacks.

View Source 
var NumberOfZeros int

-----------------< AnomalRoil 2016 NumberOfZeros is where we cheat: the oracle is the call to our modifed version of LeftPad in the DecryptOAEP func which will populate this variable with the number of zeros it "LeftPadded".

Functions

func DecryptOAEP 

func DecryptOAEP(hash hash.Hash, random io.Reader, priv *PrivateKey, ciphertext []byte, label []byte) ([]byte, error)

OAEP is parameterised by a hash function that is used as a random oracle. Encryption and decryption of a given message must use the same hash function and sha256.New() is a reasonable choice.

The random parameter, if not nil, is used to blind the private-key operation and avoid timing side-channel attacks. Blinding is purely internal to this function – the random data need not match that used when encrypting.

The label parameter must match the value given when encrypting. See EncryptOAEP for details.

func EncryptOAEP 

func EncryptOAEP(hash hash.Hash, random io.Reader, pub *PublicKey, msg []byte, label []byte) ([]byte, error)

EncryptOAEP encrypts the given message with RSA-OAEP.

OAEP is parameterised by a hash function that is used as a random oracle. Encryption and decryption of a given message must use the same hash function and sha256.New() is a reasonable choice.

The random parameter is used as a source of entropy to ensure that encrypting the same message twice doesn't result in the same ciphertext.

The label parameter may contain arbitrary data that will not be encrypted, but which gives important context to the message. For example, if a given public key is used to decrypt two types of messages then distinct label values could be used to ensure that a ciphertext for one purpose cannot be used for another by an attacker. If not required it can be empty.

The message must be no longer than the length of the public modulus minus twice the hash length, minus a further 2.

func LeftPad 

func LeftPad(input []byte, size int) (out []byte)

LeftPad returns a new slice of length size. The contents of input are right aligned in the new slice.

func Mgf1XOR 

func Mgf1XOR(out []byte, hash hash.Hash, seed []byte)

Mgf1XOR XORs the bytes in out with a mask generated using the MGF1 function specified in PKCS#1 v2.1.

Types

type CRTValue 

type CRTValue struct {
	Exp   *big.Int // D mod (prime-1).
	Coeff *big.Int // R·Coeff ≡ 1 mod Prime.
	R     *big.Int // product of primes prior to this (inc p and q).
}

CRTValue contains the precomputed Chinese remainder theorem values.

type OAEPOptions 

type OAEPOptions struct {
	// Hash is the hash function that will be used when generating the mask.
	Hash crypto.Hash
	// Label is an arbitrary byte string that must be equal to the value
	// used when encrypting.
	Label []byte
}

OAEPOptions is an interface for passing options to OAEP decryption using the crypto.Decrypter interface.

type PrecomputedValues 

type PrecomputedValues struct {
	Dp, Dq *big.Int // D mod (P-1) (or mod Q-1)
	Qinv   *big.Int // Q^-1 mod P

	// CRTValues is used for the 3rd and subsequent primes. Due to a
	// historical accident, the CRT for the first two primes is handled
	// differently in PKCS#1 and interoperability is sufficiently
	// important that we mirror this.
	CRTValues []CRTValue
}

type PrivateKey 

type PrivateKey struct {
	PublicKey            // public part.
	D         *big.Int   // private exponent
	Primes    []*big.Int // prime factors of N, has >= 2 elements.

	// Precomputed contains precomputed values that speed up private
	// operations, if available.
	Precomputed PrecomputedValues
}

A PrivateKey represents an RSA key

func (*PrivateKey) Precompute 

func (priv *PrivateKey) Precompute()

Precompute performs some calculations that speed up private key operations in the future.

func (*PrivateKey) Public 

func (priv *PrivateKey) Public() crypto.PublicKey

Public returns the public key corresponding to priv.

func (*PrivateKey) Validate 

func (priv *PrivateKey) Validate() error

Validate performs basic sanity checks on the key. It returns nil if the key is valid, or else an error describing a problem.

type PublicKey 

type PublicKey struct {
	N *big.Int // modulus
	E int      // public exponent
}

A PublicKey represents the public part of an RSA key.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.