Geek Answers Handbook

Destruction of RSA / ECB / OAEPWITHSHA-256ANDMGF1PADDING

So Java has a mode called RSA/ECB/OAEPWITHSHA-256ANDMGF1PADDING . What does it mean?

RFC3447 , Public Key Cryptography Standards (PKCS) # 1: RSA Encryption Specifications Version 2.1, Section 7.1.2 The decryption operation says Hash and MGF are both options for RSAES-OAEP-DECRYPT. MGF is its own function, defined in section B.2.1 of MGF1, and which also has its own Hash option.

Perhaps the β€œHash” option in RSAES-OAEP-DECRYPT and MGF1 should be the same or maybe not, for me this is not clear. If they are then, I think when you have RSA/ECB/OAEPWITHSHA-256ANDMGF1PADDING , then sha256 should be used for both. But if they do not have to be the same, you can use sha256 for RSAES-OAEP-DECRYPT and, for example, sha1 used for MGF1. And if this is the case, then which sha256 function should be used? And what hash algorithm is supposed to be used for another function?

And what does ECB mean in this context? ECB is a symmetric block cipher mode. Electronic code book. Maybe this should mean that Java works with plain text, which is larger than modulo? How does it possibly split plaintext into chunks that are as large as modulo, and then encrypt each of them with RSA and combine them together? I just guess.

+15
source share
1 answer

By default, OAEP uses SHA-1 for MGF1. Please note that the selected hash does not have a big impact on OAEP security, so in most cases it will be left by default.

We can easily verify this by testing it with "OAEPPadding" and OAEPParameterSpec :

 // --- we need a key pair to test encryption/decryption KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA"); kpg.initialize(1024); // speedy generation, but not secure anymore KeyPair kp = kpg.generateKeyPair(); RSAPublicKey pubkey = (RSAPublicKey) kp.getPublic(); RSAPrivateKey privkey = (RSAPrivateKey) kp.getPrivate(); // --- encrypt given algorithm string Cipher oaepFromAlgo = Cipher.getInstance("RSA/ECB/OAEPWITHSHA-256ANDMGF1PADDING"); oaepFromAlgo.init(Cipher.ENCRYPT_MODE, pubkey); byte[] ct = oaepFromAlgo.doFinal("owlstead".getBytes(StandardCharsets.UTF_8)); // --- decrypt given OAEPParameterSpec Cipher oaepFromInit = Cipher.getInstance("RSA/ECB/OAEPPadding"); OAEPParameterSpec oaepParams = new OAEPParameterSpec("SHA-256", "MGF1", new MGF1ParameterSpec("SHA-1"), PSpecified.DEFAULT); oaepFromInit.init(Cipher.DECRYPT_MODE, privkey, oaepParams); byte[] pt = oaepFromInit.doFinal(ct); System.out.println(new String(pt, StandardCharsets.UTF_8));

The code will not be executed with a filling exception if you replace MGF1 as the "SHA-256" parameter.

The reason why an advanced algorithm is needed at all is because it is compatible with other Cipher algorithms. The code written, for example, for "RSA/ECB/PKCS1Padding" , does not use any parameters, not to mention the OAEP parameters. Thus, without a longer string, OAEP cannot function as a replacement.

The "ECB" mode of operation does not mean anything in this context; it should have been "None" or it should have been completely excluded. You can encrypt only one block using the RSRS implementation of the SunRSA provider.

If you want to encrypt more data, create a random (AES) symmetric key and encrypt it using OAEP. Then use the AES key to encrypt your specific data. This is called a hybrid cryptosystem, since both asymmetric and symmetric primitives are used to encrypt data.

Please note that OAEP is not supported in JDK 7 (1.7) or earlier. OAEP is included in the implementation requirements for Java runtimes starting with Java 8:

  • RSA/ECB/OAEPWithSHA-1AndMGF1Padding (1024, 2048)
  • RSA/ECB/OAEPWithSHA-256AndMGF1Padding (1024, 2048)
+28
source

More articles:


All Articles