[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <evm8am$h12$2@taverner.cs.berkeley.edu>
Date: Thu, 12 Apr 2007 21:28:54 +0000 (UTC)
From: daw@...berkeley.edu (David Wagner)
To: linux-kernel@...r.kernel.org
Subject: Re: [PATCH resend][CRYPTO]: RSA algorithm patch
Indan Zupancic wrote:
>On Thu, April 12, 2007 11:35, Satyam Sharma wrote:
>> 1. First, sorry, I don't think an RSA implementation not conforming to
>> PKCS #1 qualifies to be called RSA at all. That is definitely a *must*
>> -- why break strong crypto algorithms such as RSA by implementing them
>> in insecure ways?
>
>It's still RSA, that it's not enough to get a complete and secure crypto
>system doesn't mean it isn't RSA anymore. Maybe you're right and having
>RSA without the rest makes no sense.
Yes, Satyam Sharma is 100% correct. Unpadded RSA makes no sense. RSA is
not secure if you omit the padding. If you have a good reason why RSA
needs to be in the kernel for security reasons, then the padding has to be
in the kernel, too. Putting plain unpadded RSA in the kernel seems bogus.
I worry about the quality of this patch if it is using unpadded RSA.
This is pretty elementary stuff. No one should be implementing their
own crypto code unless they have considerable competence and knowledge
of cryptography. This elementary error leaves reason to be concerned
about whether the developer of this patch has the skills that are needed
to write this kind of code and get it right.
People often take it personally when I tell them that they do are not
competent to write their own crypto code, but this is not a personal
attack. It takes very specialized knowledge and considerable study
before one can write your own crypto implementation from scratch and
have a good chance that the result will be secure. People without
those skills shouldn't be writing their own crypto code, at least not
if security is important, because it's too easy to get something wrong.
(No, just reading Applied Cryptography is not good enough.) My experience
is that code that contains elementary errors like this is also likely
to contain more subtle errors that are harder to spot. In short, I'm
not getting warm fuzzies here.
And no, you can't just blithely push padding into user space and expect
that to make the security issues go away. If you are putting the
RSA exponentiation in the kernel because you don't trust user space,
then you have to put the padding in the kernel, too, otherwise you're
vulnerable to attack from evil user space code.
It is also not true that padding schemes change all the time. They're
fairly stable. Pick a reasonable modern padding scheme and leave it.
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists