| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 12 Apr 2007 21:28:54 +0000 (UTC) From: daw@...berkeley.edu (David Wagner) To: linux-kernel@...r.kernel.org Subject: Re: [PATCH resend][CRYPTO]: RSA algorithm patch Indan Zupancic wrote: >On Thu, April 12, 2007 11:35, Satyam Sharma wrote: >> 1. First, sorry, I don't think an RSA implementation not conforming to >> PKCS #1 qualifies to be called RSA at all. That is definitely a *must* >> -- why break strong crypto algorithms such as RSA by implementing them >> in insecure ways? > >It's still RSA, that it's not enough to get a complete and secure crypto >system doesn't mean it isn't RSA anymore. Maybe you're right and having >RSA without the rest makes no sense. Yes, Satyam Sharma is 100% correct. Unpadded RSA makes no sense. RSA is not secure if you omit the padding. If you have a good reason why RSA needs to be in the kernel for security reasons, then the padding has to be in the kernel, too. Putting plain unpadded RSA in the kernel seems bogus. I worry about the quality of this patch if it is using unpadded RSA. This is pretty elementary stuff. No one should be implementing their own crypto code unless they have considerable competence and knowledge of cryptography. This elementary error leaves reason to be concerned about whether the developer of this patch has the skills that are needed to write this kind of code and get it right. People often take it personally when I tell them that they do are not competent to write their own crypto code, but this is not a personal attack. It takes very specialized knowledge and considerable study before one can write your own crypto implementation from scratch and have a good chance that the result will be secure. People without those skills shouldn't be writing their own crypto code, at least not if security is important, because it's too easy to get something wrong. (No, just reading Applied Cryptography is not good enough.) My experience is that code that contains elementary errors like this is also likely to contain more subtle errors that are harder to spot. In short, I'm not getting warm fuzzies here. And no, you can't just blithely push padding into user space and expect that to make the security issues go away. If you are putting the RSA exponentiation in the kernel because you don't trust user space, then you have to put the padding in the kernel, too, otherwise you're vulnerable to attack from evil user space code. It is also not true that padding schemes change all the time. They're fairly stable. Pick a reasonable modern padding scheme and leave it. - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists