
RSA: Theory and Implementation - ingve
https://eli.thegreenplace.net/2019/rsa-theory-and-implementation/
======
tptacek
This is a fine article, but of course, you should never use RSA implemented
like this. In fact, the PKCS1v15 implementation here is itself vulnerable to a
textbook padding oracle attack (it errors out on busted padding). This is in
set #6 of the cryptopals challenges and is a pretty fun way to learn some
things about how RSA works.

A cool recent paper on automating not just this attack but all kinds of
"format oracle" attacks --- padding, headers, &c --- using SMT solvers:

[https://eprint.iacr.org/2019/958.pdf](https://eprint.iacr.org/2019/958.pdf)
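
The decoder behaviour described above, as an added example (not the article's code): the first unpadder is the textbook PKCS#1 v1.5 decoder whose distinct early exits act as the oracle, the second examines every byte with no early exit and reports a single boolean, and the caller substitutes random bytes on failure so the check's outcome is not visible to the peer (the approach TLS 1.2 takes). It assumes a fixed modulus length k and a fixed expected message length; Python gives no real constant-time guarantee, so the point is the structure of the check, not its timing.

```python
import secrets

def pkcs1_v15_pad(msg: bytes, k: int) -> bytes:
    """EME-PKCS1-v1_5 encoding: 0x00 0x02 || PS || 0x00 || M, PS random non-zero, len(PS) >= 8."""
    if len(msg) > k - 11:
        raise ValueError("message too long for modulus")
    ps = bytes(secrets.choice(range(1, 256)) for _ in range(k - 3 - len(msg)))
    return b"\x00\x02" + ps + b"\x00" + msg

def unpad_leaky(em: bytes) -> bytes:
    """Textbook decoder: each distinct early exit tells the caller which check failed."""
    if em[:2] != b"\x00\x02":
        raise ValueError("bad header")
    sep = em.find(b"\x00", 2)
    if sep < 0:
        raise ValueError("separator missing")
    if sep - 2 < 8:
        raise ValueError("padding string too short")
    return em[sep + 1:]

def unpad_hardened(em: bytes, k: int, msg_len: int) -> tuple[bool, bytes]:
    """Expects a message of fixed length msg_len (as TLS does for the premaster
    secret). Every byte is examined, there is no early exit, one boolean comes out."""
    if msg_len > k - 11:                    # parameter misuse, not input-dependent
        raise ValueError("msg_len too large for modulus length k")
    sep = k - 1 - msg_len                   # where the 0x00 separator must sit
    bad = int(len(em) != k)
    em = em if len(em) == k else bytes(k)   # keep the loop below uniform
    bad |= int(em[0] != 0x00)
    bad |= int(em[1] != 0x02)
    for i in range(2, sep):
        bad |= int(em[i] == 0x00)           # PS must contain no zero byte
    bad |= int(em[sep] != 0x00)
    return (bad == 0), em[sep + 1:]

def decrypt_padding(em: bytes, k: int, msg_len: int) -> bytes:
    """Caller side: on failure hand back random bytes of the right length so the
    padding check's result is not observable (the RFC 5246 7.4.7.1 approach)."""
    ok, msg = unpad_hardened(em, k, msg_len)
    fake = secrets.token_bytes(msg_len)     # always generated, used only on failure
    return msg if ok else fake
```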

~~~
michielderhaeg
RSA is just notoriously difficult to implement correctly, unless you're some
kind of crypto expert.
[https://www.youtube.com/watch?v=lElHzac8DDI](https://www.youtube.com/watch?v=lElHzac8DDI)

~~~
debatem1
All crypto is difficult to get right unless you're a crypto expert. RSA is not
unusual in this regard.

The thing that is unusual about RSA is how many people /kind of/ understand
it. Crypto people who dislike RSA say that this leads to a proliferation of
terrible RSA implementations, and that it is therefore more dangerous to use
than e.g. ECC. Crypto people who like RSA say that its relative accessibility
makes it a more popular target, and that in the absence of a catastrophic
break the more-studied cryptosystem should be assumed to be more secure.

Personally I've spent some time recently with badly implemented ECC, and I
don't think the mistakes being made there are fundamentally different from or
rarer than the mistakes you see in poorly implemented RSA.

~~~
nullc
> The thing that is unusual about RSA is how many people /kind of/ understand
> it.

I wouldn't say this is that unusual about RSA but your point is otherwise
good.

There are a lot of mechanistic "this is how you do ECC" writeups resulting in
a lot of people who think they understand it while having no real intuition
for it (and particularly for the security considerations).

Over and over again in cryptography the biggest danger is overconfidence. If
you aren't scared of vulnerabilities hiding behind every seemingly minor
decision, then you're in trouble.

Probably the worst "kind of understand it" I've seen in cryptography is Shamir
secret sharing, RSA comes right behind that. The big difference between RSA
and ECC is that for a long time people were mystified by the group operations
while they felt they understood modular multiplication, but the rise in
mechanical group law tutorials has leveled the playing field a lot there.

~~~
debatem1
Interesting, do you mind if I ask what kind of environment you work in? Most
of the non-crypto people I know will mumble about primes and factors when
asked how public key crypto works, but maybe I'm just wildly out of date.

------
CasperDern
RSA is pretty easy to implement, but hard to get right. PKCS#1 v1.5 can be
broken using padding attacks, and should not be used. OAEP is generally
recommended.

The entire RSA suite (keygen, encrypt/decrypt, padding) can be implemented in
about 300 LOC [1], which is probably why there are so many of these
'walkthroughs'.

[1]: [https://github.com/i404788/tiny-rsa](https://github.com/i404788/tiny-rsa)

~~~
tptacek
Very few systems in the real world implement OAEP, and even with OAEP you have
to watch out for Manger's padding oracle attack (susceptibility to which may
be commented out of the Javascript RSA you've posted here --- I'm like 50/50
on this because I've never taken the time to implement Manger because I've
never been professionally asked to look at an OAEP implementation because,
again, OAEP is pretty rare --- at this point, if you're designing a modern
system, you're not using RSA.)

