[pycrypto] Bug in Crypto.PublicKey.RSA?

Bill Broadley bill at broadley.org
Mon Sep 8 22:29:08 CST 2008

Dwayne C. Litzenberger wrote:
> On Mon, Sep 08, 2008 at 10:42:01AM -0400, Dwayne C. Litzenberger wrote:
>> On Sun, Sep 07, 2008 at 10:48:49PM -0700, Bill Broadley wrote:
>>> Shouldn't RSA.generate(keysize, rpool.get_bytes) generate a key that is
>>> keysize bits and that can encrypt that many bits?
>> No.  RSA with an N-bit modulus can only guarantee encryption of up to 
>> N-1 bits.
> I should also add that you should not be encrypting user data directly 
> using RSA.  You _need_ padding like PKCS#1 if you want any security.

Hmm, I was not aware of padding issues.  What is the attack?  How much is the 
ideal padding?  Is the attack related to guessing the plain text based on the 
file size?  Is the padding supposed to be random extra bytes?  Filled to some 
boundary like the next 16 bytes?  More?  Does compressing the plain text help?

> There are a ton of attacks on direct RSA encryption.

I'm blissfully unaware, I'll do some digging around, but any recommendations 
are welcome.

I'm basically trying to handle 2 encryption related problems:
#1 backing up files that are distributed to untrusted (as much as possible)
    peers.  Only the one encrypting should ever be able to decrypt the files.
    I was planning on using RSA with a user selected key size.  Possibilities
    for implementations include Crypto.PublicKey.RSA, a wrapper around GPG,
    and a wrapper/bindings for openssl.
#2 Securely communications between peers (of encrypted files).  Possibly
    with out of band communication of public keys (I.e. manual peer
    introduction by the admin).

Ideally recovery of all backed up files could be managed with only a copy of 
the the public/private keys.

> Like most of the things in PyCrypto, Crypto.PublicKey.RSA is a primitive 
> that can be used to *build* a secure cryptosystem, but it doesn't 
> provide any meaningful security by itself.

Sounds very reasonable.  Thanks for the advice on the padding, I'll try to 
track down the reasons why and what an ideal implementation would be.

More information about the pycrypto mailing list