[pycrypto] Security of public_key.encrypt() and private_key.decrypt()
the2nd at otpme.org
Sat Oct 10 13:32:55 PDT 2015
Hi,
I'm not sure if this is the right list to ask my question but I'll give it a try.
After reading the docs and doing some tests I found out that the encrypt()/decrypt() methods of the RSA key object do exactly what I need for OTPme (http://www.otpme.org).
My requirement is that the ciphertext for the same cleartext will always be the same. That's not the case when using a scheme like PKCS1_OAEP and I guess that this behavior cannot be changed (probably for a good reason).
To be clear, I'm talking about these methods:
https://www.dlitz.net/software/pycrypto/api/current/Crypto.PublicKey.RSA._RSAobj-class.html#encrypt
I guess the ciphertext generated by the methods above is vulnerable to brute force attacks. If I encrypt the string "hello world" with the public key and the resulting ciphertext is always the same it's easy to brute force. But are there any other security implications when using these methods?
My use case is the following:
- The user logs in using the OTPme PAM module which sends an auth request to the OTPme server
- On success the server sends back a session password (32 char hex string)
- The client generates an RSA key pair
- The session password is added to the otpme-agent which keeps it in memory only
- The session password is encrypted with the RSA public key
- The encrypted session password along with the public key is saved to a file
- The private key is encrypted using AES with the user's password (or some hardware token like the YubiKey via HMAC challenge/response)
- The encrypted private key is saved to a file along with the offline token data
- From time to time the agent does a renegotiation with the server and gets a new session password
- The agent encrypts the old password with the public key from the session file and checks if the ciphertext matches the one from the session file
- That's the reason for my initial requirement. Without this check an attacker could create a fake session file with a public key he has the private key for...
- The agent encrypts the new session password with the public key from the session file and replaces the old encrypted session password with the new one
That's the short version of what the OTPme client does. There are some more things because it supports offline logins etc. but this should not be important for my question.
So my final question is: is it secure to save a 32 char hex string encrypted with the public key encrypt() method?
There are some other things I am unsure about when it comes to AES encryption but that's for another mail....
regards
the2nd
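To make the two properties the post hinges on concrete, here is a small constructed model of the session-file check (an added example, not code from OTPme or pycrypto): textbook RSA, which is what the linked encrypt()/decrypt() methods compute, is deterministic, so the agent's re-encrypt-and-compare check works, while a scheme that mixes in random padding, as PKCS1_OAEP does, yields a different ciphertext every time and defeats an equality comparison. The toy Mersenne-prime modulus and the simplified random-prefix pad standing in for OAEP are assumptions made for this example.

```python
import os

# Constructed toy RSA key from two Mersenne primes, 2^127-1 and 2^521-1.
# The ~648-bit modulus holds a 32-byte session password plus padding; it is
# still far too small for real use and exists only to show the properties.
P, Q, E = (1 << 127) - 1, (1 << 521) - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (Python 3.8+)
PUBLIC_KEY, PRIVATE_KEY = (N, E), (N, D)
PAD_LEN = 8  # random prefix bytes used by the toy randomized scheme

def raw_encrypt(pub, msg: bytes) -> int:
    """Textbook RSA as pycrypto's _RSAobj.encrypt() computes it: m^e mod n,
    no padding, no randomness, so equal inputs always give equal outputs."""
    n, e = pub
    m = int.from_bytes(msg, "big")
    if m >= n:
        raise ValueError("message too large for modulus")
    return pow(m, e, n)

def raw_decrypt(priv, ct: int, length: int) -> bytes:
    """Inverse of raw_encrypt: c^d mod n, re-packed into `length` bytes."""
    n, d = priv
    return pow(ct, d, n).to_bytes(length, "big")

def randomized_encrypt(pub, msg: bytes) -> int:
    """Toy stand-in for a randomized scheme such as PKCS1_OAEP: a fresh random
    prefix goes in before exponentiation, so two encryptions of one message
    differ and a stored ciphertext can no longer be matched by equality."""
    return raw_encrypt(pub, os.urandom(PAD_LEN) + msg)

def randomized_decrypt(priv, ct: int, length: int) -> bytes:
    return raw_decrypt(priv, ct, PAD_LEN + length)[PAD_LEN:]

def session_file_check(pub, stored_ct: int, password: bytes) -> bool:
    """The renegotiation check from the post: re-encrypt the password the agent
    already holds and compare it with the ciphertext in the session file."""
    return raw_encrypt(pub, password) == stored_ct

def demo() -> dict:
    pw = os.urandom(16).hex().encode()  # constructed 32-char hex session password
    stored = raw_encrypt(PUBLIC_KEY, pw)  # what the session file would hold
    return {
        "raw_is_deterministic": raw_encrypt(PUBLIC_KEY, pw) == stored,
        "raw_round_trips": raw_decrypt(PRIVATE_KEY, stored, 32) == pw,
        "check_accepts_matching_key": session_file_check(PUBLIC_KEY, stored, pw),
        "randomized_differs": randomized_encrypt(PUBLIC_KEY, pw) != randomized_encrypt(PUBLIC_KEY, pw),
        "randomized_round_trips": randomized_decrypt(PRIVATE_KEY, randomized_encrypt(PUBLIC_KEY, pw), 32) == pw,
    }
```

With OAEP the `randomized_differs` case is exactly why the agent's ciphertext comparison cannot work; the check relies entirely on the raw scheme being deterministic.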