Which version of PKCS#1 does OpenSSL use? v1 had a problem in its (lack of) padding that would allow private key leakage, at least according to Wikipedia:
In 1998, Daniel Bleichenbacher described the first practical adaptive chosen ciphertext attack, against RSA-encrypted messages using the PKCS #1 v1 padding scheme (a padding scheme randomizes and adds structure to an RSA-encrypted message, so it is possible to determine whether a decrypted message is valid.) Due to flaws with the PKCS #1 scheme, Bleichenbacher was able to mount a practical attack against RSA implementations of the Secure Socket Layer protocol, and to recover session keys. As a result of this work, cryptographers now recommend the use of provably secure padding schemes such as Optimal Asymmetric Encryption Padding, and RSA Laboratories has released new versions of PKCS #1 that are not vulnerable to these attacks.
(Wikipedia article RSA, heading 4.5 (Adaptive Chosen Ciphertext Attacks), accessed 2006Feb23)

-Kyle H

On 2/23/06, Dr. Stephen Henson <[EMAIL PROTECTED]> wrote:
> On Wed, Feb 22, 2006, Kyle Hamilton wrote:
>
> > * Dr. Henson: When OpenSSL encrypts the private key, does it encrypt
> > the public key and exponent as well, or just the private part of the
> > key? If it encrypts the pubkey and exp as well, is this to verify the
> > proper private key when it's loaded?
> >
>
> It encrypts a PKCS#1 RSAPrivateKeyInfo structure in all the existing encrypted
> private key formats. That includes all components including n,e.
>
> > Chris, the short answer is: no, RSA decryption does not require the
> > public exponent. However, there's a couple of caveats that apply with
> > OpenSSL due to design decisions.
> >
>
> One of those design decisions is protection against error either due to a
> hardware glitch or some obscure boundary case bug in the bignum code.
>
> If such an error occurred and a bad private key operation data was output in
> some cases it would leak data which could be used to reconstruct the private
> key.
>
> Steve.
> --
> Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
> OpenSSL project core developer and freelance consultant.
> Funding needed! Details on homepage.
> Homepage: http://www.drh-consultancy.demon.co.uk
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           [EMAIL PROTECTED]
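
The protection described in the quoted reply, as an added example that is not part of the thread and is not OpenSSL's code: a private-key operation computed with the CRT shortcut is verified with the public exponent before it is released, because a result with a fault in one half shares a prime factor with n. The toy Mersenne-prime key, the simulated bit flip, the function names and the non-CRT fallback are assumptions of this example.

```python
# Added illustration, not OpenSSL code. Toy key constructed for the demo.
from math import gcd

P, Q = 2**31 - 1, 2**61 - 1  # constructed: two Mersenne primes, far too small for real use
E = 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
DP, DQ, QINV = D % (P - 1), D % (Q - 1), pow(Q, -1, P)


def crt_private_op(m, fault=False):
    """RSA private-key operation m^d mod n via the CRT shortcut."""
    sp = pow(m, DP, P)
    sq = pow(m, DQ, Q)
    if fault:
        sq ^= 1  # simulated hardware glitch: one flipped bit in the mod-q half
    h = (QINV * (sp - sq)) % P
    return sq + Q * h  # Garner recombination


def checked_private_op(m, fault=False):
    """Release the result only if it verifies under the public exponent e."""
    s = crt_private_op(m, fault)
    if pow(s, E, N) != m % N:
        # Assumed policy for this example: discard the bad value and
        # recompute without CRT, so the faulty result never leaves.
        return pow(m, D, N)
    return s


def factor_exposed_by(m, bad_s):
    """Why a faulty result must not be released: it is still correct
    mod p but wrong mod q, so bad_s^e - m is a multiple of p only."""
    return gcd((pow(bad_s, E, N) - m) % N, N)


if __name__ == "__main__":
    m = 123456789
    bad = crt_private_op(m, fault=True)
    print("unchecked faulty output exposes p:", factor_exposed_by(m, bad) == P)
    print("checked output is correct:", checked_private_op(m, fault=True) == pow(m, D, N))
```

This is also why the check needs e alongside the private components: without the public exponent there is nothing to verify the result against.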