More secure defaults for openssl_public_encrypt() & openssl_private_decrypt()

8 years ago by Sammy Kaye Powers — view source

unread

Hey internals!

As pointed out in Paragon's excellent blog post,
openssl_public_encrypt() & openssl_private_decrypt() defaults to the
insecure OPENSSL_PKCS1_PADDING constant.

https://paragonie.com/blog/2016/12/everything-you-know-about-public-key-encryption-in-php-is-wrong#php-openssl-rsa-bad-default

What are your thoughts about deprecating OPENSSL_PKCS1_PADDING and
using OPENSSL_PKCS1_OAEP_PADDING as the new default?

Thanks,
Sammy Kaye Powers
sammyk.me

8 years ago by Scott Arciszewski — view source

unread

Hey internals!

As pointed out in Paragon's excellent blog post,
openssl_public_encrypt() & openssl_private_decrypt() defaults to the
insecure OPENSSL_PKCS1_PADDING constant.

https://paragonie.com/blog/2016/12/everything-you-know-about-public-key-encryption-in-php-is-wrong#php-openssl-rsa-bad-default

What are your thoughts about deprecating OPENSSL_PKCS1_PADDING and
using OPENSSL_PKCS1_OAEP_PADDING as the new default?

Thanks,
Sammy Kaye Powers
sammyk.me

--

There was a little bit of discussion here previously.

http://externals.io/thread/442#email-12842

Scott Arciszewski
Chief Development Officer
Paragon Initiative Enterprises <https://paragonie.com

8 years ago by Andreas Heigl — view source

unread

Am 12.12.16 um 16:26 schrieb Sammy Kaye Powers:

Hey internals!

As pointed out in Paragon's excellent blog post,
openssl_public_encrypt() & openssl_private_decrypt() defaults to the
insecure OPENSSL_PKCS1_PADDING constant.

https://paragonie.com/blog/2016/12/everything-you-know-about-public-key-encryption-in-php-is-wrong#php-openssl-rsa-bad-default

What are your thoughts about deprecating OPENSSL_PKCS1_PADDING and
using OPENSSL_PKCS1_OAEP_PADDING as the new default?

Is that backwards compatible? I'm thinking of decrypting data that was
encrypted with the "old" settings...

I just tested this:

&lt;?php
openssl_public_encrypt('Testdata', $crypted, $pubKey,

OPENSSL_PKCS1_OAEP_PADDING);
openssl_private_decrypt($crypted, $decrypt, $privateKey));
var_Dump($decrypt);
// NULL

while this works as expected:

&lt;?php
openssl_public_encrypt('Testdata', $crypted, $pubKey,

OPENSSL_PKCS1_OAEP_PADDING);
openssl_private_decrypt($crypted, $decrypt, $privateKey,
OPENSSL_PKCS1_OAEP_PADDING));
var_Dump($decrypt);
// string(8) "Testdata"

So it looks like you're out of luck with your already encrypted data
when the default-padding is changed. And I suppose that those that used
the default aren't aware of that information being a vital part.

And on a first glance I couldn't find a way of retrieving the used
padding from the data. So there might be no way of retrieving that
information other than by guessing/decrypting using all possible
paddings until a valid value is returned...

Just my 0.02 €

Cheers

Andreas

--
,,,
(o o)
+---------------------------------------------------------ooO-(_)-Ooo-+
| Andreas Heigl |
| mailto:andreas@heigl.org N 50°22'59.5" E 08°23'58" |
| http://andreas.heigl.org http://hei.gl/wiFKy7 |
+---------------------------------------------------------------------+
| http://hei.gl/root-ca |
+---------------------------------------------------------------------+