Welcome, Guest
Username: Password: Secret Key Remember me

TOPIC: Usage of RSA padding by Encryption Configuration

Usage of RSA padding by Encryption Configuration 30 Jan 2012 17:54 #1278

  • Joe
  • Joe's Avatar
  • Offline
  • Junior Member
  • Posts: 23
  • Thank you received: 1
Hello!

I was wandering if the Joomla Encryption Configuration plugin (i.e. i guess its "encrypt.js" script) uses an RSA padding scheme as described in en.wikipedia.org/wiki/RSA_%28algorithm%29#Padding_schemes ?

Background of the question is the following scenario: The encrypted password can be intercepted by a third party "listening" to one's communication and then exposed to a "brute force" attack to extract the password. I do not mean a brute force attack against RSA, but one testing possible passwords, one by one. Because such an attack would be offline (using a previously intercepted encrypted text), it would be very fast (unlike an online attack against a website login form) and therefore require usage of a very long and strong passwords, similarly to other offline encryption cases, such as e.g. encryption of zip archives.

As I understand, it is not the job of the Encryption Configuration plugin to prevent an "MITM" (man-in-the-middle) attack, because an MITM can, by definition, replace the website RSA key with their own and thus intercept the key. Rather, the job of this plugin is prevention of retroactive password cracking by a passive (e.g. simply recording internet taffic) third-party, instead of an active MITM. Usage of the RSA padding would help greatly in such a case.

Thanks in advance!
The administrator has disabled public write access.

Re: Usage of RSA padding by Encryption Configuration 30 Jan 2012 21:39 #1279

  • Ratmil
  • Ratmil's Avatar
  • Offline
  • Administrator
  • Posts: 1487
  • Thank you received: 25
What you say is very interesting.
I don't see any solution for that than changing password regulary.
If I don't provide the answers you are looking for, I may provide the questions you need to find the answers yourself.
The administrator has disabled public write access.

Re: Usage of RSA padding by Encryption Configuration 01 Feb 2012 11:24 #1282

  • Joe
  • Joe's Avatar
  • Offline
  • Junior Member
  • Posts: 23
  • Thank you received: 1
Or another solution would be usage of the RSA padding, which makes the RSA far more secure.

So, the answer is: the Encryption Configuration component does not use the RSA padding, right? :)

Sorry that I wrote so much that it was easy to overlook the question.
The administrator has disabled public write access.

Re: Usage of RSA padding by Encryption Configuration 01 Feb 2012 20:59 #1284

  • Ratmil
  • Ratmil's Avatar
  • Offline
  • Administrator
  • Posts: 1487
  • Thank you received: 25
I didn´t implement that javascript routine that does RSA encryption. That´s why I didn´t answer earlier. As for I remember it doesn´t. Now, I have added to my to do list change that code to use a secure padding.
If I don't provide the answers you are looking for, I may provide the questions you need to find the answers yourself.
The administrator has disabled public write access.

Re: Usage of RSA padding by Encryption Configuration 08 Nov 2012 23:34 #1978

  • Joe
  • Joe's Avatar
  • Offline
  • Junior Member
  • Posts: 23
  • Thank you received: 1
Hello Ratmil,

Thank you very much for the great plug-in! Has there been any progress on the padding?

Some research on implementation examples that seem to use the OAEP (padding):
- ats.oka.nu/titaniumcore/js/crypto/RSA.readme.txt (one can test its “sample2” - its output changes every time when “Padding (SOAEP)” is activated)
- bestmike007.com/2011/08/secure-data-tran...avascript-using-rsa/
The administrator has disabled public write access.

Re: Usage of RSA padding by Encryption Configuration 09 Nov 2012 01:05 #1980

  • Ratmil
  • Ratmil's Avatar
  • Offline
  • Administrator
  • Posts: 1487
  • Thank you received: 25
Hi, Joe.
Thanks a lot for your interest. To be honest I have not added the padding to the encryption. I will do it before this year ends.
If I don't provide the answers you are looking for, I may provide the questions you need to find the answers yourself.
The administrator has disabled public write access.
Time to create page: 0.218 seconds
Powered by Kunena Forum