Welcome, Guest
Username: Password: Secret Key Remember me

TOPIC: Usage of RSA padding by Encryption Configuration

Re: Usage of RSA padding by Encryption Configuration 11 Dec 2012 23:46 #2097

  • Ratmil
  • Ratmil's Avatar
  • Offline
  • Administrator
  • Posts: 1487
  • Thank you received: 25
OK.
I have added padding. Check latest version.
If I don't provide the answers you are looking for, I may provide the questions you need to find the answers yourself.
The administrator has disabled public write access.
The following user(s) said Thank You: Joe

Re: Usage of RSA padding by Encryption Configuration 29 Jul 2013 02:20 #2609

  • Joe
  • Joe's Avatar
  • Offline
  • Junior Member
  • Posts: 23
  • Thank you received: 1
Hi Ratmil,

Just some post-implementation feedback:
1) There seems to be a discrepancy between the extension description on extensions.joomla.org and your website. The former states that "It is *necessary* to have the bcmath extension", while the latter says "It is *recommended* to have the bcmath extension installed, otherwise DES algorithm is used.". One of the statements seems to be incorrect. :) (I.e. is it a requirement to have bcmath or would it also work without?)

Actually, looking at the code in BigInteger.php, line 272 and later, the code automatically determines if "gmp", "bcmath" is available or internal mode (pure PHP RSA implementation) should be used, and uses the available. Which makes both above description statements incorrect, because (a) "bcmath" is not required as there are also "gmp" or at least the "internal mode" and (b) there is no fallback to DES.


2) Does that call for a code clean-up? E.g., searching for "bcmath" (non case sensitive) in the code reveales plenty of "if(!extension_loaded('bcmath'))" checks and related error messages. But according to BigInteger.php above, it would also work with "gmp" or the internal pure PHP implementation (possibly just slower and with a higher bug risk, but not higher than with the also internal DES implementation in old extension versions).


3) Does the (much less secure) legacy DES handling need to be removed from the extension code? E.g. searching for the "des" string reveals its handling in the extension code itself (I don't mean the libraries in \extensions\encrypt\), e.g. in:
"admin.encrypt_configuration.html.php",
"admin.encrypt_configuration.php",
"install.encrypt_configuration.php"
"en-GB.com_encrypt_configuration.ini"
"es-ES.com_encrypt_configuration.ini"


Thank you again for this great extension!

P.S.: As I mentioned before, but just to have it all in one place, it looks like this year's update of the jsbn libs is out ( www-cs-students.stanford.edu/~tjw/jsbn/ ) :)

P.P.S.: Please also check your private messages.
The administrator has disabled public write access.

Re: Usage of RSA padding by Encryption Configuration 29 Jul 2013 20:26 #2612

  • Ratmil
  • Ratmil's Avatar
  • Offline
  • Administrator
  • Posts: 1487
  • Thank you received: 25
Hi, Joe.
Everything you are saying is true.
1) You are right. The encryption libraries do not necessarily require bcmath, because it uses other options. However the plugin does nothing if bcmath is not installed.
2) Same answer as 1
3) DES is not used anymore. Removal of DES code would be nice.

I will find a chance to update the component and include the new release of the jsbn libraries.

Thanks.
If I don't provide the answers you are looking for, I may provide the questions you need to find the answers yourself.
The administrator has disabled public write access.
The following user(s) said Thank You: Joe

Re: Usage of RSA padding by Encryption Configuration 10 Sep 2013 06:45 #2708

  • Joe
  • Joe's Avatar
  • Offline
  • Junior Member
  • Posts: 23
  • Thank you received: 1
Hi Ratmil,

thanks for your response. No rush, it works as is.

I just came across one more thing, possibly:

4) Testing of prime numbers and generated keys:

a) I searched for the string "test" in the entire extension code and it seems that the prime number test is already implemented in isPrime() in \extensions\encrypt\Math\BigInteger.php. I don't know, but just as a hint for you: could it be that isPrime(), millerTest() and possibly more (functions that they are calling) can be removed from \rsa.php now?

b) Other things which come up when searching for the "test" string are related to the test of generated RSA keys. Is that test still functional or does it need to be removed?

Thanks in advance!
The administrator has disabled public write access.

Re: Usage of RSA padding by Encryption Configuration 10 Sep 2013 18:12 #2709

  • Ratmil
  • Ratmil's Avatar
  • Offline
  • Administrator
  • Posts: 1487
  • Thank you received: 25
Hi, Joe.
How are you doing?
I haven't checked but as I remember you are probably right.
If I don't provide the answers you are looking for, I may provide the questions you need to find the answers yourself.
The administrator has disabled public write access.
Time to create page: 0.230 seconds
Powered by Kunena Forum