
TOPIC: Usage of RSA padding by Encryption Configuration

Re: Usage of RSA padding by Encryption Configuration 10 Nov 2012 00:39 #1986

  • Joe
  • Junior Member
  • Posts: 23
  • Thank you received: 1
Thank you very much!

Just a side note on the above “ats.oka.nu” example: The “output” generated by its demo seems to always begin with the letter “A” when no padding is activated. When the padding is activated, the majority of the created “outputs” also begin with an “A”, while the length of the output changes slightly. See e.g. the following demo (used on WinXP SP3, 32bit, Firefox 16.0.2): ats.oka.nu/titaniumcore/js/crypto/RSA.sa...Q0Dc&e=3&pa=1&dum=he

I don't know if that is right or wrong, but the original library which the above example was based on does not show that behavior. See the demos of the original at www-cs-students.stanford.edu/~tjw/jsbn/

It might be due to the fact that the original has seen some bugs fixed (see its history) since it was taken over to the “ats.oka.nu” implementation in what appears to be 2009 in its description. (Or since it was taken over to the other above “bestmike007.com” implementation for that matter, in what appears to be 2011 in the blog.)

Just an additional side note: The above “ats.oka.nu” also has a description of its larger library (of which the above RSA implementation is a part) under ats.oka.nu/titaniumcore/js/crypto/readme.txt, in case it's of any use... That library is under the LGPL and the "original" under the BSD license.
Last Edit: 10 Nov 2012 00:54 by Joe. Reason: Clarification concerning the "larger library" description
The administrator has disabled public write access.

Re: Usage of RSA padding by Encryption Configuration 06 Dec 2012 23:08 #2092

  • Ratmil
  • Administrator
  • Posts: 1487
  • Thank you received: 25
Hi, Joe.
So far I have been answering your messages, but I wasn't going into them too deeply. I have had a lot of work.
Now, I have been reading the links you have provided me. I would just like to make it known that Encryption Configuration doesn't encrypt just the password. This would cause the encrypted text to be the same every time.
Instead of that, it creates a random value that is added to the password. On decryption this generated value is checked against the original generated value.
This guarantees two things:
1- The encrypted text is always different. MITM can't use brute force to guess the password.
2- You can use the encrypted text to log in just once. MITM can't use the encrypted text to log in because the random value is erased after use.

But, anyway, I am going to add RSA padding.
If I don't provide the answers you are looking for, I may provide the questions you need to find the answers yourself.

Re: Usage of RSA padding by Encryption Configuration 07 Dec 2012 02:41 #2093

  • Joe
  • Junior Member
  • Posts: 23
  • Thank you received: 1
Hi Ratmil,

Thank you very much for looking into this.

I might be wrong, but the point number 1 above is not really guaranteed. Because the added random number is generated by the server and sent to the client, it is also known to the MITM. It therefore does not add any additional security in this case. I.e., instead of just trying to brute force the password as follows:
plain text password (TRY) → encrypted password (KNOWN)

The MITM (or rather an entity processing the recorded data after the act, instead of during it) would just do:
plain text password (TRY) + random value (KNOWN) → encrypted password (KNOWN)

Which is the same, except for the trivial point of adding a known number before encryption. That makes the RSA padding still necessary.

The point number 2, on the other hand, where the above random number is used as a session token, is indeed guaranteed and very necessary.

I truly appreciate your work on this very useful plug-in.
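
The point made in the two posts above, as an added example that is not part of the thread and not code from Encryption Configuration: with unpadded RSA, a server nonce that travels in the clear leaves the ciphertext reproducible from the public key alone, while randomized padding does not. The key pair, the `password|nonce` layout, the function names and the use of OAEP as the padding scheme are assumptions made for this sketch; the thread does not say which padding the plug-in adopted.

```javascript
// Added example: constructed values, not code from Encryption Configuration.
const crypto = require('node:crypto');

// Throwaway 2048-bit key pair standing in for the server's key.
const { publicKey, privateKey } =
  crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const KEY_BYTES = 256;

// Message layout is an assumption: password, separator, server nonce.
function buildMessage(password, nonce) {
  return Buffer.from(`${password}|${nonce}`, 'utf8');
}

// Unpadded ("textbook") RSA: left-fill with zero bytes to the modulus size.
function encryptNoPadding(password, nonce) {
  const msg = buildMessage(password, nonce);
  const block = Buffer.concat([Buffer.alloc(KEY_BYTES - msg.length), msg]);
  return crypto.publicEncrypt(
    { key: publicKey, padding: crypto.constants.RSA_NO_PADDING }, block);
}

// OAEP mixes fresh random bytes into every encryption.
function encryptOaep(password, nonce) {
  return crypto.publicEncrypt(
    { key: publicKey, padding: crypto.constants.RSA_PKCS1_OAEP_PADDING },
    buildMessage(password, nonce));
}

// Server side: OAEP decryption still recovers the password and the nonce.
function decryptOaep(ciphertext) {
  return crypto.privateDecrypt(
    { key: privateKey, padding: crypto.constants.RSA_PKCS1_OAEP_PADDING },
    ciphertext).toString('utf8');
}

// Can a party holding only the public key, the nonce and a recorded
// ciphertext confirm a password candidate by re-encrypting it?
function candidateConfirmable(encrypt, recorded, candidate, nonce) {
  return encrypt(candidate, nonce).equals(recorded);
}

const nonce = crypto.randomBytes(8).toString('hex'); // sent in the clear
const password = 'constructed-demo-password';
console.log('no padding:', candidateConfirmable(
  encryptNoPadding, encryptNoPadding(password, nonce), password, nonce));
console.log('OAEP:', candidateConfirmable(
  encryptOaep, encryptOaep(password, nonce), password, nonce));
```

The nonce still does its job as a one-time login token in both variants; only the padded variant also makes the recorded ciphertext useless for checking candidates.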

Re: Usage of RSA padding by Encryption Configuration 07 Dec 2012 03:00 #2094

  • Ratmil
  • Administrator
  • Posts: 1487
  • Thank you received: 25
You are right.
Anyway, I had already made up my mind to use padding.

Re: Usage of RSA padding by Encryption Configuration 09 Dec 2012 03:38 #2095

  • Ratmil
  • Administrator
  • Posts: 1487
  • Thank you received: 25
Check private message.

Re: Usage of RSA padding by Encryption Configuration 10 Dec 2012 08:42 #2096

  • Ratmil
  • Administrator
  • Posts: 1487
  • Thank you received: 25
Hi, check pm again.