RSA "NoPadding" encryption is considered not secure but required by conscrypt to support TLS RSA-PSS signing algorithm #1201
Comments
You're absolutely correct that RSA with no padding is incredibly insecure. However in this case, what is happening is that PSS padding has already been added by BoringSSL, so the "raw" payload that is passed to Android Keystore for encryption is the message digest plus PSS padding, which is equivalent to passing only the message digest and asking Keystore to do the padding. The TLS signing process in Conscrypt is somewhat complex, especially when the private key is "foreign" (i.e. belongs to some other security We have an open bug to improve this to what Chromium uses, because it breaks at least one other hardware-based keystore which assumes a really-raw payload and adds PKCS#1 padding, but it's currently not high on the list.
Also, we should document this better, so please don't close out this issue just yet!
Whilst pointing at the code would be a bit hand-wavey, if you need to explain this claim to auditors or similar, you can point out that unless the payload being encrypted was already padded correctly, then verification on the peer would fail and thus the TLS handshake would fail.
A follow-up question is why Conscrypt calls the encryption operation of the keystore provider instead of the signature operation when it performs an rsa_pss_ signature. When creating the keypair on Android, the user can specify both encryption padding and signature padding. Since we are trying to support rsa_pss_ signature algorithms in addition to the old rsa_pkcs1_ signature, I would specify both signature paddings like below. This, however, has no impact and the app still can't handle rsa_pss_ in TLS. The issue is resolved only after adding
I would appreciate it if I could learn more context about it.
Summarizing and sharing my findings here. The padding part has already been explained by Pete above (thanks, Pete). Please keep me honest. The signature is broken into two steps by Conscrypt:
Since Conscrypt has already padded the digest, it invokes the RSA "NoPadding" encryption for step 2. This calls into the Keystore encryption operation, which requires the keypair to support KeyProperties.ENCRYPTION_PADDING_NONE.
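The two-step split described in this comment, together with the point made earlier in the thread that a wrongly padded block would simply fail verification at the peer, as an added example that is not part of the thread and not Conscrypt's or Android's code. It is written against Go's standard library because the point is the arithmetic, not the Android API: emsaPSSEncode, rawRSAPrivateOp and Demo are names chosen here, the digest is a constructed stand-in for the TLS transcript hash, and the raw modular exponentiation stands in for the Keystore operation that ENCRYPTION_PADDING_NONE enables.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"math/big"
)

// mgf1 is the MGF1 mask generation function of RFC 8017 B.2.1 with SHA-256.
func mgf1(seed []byte, maskLen int) []byte {
	var out []byte
	var counter [4]byte
	for i := 0; len(out) < maskLen; i++ {
		binary.BigEndian.PutUint32(counter[:], uint32(i))
		h := sha256.New()
		h.Write(seed)
		h.Write(counter[:])
		out = h.Sum(out)
	}
	return out[:maskLen]
}

// emsaPSSEncode is EMSA-PSS-ENCODE (RFC 8017 9.1.1) over an already computed SHA-256
// digest, salt length = hash length as TLS 1.3 requires for rsa_pss_*. This is the
// padding step (step 1 in the thread) that happens before the block reaches the keystore.
func emsaPSSEncode(digest []byte, modBits int) ([]byte, error) {
	const hLen, sLen = sha256.Size, sha256.Size
	emBits := modBits - 1
	emLen := (emBits + 7) / 8
	if len(digest) != hLen || emLen < hLen+sLen+2 {
		return nil, errors.New("bad digest length or modulus too small")
	}
	salt := make([]byte, sLen)
	if _, err := rand.Read(salt); err != nil {
		return nil, err
	}
	h := sha256.New() // H = Hash(0x00*8 || mHash || salt)
	h.Write(make([]byte, 8))
	h.Write(digest)
	h.Write(salt)
	hash := h.Sum(nil)
	dbLen := emLen - hLen - 1 // DB = PS (zeros) || 0x01 || salt
	db := make([]byte, dbLen)
	db[dbLen-sLen-1] = 0x01
	copy(db[dbLen-sLen:], salt)
	for i, m := range mgf1(hash, dbLen) { // maskedDB = DB XOR MGF1(H)
		db[i] ^= m
	}
	db[0] &= 0xFF >> uint(8*emLen-emBits) // keep EM < 2^emBits < n
	return append(append(db, hash...), 0xbc), nil
}

// rawRSAPrivateOp is RSA "NoPadding" with the private key: s = m^d mod n, nothing added
// or checked. It models the Keystore operation that ENCRYPTION_PADDING_NONE allows (step 2).
func rawRSAPrivateOp(priv *rsa.PrivateKey, m []byte) []byte {
	k := (priv.N.BitLen() + 7) / 8
	s := new(big.Int).Exp(new(big.Int).SetBytes(m), priv.D, priv.N)
	return s.FillBytes(make([]byte, k))
}

// verifyPSS is what the TLS peer does with CertificateVerify: standard RSASSA-PSS verification.
func verifyPSS(pub *rsa.PublicKey, digest, sig []byte) bool {
	return rsa.VerifyPSS(pub, crypto.SHA256, digest, sig, nil) == nil
}

// Demo signs a constructed digest three ways and reports which one the peer accepts:
// twoStep (PSS-encode then raw RSA, the Conscrypt path), bare (a keystore that signs the
// digest as-is) and pkcs1 (a keystore that adds PKCS#1 v1.5 padding instead of PSS).
func Demo() (twoStep, bare, pkcs1 bool, err error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return
	}
	digest := sha256.Sum256([]byte("constructed stand-in for the TLS transcript hash"))
	em, err := emsaPSSEncode(digest[:], priv.N.BitLen())
	if err != nil {
		return
	}
	pk1, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return
	}
	pub := &priv.PublicKey
	return verifyPSS(pub, digest[:], rawRSAPrivateOp(priv, em)),
		verifyPSS(pub, digest[:], rawRSAPrivateOp(priv, digest[:])),
		verifyPSS(pub, digest[:], pk1), nil
}

func main() {
	twoStep, bare, pkcs1, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Println("PSS then raw RSA:", twoStep, " bare digest:", bare, " PKCS#1 v1.5:", pkcs1)
}
```

Only the PSS-encoded block survives the peer's check. A keystore that treats the payload as truly raw and signs the bare digest, or one that substitutes PKCS#1 v1.5 padding (the behaviour attributed above to another hardware keystore), yields a signature the peer rejects, so a padding mismatch shows up as a failed handshake rather than as a silently weaker signature. That is also why the "NoPadding" operation on an already PSS-encoded block is not the unpadded-RSA misuse the SDL rules are written against: no attacker-controlled plaintext ever reaches the raw operation.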
Looks like this is the PR that implements the RSA PSS signature algorithm in conscrypt.
@prbprbprb, would you please share with me the bug link you mentioned in I would like to monitor it and also review it to ensure it aligns with my understanding. My understanding is that the improvement will involve two repos:
No, no BoringSSL change is needed. BoringSSL's
Describe the issue:
TLS handshake fails if the client certificate keypair is created in Android Keystore with OAEP encryption padding specified:
setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_RSA_OAEP)
This happens when the server requests RSA-PSS signature algorithms in Certificate Request. In order for the keypair to work with RSA-PSS signatures, the client needs to set 'RSA NoPadding' by
setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
Refs:
https://developer.android.com/reference/android/security/keystore/KeyGenParameterSpec.Builder#setEncryptionPaddings(java.lang.String[])
https://developer.android.com/reference/android/security/keystore/KeyProperties#ENCRYPTION_PADDING_NONE
There are articles saying that RSA NoPadding shall not be used for encryption as it's not considered secure. Company SDL also forbids using RSA NoPadding encryption. Is there any way that we can explain why RSA NoPadding encryption is needed for TLS RSA-PSS signatures and that it's secure?
Sample code to reproduce the issue:
Please find the steps to create the keypair in Android Keystore in the previously reported issue: SSL Handshake failure in Android 10 #718