Score:0

Is a RSA private key leak possible if I both sign and decrypt?

id flag

Is it possible to leak private key data if attacker control signing request ?

Everyone know $N$ and $E$ because they are public.

My server is designed to decrypt incoming request which is encrypted with public key.

Make sign and for decrypted data which have SHA-2 return back RSA sign for that data.

Is it possible that an attacker can learn my private key?

I am testing this in my local workshop for education purposes.

I am using PKCS#1 public key encrypted message for incoming request; data is decrypted by my private key and its have SHA-2 so I just sign & return back signed data to client.

Example in Python:

Message & key pair generation:

message = struct.pack('>IIII', 0, 0, 0, 1)
(pub, priv) = rsa.newkeys(512) //only for example, I know no one uses 512 bit

Incoming request:

encrypted = pkcs1.encrypt(message, pub) 

Server operations:

decrypted = pkcs1.decrypt(encrypted, priv)
signature = pkcs1.sign(decrypted, priv, 'SHA-256')

and return back answer.

fgrieu avatar
ng flag
Are side-channel attack (timing, power analysis..) left aside? Can it be assumed the private key $(N,D)$ is only used to compute the function $X\mapsto X^D\bmod N$? If yes to both: there's no known way the (or a working) private key can leak. But perhaps you are also interested in the server being abused to decipher or sign, there might be attacks allowing that. Independently: please clarify. Use "signature" when it's meant a piece of data, and "sign" for the action of making a signature. What's hashed with SHA2? Exactly how is the result used? Do encryption and signing use padding?
rockymaster avatar
id flag
i have updated my question and added sample too.
fgrieu avatar
ng flag
There remains a lot of room for improvement of form: _"make sign and for decrypted data which have SHA2 return back rsa sign for that data"_ -> _sign the decrypted data with padding using SHA2 and return the corresponding signature_; code [formatting](https://meta.stackexchange.com/questions/22186/how-do-i-format-my-code-blocks), perhaps [Mathjax](https://crypto.meta.stackexchange.com/a/1070/555). And it's missing the essential: are side-channel attack (timing, power analysis..) on the Python crypto libraries considered as valid attacks? These can "leak private key data".
Score:1
ng flag

It appears from the example that encryption and signature use some padding modes in PKCS#1; likely RSAES-PKCS1-v1_5 for encryption and RSASSA-PKCS1-v1_5 with SHA-256 for signature.

Is it possible to leak private key data?

As far as we know, no, the fact that it's deciphered a message and signed it with the same key can not leak private key data. That's independently of the exact padding schemes used for encryption and signature: we just know no way that any use of an RSA private key $(n,d)$ limited to computing $x\mapsto x^d\bmod n$ in a black box free of side channels can leak private key data.

Among similar things that could happen:

  • The implementation could leak the private key by a side channel; such as a down-to-earth trojan program running on the platform, or Differential Power Analysis. There are many other side-channels to fear.
  • The implementation of RSAES-PKCS1-v1_5 decryption might be among the many that are vulnerable to some variant of Bleichenbacher attack. That could allow turning the server into an oracle that allows (with enough queries) computation of the function $x\mapsto x^d\bmod n$ for arbitrary $x$, giving a (very slow) equivalent to knowing the private key to an attacker that can communicate with the server.

It's not academically correct to use the same public/private key pair for encryption and signature, but with the four encryption and signature modes in PKCS#1 it does not enable any known attack. The weakest apparent links in the security chain are

  • The very functionality of the server: it allows to obtain the signature of anything that fits the size limitation for encryption (117 bytes).
  • The 512-bit modulus, which can be factored (that was already possible in the 20th century).
  • The use of RSAES-PKCS1-v1_5 decryption on unauthenticated ciphertext from the open.
mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.