Score:0

Crypto

Is a RSA private key leak possible if I both sign and decrypt?

rockymaster

1/22/23, 4:22 PM

Is it possible to leak private key data if attacker control signing request ?

Everyone know $N$ and $E$ because they are public.

My server is designed to decrypt incoming request which is encrypted with public key.

Make sign and for decrypted data which have SHA-2 return back RSA sign for that data.

Is it possible that an attacker can learn my private key?

I am testing this in my local workshop for education purposes.

I am using PKCS#1 public key encrypted message for incoming request; data is decrypted by my private key and its have SHA-2 so I just sign & return back signed data to client.

Example in Python:

Message & key pair generation:

message = struct.pack('>IIII', 0, 0, 0, 1)
(pub, priv) = rsa.newkeys(512) //only for example, I know no one uses 512 bit

Incoming request:

encrypted = pkcs1.encrypt(message, pub)

Server operations:

decrypted = pkcs1.decrypt(encrypted, priv)
signature = pkcs1.sign(decrypted, priv, 'SHA-256')

and return back answer.

256

0 + 0

rsa

public-key

fgrieu

1/22/23, 4:41 PM

Are side-channel attack (timing, power analysis..) left aside? Can it be assumed the private key $(N,D)$ is only used to compute the function $X\mapsto X^D\bmod N$? If yes to both: there's no known way the (or a working) private key can leak. But perhaps you are also interested in the server being abused to decipher or sign, there might be attacks allowing that. Independently: please clarify. Use "signature" when it's meant a piece of data, and "sign" for the action of making a signature. What's hashed with SHA2? Exactly how is the result used? Do encryption and signing use padding?

rockymaster

1/23/23, 11:21 AM

i have updated my question and added sample too.

fgrieu

1/23/23, 11:34 AM

There remains a lot of room for improvement of form: _"make sign and for decrypted data which have SHA2 return back rsa sign for that data"_ -> _sign the decrypted data with padding using SHA2 and return the corresponding signature_; code [formatting](https://meta.stackexchange.com/questions/22186/how-do-i-format-my-code-blocks), perhaps [Mathjax](https://crypto.meta.stackexchange.com/a/1070/555). And it's missing the essential: are side-channel attack (timing, power analysis..) on the Python crypto libraries considered as valid attacks? These can "leak private key data".

Score:1

Crypto

fgrieu

1/23/23, 12:22 PM

It appears from the example that encryption and signature use some padding modes in PKCS#1; likely RSAES-PKCS1-v1_5 for encryption and RSASSA-PKCS1-v1_5 with SHA-256 for signature.

Is it possible to leak private key data?

As far as we know, no, the fact that it's deciphered a message and signed it with the same key can not leak private key data. That's independently of the exact padding schemes used for encryption and signature: we just know no way that any use of an RSA private key $(n,d)$ limited to computing $x\mapsto x^d\bmod n$ in a black box free of side channels can leak private key data.

Among similar things that could happen:

The implementation could leak the private key by a side channel; such as a down-to-earth trojan program running on the platform, or Differential Power Analysis. There are many other side-channels to fear.
The implementation of RSAES-PKCS1-v1_5 decryption might be among the many that are vulnerable to some variant of Bleichenbacher attack. That could allow turning the server into an oracle that allows (with enough queries) computation of the function $x\mapsto x^d\bmod n$ for arbitrary $x$, giving a (very slow) equivalent to knowing the private key to an attacker that can communicate with the server.

It's not academically correct to use the same public/private key pair for encryption and signature, but with the four encryption and signature modes in PKCS#1 it does not enable any known attack. The weakest apparent links in the security chain are

The very functionality of the server: it allows to obtain the signature of anything that fits the size limitation for encryption (117 bytes).
The 512-bit modulus, which can be factored (that was already possible in the 20th century).
The use of RSAES-PKCS1-v1_5 decryption on unauthenticated ciphertext from the open.

0 + 0

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: Is a RSA private key leak possible if I both sign and decrypt?

TH: คีย์ส่วนตัว RSA รั่วไหลได้หรือไม่หากฉันทั้งลงชื่อและถอดรหัส

RO: Este posibilă o scurgere de cheie privată RSA dacă semnez și decriptez?

RU: Возможна ли утечка закрытого ключа RSA, если я подпишу и расшифрую?

VI: Có thể xảy ra rò rỉ khóa riêng RSA nếu tôi vừa ký vừa giải mã không?

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.