[Botan-devel] Bug: Dropping leading zeros

Jack Lloyd lloyd at randombit.net
Fri May 28 10:29:41 EDT 2010


On Thu, May 27, 2010 at 02:45:28PM +0200, Rickard Bellgrim wrote:
> Hi
> 
> I think I have found a bug in the RSA Encryptor/Decryptor using EME = "Raw" (PK_Encryptor_EME / PK_Decryptor_EME). I have test data that starts with zeros. This data is then encrypted and decrypted, but the leading zeros are not present in the decrypted data.
> 
> It is similar as the bug in EMSA, but I am using 1.9.7 where it was fixed. 
> 
> testdata (hexadecimal): 0039D9491F783FA63763A138BBA4CD28657D01CF3AF03B30B49B5C710B1DE90CFA15CD12D7DC5D23A2A6D99BEC6C481E8B490A142D25A6018ADF5C6D0B86019C05B2DEC0CA3D7795E4E51C6390688335D0435CB9E1617C4EFA29BE778C32782A067C1E104159893DAA90D1E8B8478CB6ABA34C95977899B8D00CB16731F81156D887B7D740D3B303BB7BF01ECFA6495CE4925AF238E4DE194690FBFFC2F728ED
> 
> decrypted (hexadecimal): 39D9491F783FA63763A138BBA4CD28657D01CF3AF03B30B49B5C710B1DE90CFA15CD12D7DC5D23A2A6D99BEC6C481E8B490A142D25A6018ADF5C6D0B86019C05B2DEC0CA3D7795E4E51C6390688335D0435CB9E1617C4EFA29BE778C32782A067C1E104159893DAA90D1E8B8478CB6ABA34C95977899B8D00CB16731F81156D887B7D740D3B303BB7BF01ECFA6495CE4925AF238E4DE194690FBFFC2F728ED

This seems impossible to fix, at least from my thinking right now. The
problem is that with the raw encoding there is no indicator of length,
etc. So, for instance if you encrypted any of these plaintexts:

AA
00AA
0000AA
000000AA
[and so on]

You would always get an identical ciphertext, so there is seemingly no
meaningful way to say that there were originally N leading zeros in
the plaintext, and not N+1 or N-1. This is somewhat intrinsic to the
fact that bare RSA encrypts integers, not bitstrings, and without a
canonical and unambigious encoding of some kind it's impossible to do
the conversion perfectly losslessly.

-Jack



More information about the botan-devel mailing list