[botan-devel] botan-devel Digest, Vol 110, Issue 1

Stuart Maclean stuart at apl.washington.edu
Tue Jun 3 18:36:48 EDT 2014

On 06/03/2014 03:09 PM, botan-devel-request at randombit.net wrote:
> I am playing with a session key exchange using RSA, I am using Botan 1.8.10
> in Linux.
> In testing, I initially set my session key of 32 bytes to all zeros.  This
> failed to encrypt, I get a Botan error
> terminate called after throwing an instance of 'Botan::Invalid_Argument'
>    what():  Botan: Power_Mod::set_base: arg must be > 0
> Aborted (core dumped)
> I am wondering if this is a bug or whether you simply cannot set the message
> 'm' to zero and expect m^e mod n to work??
> Well, I suppose it would 'work' in the sense that 0^e mod n equals 0
> and 0^d mod n will return the plaintext 0, so RSA is in fact still
> invertible in this case, but isn't a particularly useful case either.
> Strictly speaking obviously modular exponentiation is defined for any
> integer base, but in practice a number <= zero would never happen here
> outside of a bug.
>> NOT memsetting the sessionkey buffer to zero, which will result in undefined
>> data in sessionkey (from the stack) somehow 'fixes' the issue.
> That makes sense as likely at least on bit is then set in the buffer,
> resulting in encrypting a positive integer.
> Please do consider using an padding scheme such as OAEP (called EME1
> in most releases for obscure reasons - see doc/examples/rsa_enc.cpp
> for example usage) as RSA encrypting raw bitstrings in this manner has
> a number of nasty pitfalls. In fact more recent versions remove the
> encrypt() operation on RSA keys entirely, as it was intended only for
> implementing higher-level operations and not directly for use by
> applications. As these padding schemes add both structure and and some
> level of randomization it ensures that even an all-zero string is
> represented as some positive integer, so that encryption works
> normally for any message, even an empty/all-zero one.
> Cheers,
>    Jack

Hi Jack, thanks for the followup.  Eek, I was under the obviously false 
assumption that PKCS1.5 padding WAS being done on my message m BEFORE 
handing it to the rsa.encrypt routine.

If I were to upgrade to a new Botan version, can you point me at the 
relevant classes to perform the same operation, i.e. a rsa key pair used 
for say session key exchange??



More information about the botan-devel mailing list