[botan-devel] Possible to rsa encrypt a zero ?

Jack Lloyd lloyd at randombit.net
Thu May 1 15:53:58 EDT 2014


On Thu, May 01, 2014 at 10:56:20AM -0700, Stuart Maclean wrote:
> I am playing with a session key exchange using RSA, I am using Botan 1.8.10
> in Linux.
> 
> In testing, I initially set my session key of 32 bytes to all zeros.  This
> failed to encrypt, I get a Botan error
> 
> terminate called after throwing an instance of 'Botan::Invalid_Argument'
>   what():  Botan: Power_Mod::set_base: arg must be > 0
> Aborted (core dumped)
> 
> I am wondering if this is a bug or whether you simply cannot set the message
> 'm' to zero and expect m^e mod n to work??

Well, I suppose it would 'work' in the sense that 0^e mod n equals 0
and 0^d mod n will return the plaintext 0, so RSA is in fact still
invertible in this case, but isn't a particularly useful case either.
Strictly speaking obviously modular exponentiation is defined for any
integer base, but in practice a number <= zero would never happen here
outside of a bug.

> NOT memsetting the sessionkey buffer to zero, which will result in undefined
> data in sessionkey (from the stack) somehow 'fixes' the issue.

That makes sense as likely at least on bit is then set in the buffer,
resulting in encrypting a positive integer.

Please do consider using an padding scheme such as OAEP (called EME1
in most releases for obscure reasons - see doc/examples/rsa_enc.cpp
for example usage) as RSA encrypting raw bitstrings in this manner has
a number of nasty pitfalls. In fact more recent versions remove the
encrypt() operation on RSA keys entirely, as it was intended only for
implementing higher-level operations and not directly for use by
applications. As these padding schemes add both structure and and some
level of randomization it ensures that even an all-zero string is
represented as some positive integer, so that encryption works
normally for any message, even an empty/all-zero one.

Cheers,
  Jack


More information about the botan-devel mailing list