On Fri, Nov 09, 2012 at 09:36:41AM -0800, Morlock Elloi wrote:
> As long as each encryption of the same plaintext yields the same
> ciphertext, indexing works.  However, the space is tight - plaintext size
> is close to the cipher capacity.

Is there an inferred "so we have no space to pad the plaintext" there?

> BTW, the same plaintext is never encrypted with different keys, so CRT
> doesn't work.

Well, that may be, but without padding RSA(a)*RSA(b) == RSA(a*b), so the
attacker can create fake data or test values by using multiplication.

E.g. values a, b, c, d, etc.

He can create new values k*a for any integer k (as encryption is public):
RSA(k*a) = RSA(k)*RSA(a). He can test multiples: RSA(b) =? RSA(k)*RSA(a).
He can compare values with multiples of other values: RSA(c) =?
RSA(a)*RSA(b), and any variation thereof.

With some knowledge of the domain of the values, and given arbitrary known
plaintext-ciphertext pairs (being public key crypto), that's a fair amount of
rope for an attacker to play with.

Not ECB, but it's something else fragile with its own problems...


>> Do you do any padding?  If not you might be vulnerable
>> to multiplication because:
>> RSA(a)*RSA(b) == RSA(a*b)
>> and if you are doing padding (e.g. with random inputs if any
>> seeded by the plaintext and a fixed secret seed), then you need
>> to rigorously verify the padding on decrypt or the padding may
>> not defend against multiplication.
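
The multiplicative property discussed in this message, next to a deterministic padding that is strictly verified on decrypt, as an added example that is not part of the original e-mail. The toy key, the HMAC-tag padding layout and all names (`SEED`, `padded_encrypt`, `padded_decrypt`, ...) are constructed for illustration; this is not a vetted padding scheme.

```python
import hashlib
import hmac

# Constructed toy key built from two Mersenne primes; far too small for real use.
P, Q = 2**127 - 1, 2**89 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))        # requires Python 3.8+
SEED = b"constructed-fixed-secret-seed"  # hypothetical fixed secret padding seed
TAG_BITS = 64

def raw_encrypt(m: int) -> int:
    """Textbook RSA with no padding: deterministic and multiplicative."""
    return pow(m, E, N)

def is_product(c: int, ca: int, cb: int) -> bool:
    """Ciphertext-only test: does c encrypt the product of ca's and cb's plaintexts?"""
    return c == (ca * cb) % N

def _tag(m: int) -> int:
    mac = hmac.new(SEED, m.to_bytes(16, "big"), hashlib.sha256).digest()
    return int.from_bytes(mac[: TAG_BITS // 8], "big")

def padded_encrypt(m: int) -> int:
    """Padding seeded by plaintext + secret seed: same plaintext, same ciphertext."""
    if not 0 <= m < 2**128:
        raise ValueError("plaintext out of range")
    return pow((m << TAG_BITS) | _tag(m), E, N)

def padded_decrypt(c: int):
    """Return the plaintext, or None when the padding does not verify."""
    x = pow(c, D, N)
    m, tag = x >> TAG_BITS, x & (2**TAG_BITS - 1)
    if m >= 2**128 or not hmac.compare_digest(
            tag.to_bytes(8, "big"), _tag(m).to_bytes(8, "big")):
        return None
    return m

def demo() -> dict:
    a, b, k = 1200, 35, 3  # constructed sample values
    forged = (padded_encrypt(a) * padded_encrypt(b)) % N
    return {
        "raw_product_relation": is_product(raw_encrypt(a * b), raw_encrypt(a), raw_encrypt(b)),
        "raw_multiple_relation": is_product(raw_encrypt(k * a), raw_encrypt(k), raw_encrypt(a)),
        "padded_deterministic": padded_encrypt(a) == padded_encrypt(a),
        "padded_roundtrip": padded_decrypt(padded_encrypt(a)) == a,
        "padded_product_relation": is_product(padded_encrypt(a * b), padded_encrypt(a), padded_encrypt(b)),
        "forged_product_accepted": padded_decrypt(forged) is not None,
    }
```

Skipping the check in `padded_decrypt` would let the product of two ciphertexts decrypt to an arbitrary value instead of being rejected, which is the failure the quoted warning describes.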
