Missing padding for RSA algorithm
Context used in encryption or signing operation is not associated with any padding
Description
This defect occurs when you perform RSA encryption or signature by using a context object without associating the object with a padding scheme.
For instance, you perform encryption by using a context object that was initially not associated with a specific padding.
ret = EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_NO_PADDING);
...
ret = EVP_PKEY_encrypt(ctx, out, &out_len, in, in_len);
Risk
Padding schemes remove determinism from the RSA algorithm and protect RSA operations from certain kinds of attack. Padding ensures that a given message does not lead to the same ciphertext each time it is encrypted. Without padding, an attacker can launch chosen-plaintext attacks against the cryptosystem.
Fix
Before performing an RSA operation, associate the context object with a padding scheme that is compatible with the operation.
- Encryption: Use the OAEP padding scheme.
  For instance, use the EVP_PKEY_CTX_set_rsa_padding function with the argument RSA_PKCS1_OAEP_PADDING or the RSA_padding_add_PKCS1_OAEP function. You can also use the PKCS#1v1.5 or SSLv23 schemes. Be aware that these schemes are considered insecure.
  ret = EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_PKCS1_OAEP_PADDING);
  You can then use functions such as EVP_PKEY_encrypt / EVP_PKEY_decrypt or RSA_public_encrypt / RSA_private_decrypt on the context.
- Signature: Use the RSA-PSS padding scheme.
  For instance, use the EVP_PKEY_CTX_set_rsa_padding function with the argument RSA_PKCS1_PSS_PADDING. You can also use the ANSI X9.31, PKCS#1v1.5, or SSLv23 schemes. Be aware that these schemes are considered insecure.
  ret = EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_PKCS1_PSS_PADDING);
  You can then use functions such as the EVP_PKEY_sign - EVP_PKEY_verify pair or the RSA_private_encrypt - RSA_public_decrypt pair on the context.
If you perform two kinds of operation with the same context, after the first operation, reset the padding scheme in the context before the second operation.
Examples
Result Information
Group: Cryptography
Language: C | C++
Default: Off
Command-Line Syntax: CRYPTO_RSA_NO_PADDING
Impact: Medium
Version History
Introduced in R2018a
See Also
Incompatible padding for RSA algorithm operation | Missing blinding for RSA algorithm | Nonsecure RSA public exponent | Weak padding for RSA algorithm | Find defects (-checkers)
Topics
- Interpret Bug Finder Results in Polyspace Desktop User Interface
- Interpret Bug Finder Results in Polyspace Access Web Interface (Polyspace Access)
- Address Results in Polyspace User Interface Through Bug Fixes or Justifications
- Address Results in Polyspace Access Through Bug Fixes or Justifications (Polyspace Access)