2

Help, could anybody give me a Java implementation of RSA/CBC? The audit said RSA/ECB/PKCS1Padding is too weak and cannot be put into a law court. (Is he challenging Java PKI in fact? He suggested AES...) I know nothing about Bouncy Castle, tell me if I can plug it in.

http://bouncy-castle.1462172.n4.nabble.com/RSA-CBC-encoding-td1465404.html

Calvin Lee
  • 4
    There is no such thing as a RSA/CBC. You probably misunderstood the audit, or the auditor is an idiot. Or both. – President James K. Polk Nov 02 '11 at 23:37
  • @GregS Why is there no such thing as RSA/CBC? I was under the impression that CBC worked with any cipher. – Cory G. Dec 03 '11 at 16:51
  • 1
    @Pwngulator: It works with any *block* cipher. Theoretically you can define a CBC-like mode even for RSA, but it really doesn't make much sense and there is no implementation of such a thing anywhere. However, as an intellectual exercise, you can think about how you'd define something like CBC mode with RSA. – President James K. Polk Dec 03 '11 at 22:20

1 Answer

3

I think it's natively supported by the JDK. See http://download.oracle.com/javase/6/docs/technotes/guides/security/StandardNames.html

But AES and RSA are two very different algorithms, which are not normally used for the same kind of problem. You would typically use RSA in a handshake to negotiate a secret AES key, and use AES to encrypt the rest of the conversation.

JB Nizet
  • 1
    Your suggestion of exchanging AES key by RSA is good. I think the explanation helps: https://www.owasp.org/index.php/Digital_Signature_Implementation_in_Java "When creating a symmetric cipher to encrypt the plaintext message, use "AES/CBC/PKCS5Padding" and choose a random IV for each plaintext message rather than using simply "AES", which ends up using "AES/ECB/PKCS5Padding". ECB mode is extremely weak for regular plaintext. (It is OK for encrypting random bits though, which is why it is OK to use with RSA.) " – Calvin Lee Nov 03 '11 at 01:11
  • Oracle JDK comes with very selected combinations of algorithm and sequence operators as ECB / CBC. RSA/ECB is among them, no CBC for RSA. "Audit" is right; as some President James K. Polk tried to express above, decryption of RSA is quite slow. That's why aggregation of RSA messages (as CBC) is not commonly supported; still makes sense, if parameters of a secondary encryption system as AES do not fit in a single RSA message. Chain modes may certainly be realized for RSA https://de.wikipedia.org/wiki/Cipher_Block_Chaining_Mode – Sam Ginrich Apr 06 '21 at 18:13
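
The hybrid pattern from the answer, combined with the OWASP advice quoted in the first comment under it, as an added example that is not part of the original thread: RSA encrypts only a random AES key, and AES/CBC with a fresh random IV encrypts the message itself. The class name `HybridDemo`, the key sizes and the sample message are assumptions made for the illustration.

```java
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.SecureRandom;

public class HybridDemo {  // hypothetical class name
    public static void main(String[] args) throws Exception {
        // Constructed recipient key pair; a real sender holds only the public half.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair recipient = kpg.generateKeyPair();

        // Sender: a fresh AES key and a fresh random IV for every message.
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey aesKey = kg.generateKey();
        byte[] iv = new byte[16];
        new SecureRandom().nextBytes(iv);

        // The message goes through AES/CBC, so it can be of any length.
        byte[] plaintext = "constructed sample message of arbitrary length"
                .getBytes(StandardCharsets.UTF_8);
        Cipher aes = Cipher.getInstance("AES/CBC/PKCS5Padding");
        aes.init(Cipher.ENCRYPT_MODE, aesKey, new IvParameterSpec(iv));
        byte[] body = aes.doFinal(plaintext);

        // RSA sees only the 16 random key bytes: one block, so no chaining is needed.
        Cipher rsa = Cipher.getInstance("RSA/ECB/PKCS1Padding");
        rsa.init(Cipher.ENCRYPT_MODE, recipient.getPublic());
        byte[] wrappedKey = rsa.doFinal(aesKey.getEncoded());

        // Recipient: receives (wrappedKey, iv, body) and reverses both steps.
        rsa.init(Cipher.DECRYPT_MODE, recipient.getPrivate());
        SecretKey recovered = new SecretKeySpec(rsa.doFinal(wrappedKey), "AES");
        aes.init(Cipher.DECRYPT_MODE, recovered, new IvParameterSpec(iv));
        String roundTrip = new String(aes.doFinal(body), StandardCharsets.UTF_8);

        System.out.println("wrapped key length: " + wrappedKey.length + " bytes");
        System.out.println("decrypted: " + roundTrip);
    }
}
```

CBC provides confidentiality only; where the ciphertext can be modified in transit, add a MAC over the IV and ciphertext or use an authenticated mode such as "AES/GCM/NoPadding".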