7

Firstly, bear with me, I'm relatively new to cryptography. In a recent static analysis scan of our application, one of the findings complained that we are using ECB:

A mode of operation of a block cipher is an algorithm that describes how to repeatedly apply a cipher's single-block operation to securely transform amounts of data larger than a block. Some of the modes of operation include ECB (Electronic Codebook), CBC (Cipher Block Chaining) and CFB (Cipher Feedback). ECB mode is inherently weak, because it results in the same ciphertext for identical blocks of plaintext. CBC mode does not have this weakness, making it the superior choice.

We are using ECB with RSA. Our understanding is that RSA doesn't support anything other than ECB as it doesn't permit a block size bigger than the size of the key's modulus, and therefore would only ever encrypt a single block (or throw an exception if breaching block size). Our suspicion therefore is that the static code analysis tool is searching for 'ECB' in our code base irregardless of the crypto algorithm used.

Given our choice of an RSA crypto algorithm, is there an inherent weaknesses using ECB mode?

Chris Knight
  • 181
  • 1
  • 1
  • 5

2 Answers2

18

It is highly misleading to call how RSA Encryption is used as 'ECB mode'.

With ECB mode, we break the plaintext into N bit segments, and send each one through the block cipher separately. The block cipher is deterministic, and so if two plaintext blocks happen to be the same, so will the corresponding ciphertext blocks.

Now, with RSA encryption, we take the short message, and some randomness, stir them together (using a padding method), and send that through the RSA primitive, resulting in the ciphertext. If we encrypt the same message again, well, we'll stir in different randomness, resulting in a different looking ciphertext. Hence, we avoid the problems inherent with ECB mode (and thus it is rather inappropriate to call what we do with RSA 'ECB mode').

Now, some closing comments:

  • The above assumes that you are using a known-good RSA padding method, such as OAEP. If you aren't, and are instead using 'textbook RSA' (which is just to take the message, interpret it as a large integer, and send that to the RSA primitive), then there are a number of security problems you can run into, in addition to determinism. If that is the case, you definitely need to fix it.

  • Someone could devise a CBC-type mode for doing RSA encryption (by breaking up the message into separate blocks, and doing an "add mod N" of the ciphertext of one block to the plaintext of the next). We never do so, because of efficiency - if we ever need to RSA encrypt a long message, a far more efficient approach would be to pick a random (say) AES key, RSA encrypt the AES key, and then AES encrypt the actual message with the AES key. Because AES is far more efficient than RSA, this is faster (and we retain the only-someone-with-the-private-key-can-decrypt property of pure RSA).

poncho
  • 154,064
  • 12
  • 239
  • 382
1

"We are using ECB with RSA": It's difficult to understand what you mean by this; nobody does it, ever, so we have no "default meaning" to fall back on. You will have to describe your protocol in more detail, and then we can tell you why it is flawed.

TonyK
  • 402
  • 2
  • 11