http://www.roe.ch/advisories/R201101-jcryption-pear-rsa.txt

SWITCH-CERT SECURITY ADVISORY
=============================

Vulnerability:      Insecure Implementation of RSA Encryption
Affected Products:  jCryption, PEAR Crypt_RSA, PEAR Crypt_RSA2
Advisory Date:      2011-11-30
Advisory Author:    Daniel Roethlisberger, SWITCH-CERT


## Introduction

Web applications using jCryption, PEAR Crypt_RSA or Crypt_RSA2 to
provide confidentiality are vulnerable to exposure of the data
protected by RSA encryption.

jCryption is a jQuery based library for encrypted transmission of
HTML form data from web browser to web application.  jCryption is
designed to provide confidentiality against passive attacks.
PEAR Crypt_RSA and Crypt_RSA2 are libraries providing RSA
encryption to PHP/PEAR based web applications.  PEAR Crypt_RSA2
was designed to be compatible with jCryption.

jCryption and PEAR Crypt_RSA2 implement RSA with a static
checksum and no random padding.  PEAR Crypt_RSA implements RSA
with static padding.  The missing randomness in the padding leads
to a loss of semantic security [1] and thus allows the RSA
encryption to be broken [2,3] under realistic real-world
circumstances.


## Affected Products

Vulnerable:
-   jCryption 1.2
-   jCryption 1.1
-   PEAR Crypt_RSA
-   PEAR Crypt_RSA2

Not Vulnerable:
-   phpseclib Crypt_RSA


## Workaround / Solution

Enabling TLS instead of relying on jCryption is a workaround.

In general, only RSA implementations using a secure padding
scheme such as PKCS#1 OAEP [4] should be used, for example the
phpseclib version of Crypt_RSA.


## Technical Description

The cryptographical protocol implemented by jCryption 1.2 is as
follows:

1) Client requests URL.

2) Server generates per-session RSA keypair with e = 0x10001 and
   random primes p and q.

3) Server sends client the HTML form, the jCryption JavaScript
   code and the per-session RSA public key (e, n).

4) Client encrypts form data as follows:
   checksum = checksum(plaintext);
   ciphertext = RSA_encrypt(checksum || plaintext);
   using modulus n, exponent e, deterministic checksum function
   (modular sum of all bytes) and plain RSA in ECB mode with null
   padding.

5) Client sends ciphertext to server, which does the reverse of 4
   to decrypt the message using the per-session private key d.

PEAR Crypt_RSA2 provides RSA encryption/decryption compatible
with jCryption, thus essentially just step 4.

PEAR Crypt_RSA uses a plain RSA operation in the following way:

   ciphertext = RSA_encrypt(plaintext || 0x01);

Using modulus n, exponent e, concatenation ||, and RSA_encrypt()
being plain RSA in ECB mode with null padding.  There is no
randomness in this scheme.

These are essentially plain textbook RSA with deterministic
padding.  There is a number of well-known attacks against plain
RSA [2,3].  An attacker with the ability to sniff HTTP traffic
can use these attacks to break the RSA encryption, which is the
exact attack scenario that jCryption is designed to protect
against.  The most obvious attack: Because the scheme is not
semantically secure [1], an attacker can guess likely plaintexts,
encrypt them using the known public key, and compare the
resulting cyphertext to the original cyphertext.

The attack scenarios for PEAR Crypt_RSA and Crypt_RSA2 depend on
the way they are used by an application, but in general,
confidentiality is lost in the same way.


## Other Attacks

Of course, since the jCryption scheme lacks authentication and
integrity, it is also vulnerable to active attacks (MitM).
However, since jCryption was not designed to protect against
active attacks and does not claim to do so, that's out of scope
of this advisory, even if it is totally relevant in practice.


## Disclosure Timeline

2011-11-30:     Public disclosure due to no response (jCryption)
                and wont fix (PEAR Crypt_RSA) answers.
2011-08-13:     PEAR project forwards initial notification to a
                public mailing list; response: wont fix.
2011-08-10:     PEAR Crypt_RSA original author response: not
                maintained anymore.
2011-08-10:     Initial vendor/author notification for jCryption
                and PEAR Crypt_RSA.
2011-08-02:     Discovery by Daniel Roethlisberger, SWITCH-CERT.


## References

[1] http://en.wikipedia.org/wiki/Semantic_security

[2] http://en.wikipedia.org/wiki/RSA#Attacks_against_plain_RSA

[3] D. Boneh, A. Joux, P. Nguyen:
    Why Textbook ElGamal and RSA Encryption are Insecure
    http://www.comms.engg.sussex.ac.uk/fft/crypto/Why_Textbook_ElGamal_and_RSA_Encryption_are_Insecure.pdf

[4] RFC 3447: Public-Key Cryptography Standards (PKCS) #1:
    RSA Cryptography Specifications Version 2.1
    https://www.ietf.org/rfc/rfc3447.txt

-- 
SWITCH
Serving Swiss Universities
--------------------------
Daniel Roethlisberger, Security Engineer, SWITCH-CERT
Werdstrasse 2, P.O. Box, 8021 Zurich, Switzerland
phone +41 44 268 15 29, fax +41 44 268 15 78
daniel.roethlisberger@switch.ch, http://www.switch.ch