W3C home > Mailing lists > Public > public-webcrypto@w3.org > June 2016

Re: Testing encrypt with RSA-OAEP

From: Eric Roman <ericroman@google.com>
Date: Thu, 2 Jun 2016 12:02:41 -0700
Message-ID: <CAFswn4kxmYD4-60403iFf4QypPS5vAj2zDD4zOs9eQb_JDvqPg@mail.gmail.com>
To: Charles Engelke <w3c@engelke.com>
Cc: "public-webcrypto@w3.org" <public-webcrypto@w3.org>
This approach SGTM.

On Thu, Jun 2, 2016 at 11:56 AM, Charles Engelke <w3c@engelke.com> wrote:

> Thanks for both suggestions. Unless I hear objections, I'm going to go
> with testing via roundtripping in the browser, plus the extra checks
> Eric has mentioned. That avoid opening a whole can of worms with
> external programs or trying to compile OpenSSL into JavaScript.
>
> I'll also be writing decrypt tests, which won't have this kind of
> problem. That will help assure that roundtripping is a valid way to
> check.
>
> Charlie
>
> On Thu, Jun 2, 2016 at 2:47 PM, Eric Roman <ericroman@google.com> wrote:
> > On Thu, Jun 2, 2016 at 10:44 AM, Charles Engelke <w3c@engelke.com>
> wrote:
> >>
> >> I think I'm done testing encrypt for the various AES modes, and just
> >> have RSA-OAEP to go. But I'm running into a problem: RSA-OAEP injects
> >> randomness when encrypting, so the only way to check that encryption
> >> worked is to see if the result can be decrypted.
> >>
> >> I see three options:
> >>
> >> - assume that if encrypt doesn't throw and exception, it passes
> >>
> >> - check the result of encrypt by using subtleCrypto decrypt to see if
> >> you get the same plaintext back (note that decrypt can be tested with
> >> sample ciphertext so we can tell if it's working separately)
> >
> >
> > I think this second option of round-tripping through decrypt is
> reasonable.
> >
> > We should also do some basic checks on the "shape" of the ciphertext --
> > namely verify its length, and that repeated encryptions yield randomized
> > ciphertext.
> >
> >>
> >> - check the result of encrypt by using an external program to decrypt
> its
> >> result
> >>
> >> The third option seems to be the best in a perfect world. But it would
> >> require the test framework to have an external program that can do
> >
> >
> > If you choose to go this route, you can compile a C implementation used
> for
> > verification (say OpenSSL) down to Javascript using emsripten, and then
> call
> > into that as part of the javascript test.
> >
> > That said, I think the simplicity of roundtrip testing above is a good
> place
> > to start.
> >
> > The interesting compatibility cases are surely going to lie in failure
> > cases, not success cases, hence focusing attention there will yield more
> > fruit IMO, and keep the framework simpler.
> >
> > For instance with OAEP encryption there is interesting interaction
> between
> > the key size, message size, and hash size to test.
> >
> >> RSA-OAEP decryption with all the options subtleCrypto is supposed to
> >> to have: any of the four supported hash functions, and with and
> >> without the optional label. OpenSSL, for example, seems to only
> >> support SHA-1 and no label.
> >>
> >>
> >> I'd appreciate any suggestions on how to proceed (and would also
> >> appreciate pointers on how to extend the framework to use an external
> >> program if that's the needed solution).
> >>
> >> Thanks,
> >>
> >> Charlie
> >>
> >
>
Received on Thursday, 2 June 2016 19:03:10 UTC

This archive was generated by hypermail 2.3.1 : Thursday, 2 June 2016 19:03:11 UTC