3
$\begingroup$

My own understanding (possibly wrong of course) of RSA-OAEP encryption scheme is that it provides plaintext integrity (in addition to confidentiality) due to MGF function which for encryption operation, applies to maskeDB sequence which value directly depends of input M (plaintext) message, and is further checked during decryption operation.

However in previous post on that subject, the answer indicated that no public key encryption scheme can satisfy INT-PTXT (nor INT-CTXT) requirements

So is it possible to have confirmation if rsa-oaep insures integrity of input symmetric session key to be encrypted or if it is recommended with rsa-oaep to encrypt a symmetric session key appended with a hash or eventually crc value for insuring integrity ?

Improve this question
$\endgroup$
0

2 Answers 2

Reset to default
6
$\begingroup$

RSA-OAEP does not provide "plaintext integrity in addition to confidentiality". ​ By the definition of PKE, anyone with the public key can encrypt whatever plaintexts they choose. ​ In particular, encrypting "a symmetric session key appended with a hash or eventually crc value for insuring integrity" doesn't help. ​ To get integrity, there has to be something [the honest party knows which the adversary doesn't know] or [the honest party can do that the adversary can't do].

Improve this answer
$\endgroup$
4
  • $\begingroup$ Wouldn't that constitute a "no" instead of a "yes"? $\endgroup$ Commented Jan 3, 2016 at 2:54
  • $\begingroup$ Good point. ​ ​ ​ $\endgroup$ Commented Jan 3, 2016 at 3:27
  • $\begingroup$ @Ricky Demer : thks I understand your answer, as anyone can encrypt anything using public key, there is no valid reference to insure plaintext integrity following decryption- I have been a little bit confused by following EMC/RSA [document ](lists.w3.org/Archives/Public/public-xmlsec/2009May/att-0032/…) which claims integrity with rsa-oaep in page 5. May integrity have another meaning in that case ? $\endgroup$ Commented Jan 3, 2016 at 11:51
  • $\begingroup$ They presumably mean non-malleability. ​ ​ $\endgroup$ Commented Jan 3, 2016 at 21:24
2
$\begingroup$

My understanding is that RSA-OAEP provides some sort of alteration detection of some data effectively generated during the OAEP phase, but it may not be considered as a real authenticity.

Improve this answer
$\endgroup$
1
  • $\begingroup$ Right. RSAES-OAEP insures is that in order to produce a ciphertext that decrypts, adversaries must know in it's entirety the plaintext that will be produced by the decryption. In particular, from ciphertext for a message with an unknown fragment it's not possible to make ciphertext deciphering to something related in a known way to that fragment. Adversaries can create encrypted messages, but not alter encrypted messages. $\endgroup$ Commented Jan 8 at 15:14

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.