myhack58 佚名 MYHACK58:62201682330
Dec 22, 2016 - 12:00 a.m.

Everything you know about public-key encryption in PHP is wrong - vulnerability warning - the black bar safety net

2016-12-22 00:00:00
佚名 (Anonymous)
www.myhack58.com

Last year our security team confirmed CVE-2015-7503, also known as ZF2015-10, a vulnerability in the way the Zend Framework cryptographic library uses RSA.
The actual vulnerability is the "padding oracle" in RSA encryption with PKCS#1 v1.5 padding, originally published by Daniel Bleichenbacher in 1998. A padding oracle lets an attacker who holds an encrypted message repeatedly send modified ciphertexts to the server; each attempt reveals whether the padding was accepted, and from those error signals the original message can be recovered.
One might expect that, for a vulnerability that lets an attacker recover the original message and that has been known for more than sixteen years, developers would understand it and reduce the chances of exploitation.
Unfortunately, when we examined PHP software, both open source and proprietary, we found that application-layer encryption protocols written as late as 2016 still contain this vulnerability and can be attacked this way.
We believe two main factors explain this result:

  1. Most developers do not understand well enough how to implement public-key encryption securely, in any language.
  2. The default configuration of PHP's OpenSSL extension is insecure, and in practice nobody changes the defaults.
Quick solution: use a secure PHP public-key encryption library

If you are not interested in all the "why is this insecure", you can skip straight to "choosing a proper cryptography library for your PHP project".

How RSA goes wrong

When it comes to application-layer cryptography, using RSA at all is simply a mistake. That does not mean your program is a complete failure, but in any case you have to avoid a long list of RSA implementation flaws (some obvious, some not). Let's look at a few that a PHP developer may encounter.
The insecure default configuration fools everyone

In PHP, most RSA implementations use the following two functions:
openssl_public_encrypt()
openssl_private_encrypt()
Take a look at both function prototypes; each has a default padding argument:
[Image: prototypes of openssl_public_encrypt() and openssl_private_encrypt(), showing the default padding argument]
The OPENSSL_PKCS1_PADDING constant tells the OpenSSL extension "we want PKCS#1 padding". But as we said before, RSA with PKCS#1 v1.5 padding has the padding oracle weakness that has been public since 1998. Because the attacker may need on the order of a million messages to recover the plaintext, this attack is better known as the "million message attack".
The solution is to pass the OPENSSL_PKCS1_OAEP_PADDING constant whenever you use these two functions. This constant forces OAEP padding instead of the insecure PKCS#1 v1.5 padding.
In our experience, practically nobody does this (unless someone on our team points it out):
Zend\Crypt didn't
Sikker (PHP security library) didn't
Pikirasa (PHP cryptography library) didn't
Minds (social network allegedly backed by "Anonymous") didn't
Even experienced cryptography developers often forget to use OAEP when encrypting with RSA.
So if you are asked to evaluate the use of public-key algorithms (whether as a developer or a penetration tester), and the conversation about RSA turns to "is a 2048-bit key enough, or do I need 4096 bits?", first check which padding mode is in use. Most likely a few thousand messages are all that is needed to recover the plaintext, which completely voids the application's security.
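The two fixes implied above, as an added example that is not code from the original article: RSA encryption and decryption that request OAEP explicitly instead of inheriting the PKCS#1 v1.5 default, plus a rough regex audit (my own heuristic, one call per line) that reports calls which still rely on the default padding. The key pair, the function names and the sample snippet are all constructed for the demonstration.

```php
<?php
// Added example, not code from the original article. It shows the insecure default
// padding argument of PHP's RSA functions, the OAEP fix, and a rough source audit for
// calls that still rely on the default. The key pair is generated here for the demo.
// PHP prototypes (the 4th argument defaults to PKCS#1 v1.5 padding):
//   openssl_public_encrypt(string $data, &$encrypted, $key, int $padding = OPENSSL_PKCS1_PADDING): bool
//   openssl_private_decrypt(string $data, &$decrypted, $key, int $padding = OPENSSL_PKCS1_PADDING): bool

function encryptOaep(string $message, $publicKey): string
{
    // FIXED: OAEP is requested explicitly instead of inheriting the PKCS#1 v1.5 default.
    if (!openssl_public_encrypt($message, $ciphertext, $publicKey, OPENSSL_PKCS1_OAEP_PADDING)) {
        throw new RuntimeException('RSA encryption failed: ' . openssl_error_string());
    }
    return $ciphertext;
}

function decryptOaep(string $ciphertext, $privateKey): string
{
    if (!openssl_private_decrypt($ciphertext, $plaintext, $privateKey, OPENSSL_PKCS1_OAEP_PADDING)) {
        // One generic error for every failure: a distinguishable padding error is what an oracle needs.
        throw new RuntimeException('RSA decryption failed');
    }
    return $plaintext;
}

// Heuristic audit (regex, one call per line): report openssl_*_encrypt/decrypt calls that
// do not name OPENSSL_PKCS1_OAEP_PADDING, i.e. use the default or PKCS#1 v1.5 explicitly.
function findWeakRsaPaddingCalls(string $source): array
{
    $hits = [];
    foreach (explode("\n", $source) as $i => $line) {
        if (preg_match('/openssl_(public|private)_(en|de)crypt\s*\((.*)\)/', $line, $m)
            && strpos($m[3], 'OPENSSL_PKCS1_OAEP_PADDING') === false) {
            $hits[] = ($i + 1) . ': ' . trim($line);
        }
    }
    return $hits;
}

// Demo with a throwaway 2048-bit key pair (constructed here, not real key material).
$key = openssl_pkey_new(['private_key_type' => OPENSSL_KEYTYPE_RSA, 'private_key_bits' => 2048]);
$publicKey = openssl_pkey_get_details($key)['key'];
var_dump(decryptOaep(encryptOaep('constructed sample message', $publicKey), $key));

// Constructed snippet: the first call keeps the default padding, the second is fixed.
$snippet = "openssl_public_encrypt(\$data, \$out, \$pub);\n"
         . "openssl_public_encrypt(\$data, \$out, \$pub, OPENSSL_PKCS1_OAEP_PADDING);";
print_r(findWeakRsaPaddingCalls($snippet));
```

The audit only flags lines for human review; it cannot see constants passed through variables, so treat an empty result as a starting point, not a proof.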
The dangers of using RSA encryption directly

If you have read this far and thought "well, if I just remember to use OAEP, can I use RSA directly to encrypt any message without problems?", not so fast: you had better not use RSA to encrypt long messages.
When faced with a long message, most developers are clever: they split it into 214-byte blocks (for a 2048-bit key) and encrypt each block separately. This is simply RSA in what would be called ECB mode.
If you do this, an attacker may not be able to recover your plaintext, but as said before RSA is very slow, and an attacker can abuse that to mount a denial-of-service attack, which easily grows into a DDoS. Nor does attacking RSA used this way require any sophisticated method: an attacker may only need to copy, reorder, or delete 214-byte blocks, and none of that produces a decryption error.
Use a hybrid cryptosystem

The best way to do public-key cryptography is to build a hybrid cryptosystem that combines a symmetric cipher with an asymmetric one. Doing so has the following benefits:
Efficiency: a symmetric cipher encrypts much faster than asymmetric cryptography
Applicability: there is no practical limit on message length
Security: see the problems described above
Hybrid RSA+AES

Combining RSA and AES typically requires:
(1) Encrypt the message with a symmetric cipher under a symmetric key.
(2) Encrypt the symmetric key from (1) with public-key cryptography, so that only the holder of the private key can decrypt the symmetric key and use it.
Since version 3.1.0, Zend\Crypt provides a hybrid RSA-AES cryptosystem, as does the EasyRSA library. The Zend Framework documentation explains how the hybrid encryption scheme works very well.
Given the existing AES key sizes, the data you need to RSA-encrypt is only 16, 24, or 32 bytes, far less than the 214 bytes that 2048-bit RSA allows at most. The actual data is encrypted with AES in CBC mode or AES in CTR mode. For most applications there is no practical upper limit on the message length.
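The two-step scheme above, as an added example that is neither the article's code nor Zend\Crypt's or EasyRSA's: RSA-OAEP wraps a random AES-256 key and the message is encrypted with AES-256-CTR. Beyond what the text describes, the example adds encrypt-then-MAC with HMAC-SHA256, because CTR (or CBC) alone gives no integrity protection; the wire format, the function names and the key pair are constructed for the demonstration.

```php
<?php
// Added example, not code from the article, Zend\Crypt or EasyRSA. A minimal hybrid
// cryptosystem as described above: RSA-OAEP wraps a random AES-256 key and the message
// is encrypted with AES-256-CTR. Encrypt-then-MAC with HMAC-SHA256 is added here beyond
// the text, because CTR (or CBC) on its own gives no integrity protection.

function hybridEncrypt(string $message, $rsaPublicKey): string
{
    $aesKey = random_bytes(32);   // AES-256 key: 32 bytes, far below RSA-2048's 214-byte limit
    $macKey = random_bytes(32);
    $iv     = random_bytes(16);
    $ct = openssl_encrypt($message, 'aes-256-ctr', $aesKey, OPENSSL_RAW_DATA, $iv);
    if ($ct === false) throw new RuntimeException('AES encryption failed');
    // Only the 64 bytes of symmetric key material go through RSA (OAEP, never the default).
    if (!openssl_public_encrypt($aesKey . $macKey, $wrapped, $rsaPublicKey, OPENSSL_PKCS1_OAEP_PADDING)) {
        throw new RuntimeException('RSA key wrap failed');
    }
    $body = $iv . $ct;
    $mac  = hash_hmac('sha256', $wrapped . $body, $macKey, true);
    // Wire format (constructed for this example): len(wrapped) || wrapped || iv || ct || mac
    return pack('n', strlen($wrapped)) . $wrapped . $body . $mac;
}

function hybridDecrypt(string $blob, $rsaPrivateKey): string
{
    if (strlen($blob) < 2 + 16 + 32) throw new RuntimeException('blob too short');
    $wlen    = unpack('n', substr($blob, 0, 2))[1];
    $wrapped = substr($blob, 2, $wlen);
    $body    = substr($blob, 2 + $wlen, -32);
    $mac     = substr($blob, -32);
    if (!openssl_private_decrypt($wrapped, $keys, $rsaPrivateKey, OPENSSL_PKCS1_OAEP_PADDING)
        || strlen($keys) !== 64) {
        throw new RuntimeException('RSA key unwrap failed');
    }
    $aesKey = substr($keys, 0, 32);
    $macKey = substr($keys, 32);
    // Verify before decrypting; hash_equals() is a constant-time comparison.
    if (!hash_equals(hash_hmac('sha256', $wrapped . $body, $macKey, true), $mac)) {
        throw new RuntimeException('MAC mismatch: ciphertext was modified or reordered');
    }
    $pt = openssl_decrypt(substr($body, 16), 'aes-256-ctr', $aesKey, OPENSSL_RAW_DATA, substr($body, 0, 16));
    if ($pt === false) throw new RuntimeException('AES decryption failed');
    return $pt;
}

// Demo with a throwaway 2048-bit key pair generated here; the message is far longer than 214 bytes.
$key  = openssl_pkey_new(['private_key_type' => OPENSSL_KEYTYPE_RSA, 'private_key_bits' => 2048]);
$pub  = openssl_pkey_get_details($key)['key'];
$msg  = str_repeat('constructed long message ', 100);
var_dump(hybridDecrypt(hybridEncrypt($msg, $pub), $key) === $msg);
```

Because the MAC covers the wrapped key and the whole body, the block copying, reordering and deletion described above is rejected before any decryption takes place.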
Hybrid ECDH+XSalsa20-Poly1305

The Libsodium cryptographic library uses an elliptic-curve Diffie-Hellman key exchange instead of RSA to negotiate a shared key; that shared key is then used with xsalsa20-poly1305 to encrypt and authenticate the message.
The relevant function is crypto_box().
When you want to encrypt data to the recipient's public key such that the sender cannot decrypt it, Libsodium has another function, crypto_box_seal(), which generates a random public-private key pair for each message and attaches the public key to the ciphertext.

Attacks on the RSA modulus are a long-term threat

RSA's security rests on the difficulty of factoring large numbers; however, in the near future that security guarantee faces two major threats:
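The sealed-box variant just described, as an added example (not from the article) using PHP's sodium extension, available since PHP 7.2; the recipient key pair and the message are constructed for the demonstration. It shows that one call replaces the whole hybrid construction and that the Poly1305 authenticator rejects a modified ciphertext instead of decrypting it.

```php
<?php
// Added example, not code from the original article. Sealed boxes via PHP's sodium
// extension (PHP >= 7.2): X25519 ECDH with an ephemeral sender key, XSalsa20-Poly1305
// for the message. The recipient key pair and the message are constructed here.
$recipientKeypair = sodium_crypto_box_keypair();               // recipient's long-term key pair
$recipientPublic  = sodium_crypto_box_publickey($recipientKeypair);

// The sender needs only the recipient's public key. An ephemeral key pair is created
// per message internally and its public half is stored with the ciphertext.
$sealed = sodium_crypto_box_seal('constructed sample message', $recipientPublic);
// The overhead is fixed: ephemeral public key plus Poly1305 tag (SODIUM_CRYPTO_BOX_SEALBYTES).
assert(strlen($sealed) === strlen('constructed sample message') + SODIUM_CRYPTO_BOX_SEALBYTES);

// Only the recipient's secret key can open it; the sender cannot decrypt its own output.
$opened = sodium_crypto_box_seal_open($sealed, $recipientKeypair);
if ($opened === false) {
    throw new RuntimeException('sealed box rejected: wrong key or tampered ciphertext');
}
var_dump($opened === 'constructed sample message');

// Integrity check: flip one bit of the ciphertext and confirm the box refuses to open.
$tampered = $sealed;
$last = strlen($tampered) - 1;
$tampered[$last] = chr(ord($tampered[$last]) ^ 0x01);
var_dump(sodium_crypto_box_seal_open($tampered, $recipientKeypair) === false);
```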
