You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Hi, we are a research group to help developers build secure applications. We designed a cryptographic misuse detector (i.e., CryptoGo) on Go language. We found your great public repository from Github, and several security issues detected by CryptoGo are shown in the following.
Note that the cryptographic algorithms are categorized with two aspects: security strength and security vulnerability based on NIST Special Publication 800-57 and other public publications. Moreover, CryptoGo defined certain rules derived from the APIs of Go cryptographic library and other popular cryptographic misuse detectors. The specific security issues we found are as follows:
Location: algo_rs.go:79;
Broken rule: R-07: RSASSA-PKCS1-v1_5 is deprecated;
We wish the above security issues could truly help you to build a secure application. If you have any concern or suggestion, please feel free to contact us, we are looking forward to your reply. Thanks.
The text was updated successfully, but these errors were encountered:
Hello,
Thank you for your feedback. Here, we would like to supplement several explanations according to your question:
Two padding algorithms are provided in the official Go cryptographic library for RSA: PKCS\#1-v1.5 and optimal asymmetric encryption padding (OAEP). As PKCS\#1-v1.5 padding format may be used to recover the RSA private key in different settings [1], thus new secure padding method (i.e., OAEP) is proposed and recommended.
We hope these answers could be acceptable for you.
[1] Sazzadur Rahaman, Haipeng Cai, Omar Haider Chowdhury, and Danfeng Daphne Yao. 2021. From Theory to Code: Identifying Logical Flaws in Cryptographic Implementations in C/C++. IEEE Transactions on Dependable and Secure Computing (2021)
[2] Jakob Jonsson and Burt Kaliski. 2003. Public-Key Cryptography Standards (PKCS) #1: RSA Cryptography Specifications Version 2.1. RFC 3447. (Feb. 2003). https://doi.org/10.17487/RFC3447
Thanks again.
Sincerely,
CryptoGo Team.
------------------ 原始邮件 ------------------
发件人: "cristalhq/jwt" ***@***.***>;
发送时间: 2022年8月28日(星期天) 晚上6:19
***@***.***>;
***@***.******@***.***>;
主题: Re: [cristalhq/jwt] Crypto Go :we are a research group to help developers build secure applications. (Issue #131)
Hi,
Broken rule: R-07: RSASSA-PKCS1-v1_5 is deprecated;
deprecated by who?
—
Reply to this email directly, view it on GitHub, or unsubscribe.
You are receiving this because you authored the thread.Message ID: ***@***.***>
Hi, we are a research group to help developers build secure applications. We designed a cryptographic misuse detector (i.e., CryptoGo) on Go language. We found your great public repository from Github, and several security issues detected by CryptoGo are shown in the following.
Note that the cryptographic algorithms are categorized with two aspects: security strength and security vulnerability based on NIST Special Publication 800-57 and other public publications. Moreover, CryptoGo defined certain rules derived from the APIs of Go cryptographic library and other popular cryptographic misuse detectors. The specific security issues we found are as follows:
Location: algo_rs.go:79;
Broken rule: R-07: RSASSA-PKCS1-v1_5 is deprecated;
We wish the above security issues could truly help you to build a secure application. If you have any concern or suggestion, please feel free to contact us, we are looking forward to your reply. Thanks.
The text was updated successfully, but these errors were encountered: