[djsumdog]

This article doesn't mention openssl or ssh-keygen. Are the standard commands we see in most articles for creating keys via these two popular tools compromised in any way?

I never roll my own encryption, and most developers don't (unless they're just playing with stuff and learning how to understand it; and not use it in production). I stick to standard tools and libraries like Legion of the Bouncy Castle and pypi RSA.

I wish this article covered the way most developers interact with RSA libraries and showing us those specific problems.

[lvh]

Some keygen is busted, but openssl RSA (as well as ssh-keygen) are probably fine. Part of the problem there is "probably": turns out RSA keygen is a lot harder than ECC keygen. (Since ROCA broke a bunch of RSA keygen, our confidence in e.g. openssl's keygen is increased.)

Using standard tools like PyPI RSA, however, does not necessarily save you. Not only will openssl's RSA happily generate a bad key for you if you ask it nicely, Because it's pure Python, there's a good chance it's vulnerable to side channel attacks. Also, it uses PKCSv15 padding for encryption, and is therefore definitely vulnerable to the Bleichenbacher attack mentioned in the article, for example.

Just use libsodium's box.

[tabletopneedle]

If you're on Python and you for some weird reason absolutely have to use RSA, make sure to use RSA-OAEP and the pyca/cryptography library: https://cryptography.io/en/latest/hazmat/primitives/asymmetr...

sybrenstuvel/python-rsa/ is PKCSv1.5 which like lvh said, is not secure.

RSA is fundamentally less secure than Diffie-Hellman as it lacks forward secrecy. So even a perfect implementation is still less secure.