Hess Yvan wrote:

> - Does it mean that XML apache security using RSA/ECB/PKCS1Padding is
>   the correct one and that IBM XSS4J contains a critical bug ?
> - Is it right to map RSA 1.5 alg to a Java Cipher "RSA/ECB/PKCS1Padding"
>   ?

PKCS1Padding is the most common form of padding for RSA. There is also OAEP, which is supported within the dsig spec. Using RSA without padding is potentially dangerous - lack of padding can lead to potentially easy to decipher ciphertext when the plain text sizes are small.

So to answer your questions

- PKCS1 padding is correct, and if XSS4J is using no padding, it is an error. However I would be surprised if this were the case - would be interesting to understand some background.
- Needs to be answered by the more Java minded people, but from memory that is correct.

Cheers,
Berin
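
The padding point discussed in this thread, as an added example that is not part of the original messages and is not code from Apache XML Security or XSS4J: it compares the JDK transformations `RSA/ECB/NoPadding` and `RSA/ECB/PKCS1Padding` on a short plaintext. The class name, the helper `run` and the sample message are constructed for illustration, and the JDK's default RSA provider is assumed.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.Key;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.util.Arrays;
import javax.crypto.Cipher;

public class RsaPaddingDemo {
    // Hypothetical helper: one-shot encrypt or decrypt with the given transformation.
    static byte[] run(String transformation, int mode, Key key, byte[] in)
            throws GeneralSecurityException {
        Cipher c = Cipher.getInstance(transformation);
        c.init(mode, key);
        return c.doFinal(in);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        byte[] msg = "yes".getBytes(StandardCharsets.US_ASCII); // constructed short plaintext

        // Without padding the operation is deterministic: equal plaintexts give
        // equal ciphertexts, so a small message space offers no confidentiality.
        byte[] raw1 = run("RSA/ECB/NoPadding", Cipher.ENCRYPT_MODE, kp.getPublic(), msg);
        byte[] raw2 = run("RSA/ECB/NoPadding", Cipher.ENCRYPT_MODE, kp.getPublic(), msg);
        System.out.println("NoPadding ciphertexts equal:    " + Arrays.equals(raw1, raw2));

        // PKCS#1 v1.5 encryption padding adds random bytes on every call.
        byte[] p1 = run("RSA/ECB/PKCS1Padding", Cipher.ENCRYPT_MODE, kp.getPublic(), msg);
        byte[] p2 = run("RSA/ECB/PKCS1Padding", Cipher.ENCRYPT_MODE, kp.getPublic(), msg);
        System.out.println("PKCS1Padding ciphertexts equal: " + Arrays.equals(p1, p2));

        // Raw decryption of a PKCS1-padded ciphertext exposes the encoded block:
        // 00 02 <random non-zero bytes> 00 <message>.
        byte[] block = run("RSA/ECB/NoPadding", Cipher.DECRYPT_MODE, kp.getPrivate(), p1);
        System.out.println("Block starts with 00 02:        " + (block[0] == 0 && block[1] == 2));

        // Interop check: an unpadded ciphertext does not decode as PKCS1Padding,
        // which is how a padding mismatch between two toolkits shows up.
        try {
            run("RSA/ECB/PKCS1Padding", Cipher.DECRYPT_MODE, kp.getPrivate(), raw1);
            System.out.println("Unpadded ciphertext accepted as PKCS1Padding");
        } catch (GeneralSecurityException e) {
            System.out.println("Unpadded ciphertext rejected:   " + e.getClass().getSimpleName());
        }
    }
}
```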