Ruby's RSA crypto bug near miss

The Ruby developers had a near miss with a crypto disaster when an "awful bug" crept into the language's source code development tree. A simple programming error made the library generate RSA keys that caused the encryption mechanism to produce clear text. Luckily, the error was caught before it made it to any release version of Ruby, but it provides a good example of how a simple error can have potentially far-reaching effects.

The RSA asymmetric encryption technique differentiates between secret and public keys. The public key consist of a modulus n and an exponent e. The plain text, m, is encrypted according to the mathematical formula

c = m^e mod n

The point is that the cipher, c, can usually only be decrypted with the secret key. However, the Ruby bug generated RSA keys with an exponent e=1. This only leaves

c = m mod n 

As m is always less than n, the RSA formula collapses into a variation of the legendary ROT26 cipher :

c = m 

Among other things, RSA is used for digital signatures. A signature generated with a key from a Ruby system with the defect is equivalent of a blank cheque, as it will cause any signature to be considered valid. Incidentally, the problem was caused by a trivial programming error that has nothing to do with cryptography: in a for loop for setting individual bits, the criterion for abandoning the loop was set incorrectly, causing every loop to be abandoned after the first iteration.

The problem only affects programs that have generated RSA keys with development versions of Ruby. The recent release of Ruby 1.9.3 is not affected by the problem. Where the problem does exist, the encryption and decryption functions appear to be working correctly; the bug has no effect on externally generated keys that are imported. Users of the development version of Ruby should check their Ruby programs if they generate keys and, if necessary, generate new keys as soon as possible.

(djwm)