[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
http://www.rsa.com/rsalabs/cryptobytes/
FYI.
---------- Begin Forwarded Message ----------
From: <[email protected]>
Message-ID: <[email protected]>
Date: Fri, 05 Jan 1996 12:31:08 EST
Subject: Recent cryptographic findings
To: [email protected]
For those who may not have seen it, the most recent issue of CryptoBytes (Vol1,
No. 3) put out by RSA Laboratories has a wealth of information in it. I have
not had the time to fully digest the importance of all of the articles, but in
the first one Adi Shamir has proposed an "unbalanced RSA" variant of RSA which
"makes it possible to increase the modulus size from 500 bits to 5,000 bits
without any speed penalty."
Another article discusses means of deliberately constructing collisions (due to
Hans Dobbertin of the German Information Security Agency) when using MD4, and
concludes that "where MD4 is in use, it should be replaced." So far, at least,
it appears that MD5, RIPEMD, and SHA-1 would resist this kind of attack, but a
certain amount of nervousness might be in order.
(Hugo Krawczyk of IBM Research and I considered some of these possibilities in
conjunction with work we did on the SEPP protocol, which uses a salted hash
function as a means of confirming the knowledge of a secret to a third party
without having to use encryption. We were concerned that collisions might be
possible, and also that it might be possible to partially reverse a hash
function and glean at least information about the message that was being
hashed, (the credit card number) in the case of a very short message. We ended
up proposing a combination 140-bit hash function which includes both MD5 and
SHA-1, assuming that it would be much more difficult to break both algorithms
than just one. I will post the analysis to this list in a subsequent message.)
Finally, Burt Kalisky provides a compendium of some of the possible attacks
against RSA, and discusses simple and practical countermeasures.
It seems to me that the most important of the various attacks involve the
encryption and decryption of small messages. Since small messages are
frequently generated for key exchange and for signature purposes, it is
important that we consider these issues carefully. In particular, the use of
pseudo-random padding for both encryption (a la the Bellare-Rogaway Optimal
Asymmetric Encryption Padding) seems very beneficial, and padding is also
important in the signature block.
This group certainly ought to examine these issues very carefully, and we
should probably give serious consideration to adopting OAEP for message
encryption and key exchange. I believe we should also give serious
consideration to a increased length message digest function such as SHA-1, and
perhaps incorporate the use of multiple message digest algorithms for
particularly important signatures , e.g., CA certificates.
The back issues of CryptoBytes are available at
http://www.rsa.com/rsalabs/cryptobytes/.
Bob
----------------------------
Robert R. Jueneman
GTE Laboratories
1-617-466-2820 Office
"The opinions expressed are my own, and may or may not
reflect the official position of GTE, if any."
----------- End Forwarded Message -----------