Re: Quoting Portions of a Signed Document
> You could just use RSA encryption to encrypt the message in the following
> manner:
>
> The user encrypts the message with his *private* key.
That's a signature.
...
> At a bare minimum this would have to be done on a level of granularity of a
> sent[e]nce to have any meaning at all and even then [its] rel[e]vance would
> be questioned.
Quoting in the real world is like that (although that would allow you to
transpose/repeat sentences [?]). The problem is more one of having too much to
sign (processor time/bandwidth), but I think you're always going to have that
with a small granularity. Also, when not using a hash, you have to worry about
chosen-gidget attacks (see the excerpt from the PGP Attack FAQ after my
.sig...).
> - ---------------------------------------------------------------
> William H. Geiger III http://users.invweb.net/~whgiii
> Geiger Consulting Cooking With Warp 4.0
>
> Author of E-Secure - PGP Front End for MR/2 Ice
> PGP & MR/2 the only way for secure e-mail.
> OS/2 PGP 2.6.3a at: http://users.invweb.net/~whgiii/pgpmr2.html
> - ---------------------------------------------------------------
---------------------------------------------------------------------------
Randall Farmer
[email protected]
http://hiwaay.net/~rfarmer
---------------------------------------------------------------------------
From the PGP Attack FAQ:
Chosen cipher-text attack
An attacker listens in on the insecure channel in which RSA messages
are passed. The attacker collects an encrypted message c, from the
target (destined for some other party). The attacker wants to be able
to read this message without having to mount a serious factoring
effort. In other words, she wants m=c^d.
To recover m, the attacker first chooses a random number, r<n. (The
attacker has the public-key (e,n).) The attacker computes:
x=r^e mod n (She encrypts r with the target's public-key)
y=xc mod n (Multiplies the target ciphertext with the temp)
t=r^-1 mod n (Multiplicative inverse of r mod n)
The attacker counts on the property that:
If x=r^e mod n, Then r=x^d mod n
The attacker then gets the target to sign y with her private-key,
(which actually decrypts y) and sends u=y^d mod n to the attacker. The
attacker simply computes:
tu mod n = (r^-1)(y^d) mod n = (r^-1)(x^d)(c^d) mod n = (c^d) mod n
= m
To foil this attack do not sign some random document presented to you.
Sign a one-way hash of the message instead.
Last modified: 19 Nov 1996
Author: infiNity <[email protected]>
Comments: [email protected]
This document was generated with Orb v1.3 for OS/2.
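
Added example, not part of the original post or the PGP Attack FAQ: the FAQ's algebra carried through in Python with its own symbols (m, c, r, x, y, t, u), comparing a signer that exponentiates whatever integer it is handed with one that signs a one-way hash as the FAQ advises. The key, plaintext and r are constructed toy values, and the "hash reduced mod n" encoding is an assumption made for brevity.

```python
import hashlib

# Constructed toy key: two Mersenne primes. Far too small for real use.
P, Q = 2**31 - 1, 2**61 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent d

def digest(data: bytes) -> int:
    # Toy encoding: SHA-256 reduced mod n. Real schemes use PSS or PKCS#1 v1.5.
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def raw_sign(y: int) -> int:
    """Risky signer: applies d directly to whatever integer it is handed."""
    return pow(y, D, N)

def hashed_sign(document: bytes) -> int:
    """Signer following the FAQ's advice: only H(document) is exponentiated."""
    return pow(digest(document), D, N)

def verify_hashed(document: bytes, sig: int) -> bool:
    return pow(sig, E, N) == digest(document)

def blind(c: int, r: int):
    x = pow(r, E, N)          # x = r^e mod n
    y = (x * c) % N           # y = xc mod n
    t = pow(r, -1, N)         # t = r^-1 mod n
    return y, t

def demo():
    m = int.from_bytes(b"secret msg", "big")   # constructed plaintext, m < n
    c = pow(m, E, N)                            # ciphertext seen on the wire
    y, t = blind(c, r=123456789)                # constructed r < n
    u_raw = raw_sign(y)                         # u = y^d mod n
    doc = y.to_bytes(12, "big")                 # same request, as a document
    u_hashed = hashed_sign(doc)
    return {
        "m": m,
        "via_raw": (t * u_raw) % N,             # tu mod n = m
        "via_hashed": (t * u_hashed) % N,       # unrelated to m
        "hashed_sig_valid": verify_hashed(doc, u_hashed),
    }

if __name__ == "__main__":
    print(demo())
```

The hashed signature still verifies as a signature over the presented bytes, but the multiplicative relation between y and c no longer survives the signing step.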