Re: back to programming projects...

[wcs@anchor.ho.att.com (bill.stewart@pleasantonca.ncr.com +1-510-484-6204)]

> > On a related note, should encrypting remailers have the keys changed
> > regularly?  The RSA-IDEA combination isn't very suspectible to known
> > plaintext attacks, right?

Right.  There are two sets of encryption used in the RSA-IDEA combo:

1) RSA, encrypting a random session key with a public-key algorithm.
By definition, RSA-like public key algorithms can easily have known 
or chosen plaintext generated, since you can encrypt anything you like.
RSA isn't susceptible to known-plaintext (except for verifying that
a (presumably stolen) private key is correct, or by factoring very 
large numbers of very large prime numbers and checking them,
which is computationally infeasible), and any other public key system
that *were* susceptible to known-plaintext attacks wouldn't be very useful.

Major breakthroughs in factoring theory could always change this,
earning mathematical fame and fortune for the discoverer.
Short RSA keys can be factored; you're better off with 1024-bit keys
or longer for anything you're real serious about.

2) IDEA, encrypting the message itself using the session key.
IDEA is not known to be susceptible to anything better than brute force,
so known-plaintext attacks require trying 2**128 keys, which is
computationally infeasible.  Perhaps someone can find a hole in IDEA,
but there's nothing major at present.

3) There's a third component that might use encryption - generating
the "random" session key.  Obviously, if you use the same session
key to send different messages to different people, they might notice.
If you use different session keys to send messages to people,
but the session keys are easily derived from each other,
and one recipient notices the pattern from several messages sent to him,
he might try guessing the key for the next messages you send to
other people.  So use a genuine high-quality random number generator.

There is one more special case, which is sending the same message
to multiple recipients, with the message encrypted once with the session 
key, and multiple versions of the session key encrypted with
each different recipient's public key.  I've forgotten the details,
but if there are more than e recipients, it's possible to crack this.
(e is the encryption exponent, typically 3 or 17.)
That's why PGP and other well-designed systems will pad the session
key with random stuff before encrypting with RSA (which is an essentially
free operation, since the RSA blocksize is much larger than the
session key for IDEA.)

		Bill