[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

*To*: [email protected]*Subject*: Re: 50 attacks... [NOISE]*From*: Hal <[email protected]>*Date*: Thu, 19 Oct 1995 07:27:05 -0700*References*: <[email protected]>*Sender*: [email protected]

[email protected] (Dr. Frederick B. Cohen) writes: >3 - I would have figured at least one of you would have looked up the >chosen plaintext attack and told me why Netscape keys can't be gotten >at this way. I think there's an off change I could win a grand! I had missed this in your original posting. Here it is again: > Concept 3 - There is a chosen plaintext attack against the RSA (published > in the 1980s in a Crypto conference (IACR?). > > Attack 50 - Use your Hot Java capability to sign selected > message after message till the attacker derives your private key. > I think this takes one or two messages per bit of private key. Chosen plaintext attacks against RSA don't work in the context of RSA signatures, because the input to the RSA algorithm is a hash of the message being signed. You can't control the hash the way you need to to implement a chosen plaintext attack. (You can't "choose" the hash.) For example, one kind of chosen plaintext attack would be to get an RSA signature on 2, on 3, on 5, on 7, and so on, on all the primes. This would let you create an RSA signature on any number by factoring the number and multiplying the RSA signatures of its prime factors. But there is no way to do this in practice because as RSA-based signatures are actually implemented only hashes are signed. This is done exactly to prevent this and similar attacks. Hal

**Follow-Ups**:**Re: 50 attacks... [NOISE]***From:*[email protected] (Dr. Frederick B. Cohen)

**References**:**Re: 50 attacks... [NOISE]***From:*[email protected] (Dr. Frederick B. Cohen)

- Prev by Date:
**SciAm's Crypto Stego Pushup** - Next by Date:
**Re: STT - useable in real life ?** - Prev by thread:
**Re: 50 attacks... [NOISE]** - Next by thread:
**Re: 50 attacks... [NOISE]** - Index(es):