
Re: Quoting Portions of a Signed Document




> You could just use RSA encryption to encrypt the message in the following
> manner:
> 
> The user encrypts the message with his *private* key. 

That's a signature. 

...
> At a bare minimum this would have to be done on a level of granularity of a 
> sent[e]nce to have any meaning at all and even then [its] rel[e]vance would
> be questioned. 

Quoting in the real world is like that (although that would allow you to
transpose/repeat sentences [?]). The problem is more one of having too much to
sign (processor time/bandwidth), but I think you're always going to have that
with a small granularity. Also, when not using a hash, you have to worry about
chosen-gidget attacks (see the excerpt from the PGP Attack FAQ after my
.sig...). 
 
> - ---------------------------------------------------------------
> William H. Geiger III  http://users.invweb.net/~whgiii
> Geiger Consulting    Cooking With Warp 4.0
> 
> Author of E-Secure - PGP Front End for MR/2 Ice
> PGP & MR/2 the only way for secure e-mail.
> OS/2 PGP 2.6.3a at: http://users.invweb.net/~whgiii/pgpmr2.html
> - ---------------------------------------------------------------

---------------------------------------------------------------------------
Randall Farmer
    [email protected]
    http://hiwaay.net/~rfarmer
---------------------------------------------------------------------------
From the PGP Attack FAQ:

 Chosen cipher-text attack
  
   An attacker listens in on the insecure channel in which RSA messages
   are passed. The attacker collects an encrypted message c, from the
   target (destined for some other party). The attacker wants to be able
   to read this message without having to mount a serious factoring
   effort. In other words, she wants m=c^d.
   
   To recover m, the attacker first chooses a random number, r<n. (The
   attacker has the public-key (e,n).) The attacker computes:
   
   x=r^e mod n (She encrypts r with the target's public-key)
   
   y=xc mod n (Multiplies the target ciphertext with the temp)
   
   t=r^-1 mod n (Multiplicative inverse of r mod n)
   
   The attacker counts on the property that:
   
                      If x=r^e mod n, Then r=x^d mod n
                                      
   The attacker then gets the target to sign y with her private-key,
   (which actually decrypts y) and sends u=y^d mod n to the attacker. The
   attacker simply computes:
   
    tu mod n = (r^-1)(y^d) mod n = (r^-1)(x^d)(c^d) mod n = (c^d) mod n
                                    = m
                                      
   To foil this attack do not sign some random document presented to you.
   Sign a one-way hash of the message instead.
 
     _________________________________________________________________
                                      
   Last modified: 19 Nov 1996
   Author: infiNity <[email protected]>
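
The FAQ's arithmetic and its hash countermeasure, worked through as an added example that is not part of the original post or of the FAQ. The toy key (built from the Mersenne primes 2^61-1 and 2^89-1), the sample message, the value of r and all function names are constructed for illustration.

```python
import hashlib

# Constructed toy key: far too small for real use, large enough to show the math.
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))          # private exponent d
NBYTES = (N.bit_length() + 7) // 8
M = int.from_bytes(b"attack at dawn", "big")  # constructed plaintext m < n

def raw_sign(y):
    """Textbook RSA 'signature' of an arbitrary number: y^d mod n (no hash)."""
    return pow(y, D, N)

def hashed_sign(y):
    """Sign a one-way hash of the presented value instead of the value itself.
    The digest is reduced mod n only because the toy modulus is small."""
    digest = hashlib.sha256(y.to_bytes(NBYTES, "big")).digest()
    return pow(int.from_bytes(digest, "big") % N, D, N)

def blind(c, r):
    """y = x*c mod n with x = r^e mod n: the value presented for signing."""
    return (pow(r, E, N) * c) % N

def unblind(u, r):
    """t*u mod n with t = r^-1 mod n."""
    return (pow(r, -1, N) * u) % N

def demo(r=0x1234567):
    c = pow(M, E, N)                        # ciphertext of m under (e, n)
    y = blind(c, r)
    via_raw = unblind(raw_sign(y), r)       # u = y^d = r*m, so t*u = m
    via_hash = unblind(hashed_sign(y), r)   # u = H(y)^d, unrelated to c^d
    return c, via_raw, via_hash

if __name__ == "__main__":
    c, via_raw, via_hash = demo()
    print("raw signing leaks m:   ", via_raw == M)
    print("hashed signing leaks m:", via_hash == M)
```
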