Dr S N Henson <[EMAIL PROTECTED]> writes:

> If the other components are present then a more efficient version of the
> algorithm can be used (typically twice as fast) using rsa_mod_exp. This
> is the Chinese remainder theorem (CRT) version.

RSA_eay_mod_exp (I assume that's the actual implementation of
rsa_mod_exp) doesn't check for computation errors (due to MPI library
bugs or random bit flipping).  It probably should, because there's a
simple attack which recovers the private key if a miscomputed
signature is published.

-- 
Florian Weimer                    [EMAIL PROTECTED]
University of Stuttgart           http://cert.uni-stuttgart.de/
RUS-CERT                          +49-711-685-5973/fax +49-711-685-5898
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
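
The check asked for in the message above, as an added example (not OpenSSL's code and not part of the original post): the CRT result is verified against the public key before it is released, and a miscomputed value is discarded and recomputed without CRT. The key is a constructed toy key, `fault_mask` is a hypothetical parameter that simulates a computation error, and `m` stands for the already-padded message representative.

```python
# Added example: RSA-CRT private-key operation with a verify-before-release
# check. Constructed toy key (two Mersenne primes), far too small for real use.
P = 2**31 - 1
Q = 2**61 - 1
E = 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent (Python 3.8+)
DP, DQ = D % (P - 1), D % (Q - 1)      # CRT exponents
QINV = pow(Q, -1, P)                   # CRT coefficient q^-1 mod p


def crt_mod_exp(m, fault_mask=0):
    """Compute m^D mod N via CRT (Garner recombination).

    fault_mask is XORed into the mod-P half to simulate a miscomputation
    such as a bignum library bug or a flipped bit (assumption for the demo).
    """
    sp = pow(m, DP, P) ^ fault_mask
    sq = pow(m, DQ, Q)
    h = (QINV * (sp - sq)) % P
    return sq + h * Q


def checked_sign(m, fault_mask=0):
    """Return (signature, fault_detected).

    The CRT result is released only if it verifies under the public
    exponent. On mismatch it is thrown away and the signature is
    recomputed with the plain (non-CRT) exponentiation.
    """
    s = crt_mod_exp(m, fault_mask)
    if pow(s, E, N) == m % N:
        return s, False
    return pow(m, D, N), True


if __name__ == "__main__":
    m = 123456789                      # constructed message representative
    print(checked_sign(m))             # clean run: CRT result passes the check
    print(checked_sign(m, fault_mask=1))  # faulty run: detected, recomputed
```

The extra public-key exponentiation is cheap when E is small, so the check costs little compared with the private-key operation it protects.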
