Dr S N Henson <[EMAIL PROTECTED]> writes:

> > RSA_eay_mod_exp (I assume that's the actual implementation of
> > rsa_mod_exp) doesn't check for computation errors (due to MPI library
> > bugs or random bit flipping).  It probably should, because there's a
> > simple attack which recovers the private key if a miscomputed
> > signature is published.
> > 
> 
> Which attack are you referring to?

It's described in the following paper, in the RSA-CRT section:

| Boneh, D., DeMillo, A., and Lipton, R. (1997) On the Importance of
| checking cryptographic protocols for faults.  In W. Fumy (ed)
| Advances in Cryptology-Eurocrypt'97, Volume 1233 of Lecture Notes in
| Computer Science, pages 37-51, Springer-Verlag. Also available on the
| Web at http://theory.stanford.edu/~dabo/papers/faults.ps.gz.

> In any case RSA_eay_mod_exp() is called internally only after additional
> processing, such as block formatting, is performed.

Hmm, but the signature isn't verified, right?  So that's not relevant.

-- 
Florian Weimer                    [EMAIL PROTECTED]
University of Stuttgart           http://cert.uni-stuttgart.de/
RUS-CERT                          +49-711-685-5973/fax +49-711-685-5898
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
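
The check discussed in this thread, as an added example (not code from the message or from OpenSSL): an RSA-CRT private operation whose result is released only if it verifies under the public key. The toy primes, the function names and the flip_bit_in_sp fault hook are assumptions made for the illustration; it needs Python 3.8 or later.

```python
# Added illustration; toy parameters constructed for the demo, not real key sizes.
P, Q, E = 1000003, 1000033, 65537      # small primes, constructed
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent
DP, DQ, QINV = D % (P - 1), D % (Q - 1), pow(Q, -1, P)


class SignatureFault(Exception):
    """Raised when the CRT result fails the public-key check."""


def crt_sign_raw(m, flip_bit_in_sp=None):
    """RSA-CRT private operation on an already formatted block m (0 <= m < N).

    flip_bit_in_sp is a hypothetical test hook that flips one bit in the
    mod-p half, standing in for an MPI library bug or a random bit flip.
    """
    sp = pow(m, DP, P)                 # half computed modulo p
    sq = pow(m, DQ, Q)                 # half computed modulo q
    if flip_bit_in_sp is not None:
        sp ^= 1 << flip_bit_in_sp      # simulated computation error
    h = (QINV * (sp - sq)) % P         # Garner recombination
    return sq + Q * h


def checked_sign(m, flip_bit_in_sp=None):
    """Release the signature only if s^E mod N reproduces m."""
    s = crt_sign_raw(m, flip_bit_in_sp)
    if pow(s, E, N) != m:
        # A result that is wrong modulo only one prime must never leave
        # the signer; discard it instead of returning it.
        raise SignatureFault("CRT result failed verification; not released")
    return s


if __name__ == "__main__":
    block = 123456789                  # constructed sample block
    print("good signature:", checked_sign(block))
    try:
        checked_sign(block, flip_bit_in_sp=3)
    except SignatureFault as exc:
        print("fault caught:", exc)
```

The extra public-key exponentiation is cheap next to the private operation when E is small, which is why the check is practical to run on every signature.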