> From: owner-openssl-us...@openssl.org On Behalf Of David Schwartz
> Sent: Monday, 27 July, 2009 12:06

> Jeremy R. wrote:
> 
> > Okay, forgive my ignorance, but isn't the most common way of signing 
> > data simply taking a cryptographic hash (SHA-1, RIPEMD-160, WHIRLPOOL,
> > etc.) and then encrypting it with a public-key technology?
> 
> Yes, that's the most common way. But it is not a general 
> property of public-key encryption. It just happens to be true 
> of RSA and RSA just happens to be popular. But you cannot 
> conclude automatically that a system has the properties of 
> its components.
> 
For example, it's not true at all for DSA (aka DSS).

And although in raw RSA encrypt/decrypt and sign/verify are 
mathematically equivalent, the common schemes built on RSA 
(PKCS1 type1 and PSS for sign, type2 and OAEP for encrypt) 
are different, so you can't just reuse the code.

In addition to David Schwartz' concern about direct exposure 
of the pubkey, since PKC designs in general don't strive to 
protect it, RSA (pub)keys frequently have a small pubexpt 
since this is more efficient (public side doesn't know factors)
and for usual uses it is exposed anyway. RSA keys generated by 
openssl do this, and so do many (most?) other common systems. 
Then only the modulus needs to be found to break your scheme.

I don't think the amount of data Eve could feasibly collect is enough 
to do that, but IANAMathematician so get a real expert if you care.
But if Mallory can detect any difference (even timing) for purported 
keytransfer OR signature values exceeding the modulus or not, he can 
determine the key in probably a few thousand probes. 

If you do your own generation with a fullsize random pubexpt,
you might be safe, but pubkey=client operations will be MUCH slower 
for a large key (as you said you use), if that matters.

Another idea: you're not using the benefit of PKC encryption 
(unknown to one). Why not just symm-encrypt the data? You 
could use (a hash of) the RSA pubkey and it would be efficient, 
but still at risk if the pubkey is exposed or analyzed.
Alternatively if you (can) have other "secret" data in (or with) 
your client you can use that; it doesn't need to have a specific 
internal structure like RSA (or some other PKC) keys do.

PS- the correct spelling for the attack on PKCS#1 type2 padding 
is Bleichenbacher, if you want to find out about it.
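As an added illustration (not code from this thread or from OpenSSL) of the point above that RSA signing and RSA decryption share the same private-key operation but not the same scheme: the block below implements the two PKCS#1 v1.5 paddings (type 1 for signatures, type 2 for encryption) on top of a toy, pure-Python RSA key generator, then shows that a type-2 block put under the private exponent is rejected by a correct signature verifier, and that a type-1 block is not accepted by the type-2 parser. The 512-bit key, the fixed seed and the sample message are constructed for the demonstration only; nothing here is suitable for real use.

```python
"""Added example: PKCS#1 v1.5 type 1 (sign) vs type 2 (encrypt) padding
on a toy RSA key.  Toy key generation and fixed seed are constructed for
the demonstration; not for real use."""
import hashlib
import hmac
import random

# DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1).
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")


def is_probable_prime(n, rng, rounds=24):
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits, rng):
    """Random odd candidate with the top bit set, until one passes Miller-Rabin."""
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand, rng):
            return cand


def gen_toy_rsa(bits=512, e=65537, seed=None):
    """Toy RSA key (n, e, d); small e as in common practice, tiny modulus for speed."""
    rng = random.Random(seed)
    while True:
        p, q = gen_prime(bits // 2, rng), gen_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:          # e is prime, so this is gcd(e, phi) == 1
            return p * q, e, pow(e, -1, phi)


def byte_len(n):
    return (n.bit_length() + 7) // 8


def emsa_pkcs1_v15(msg, k):
    """Type 1 block for signing: 00 01 FF..FF 00 DigestInfo||hash (RFC 8017, 9.2)."""
    t = SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    if k < len(t) + 11:
        raise ValueError("intended encoded message length too short")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def eme_pkcs1_v15(msg, k, rng):
    """Type 2 block for encryption: 00 02 <nonzero random PS> 00 M (RFC 8017, 7.2.1)."""
    if len(msg) > k - 11:
        raise ValueError("message too long")
    ps = bytes(rng.randrange(1, 256) for _ in range(k - len(msg) - 3))
    return b"\x00\x02" + ps + b"\x00" + msg


def parse_type2(em):
    """Return M from a type 2 block, or None if the block is malformed.
    A real decryptor must not let this distinction leak to the peer (not even
    by timing): that leak is the Bleichenbacher padding oracle."""
    if len(em) < 11 or em[:2] != b"\x00\x02":
        return None
    sep = em.find(b"\x00", 2)
    return None if sep < 10 else em[sep + 1:]   # PS must be at least 8 bytes


def sign(msg, n, d):
    k = byte_len(n)
    return pow(int.from_bytes(emsa_pkcs1_v15(msg, k), "big"), d, n).to_bytes(k, "big")


def verify(msg, sig, n, e):
    k = byte_len(n)
    if len(sig) != k or int.from_bytes(sig, "big") >= n:
        return False                      # RSAVP1 step 1: representative out of range
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    # Rebuild the expected type 1 block and compare it whole, so a type 2 block
    # or any other shape is rejected rather than partially parsed.
    return hmac.compare_digest(em, emsa_pkcs1_v15(msg, k))


def encrypt(msg, n, e, rng):
    k = byte_len(n)
    return pow(int.from_bytes(eme_pkcs1_v15(msg, k, rng), "big"), e, n).to_bytes(k, "big")


def decrypt(ct, n, d):
    k = byte_len(n)
    return parse_type2(pow(int.from_bytes(ct, "big"), d, n).to_bytes(k, "big"))


def sign_with_encrypt_padding(msg, n, d, rng):
    """What 'reusing the encrypt code' under the private key produces: a type 2
    block raised to d.  Mathematically the same RSA operation, but a different scheme."""
    k = byte_len(n)
    em = eme_pkcs1_v15(hashlib.sha256(msg).digest(), k, rng)
    return pow(int.from_bytes(em, "big"), d, n).to_bytes(k, "big")


def demo(seed=2009):
    rng = random.Random(seed)
    n, e, d = gen_toy_rsa(512, seed=seed)
    msg = b"constructed sample message"            # constructed input
    k = byte_len(n)
    return {
        "sign_verify_ok": verify(msg, sign(msg, n, d), n, e),
        "tampered_rejected": not verify(msg + b"!", sign(msg, n, d), n, e),
        "encrypt_decrypt_ok": decrypt(encrypt(msg, n, e, rng), n, d) == msg,
        "type2_under_d_rejected_as_signature":
            not verify(msg, sign_with_encrypt_padding(msg, n, d, rng), n, e),
        "type1_block_rejected_by_type2_parser": parse_type2(emsa_pkcs1_v15(msg, k)) is None,
        "value_at_modulus_rejected": not verify(msg, n.to_bytes(k, "big"), n, e),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The two encoders are what differ between "sign" and "encrypt" here; the modular exponentiation is identical, which is exactly why the thread warns against reusing one scheme's code for the other. The `parse_type2` comment marks the place where a real implementation has to be careful: returning a distinguishable failure is the padding oracle the thread's postscript refers to.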
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org