
Re: common modulus attack on RSA



We already have a note relevant to this in section 5.1:

   Note that when an implementation forms several PKESKs with one
   session key, forming a message that can be decrypted by several keys,
   the implementation MUST make new PKCS-1 padding for each key.

This will ensure that the "m" value is different for each encryption key.
That will thwart the common modulus attack and some other possible
attacks.

Hal Finney


> From: John Dlugosz
>
> In "Applied Cryptography", page 472, Schneier warns against ever encrypting
> the same plaintext with two keys having the same n (but different e).
>
> Different public keys may indeed have a common n, either by chance, because
> of an implementation that reuses a small set of n, or a deliberate attack.
>
> The session key is encrypted to multiple public keys.
>
> Looking at section 5.1 of RFC2440, it appears that only the MPI of the
> RSA-encrypted value of m is used.  I'm supposing that m is much smaller
> than n, so the whole thing takes one "block" through RSA.
>
> The other values put into m (the algorithm and the checksum) are the same,
> too, so m will be identical in every public-key encrypted session key
> packet.
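As an added worked example in Python (not code from the thread or from any OpenPGP implementation), the check below builds the section 5.1 body (algorithm octet, session key, two-octet checksum), applies PKCS-1 type-2 padding either with fresh random PS octets or with a fixed filler standing in for reused padding, encrypts the result under two keys that share one modulus, and then runs the public-data combination step of the common modulus attack. The toy modulus, the exponents, the session key and the algorithm octet are constructed assumptions; with fresh padding the combined value is unrelated to either m, which is why the MUST in section 5.1 closes the attack.

```python
import os

# Constructed toy modulus shared by two keys: the product of two Mersenne primes.
# Real OpenPGP keys are far larger; the arithmetic below is identical.
N = (2**89 - 1) * (2**107 - 1)
K = (N.bit_length() + 7) // 8          # modulus length in octets (25 here)
E1, E2 = 65537, 65539                  # two public exponents with gcd(E1, E2) == 1

def pkesk_body(session_key: bytes, algo: int = 1) -> bytes:
    """RFC 2440 5.1 layout before padding: algorithm octet (constructed
    placeholder value), session key, two-octet checksum of the key octets."""
    checksum = sum(session_key) % 65536
    return bytes([algo]) + session_key + checksum.to_bytes(2, "big")

def pkcs1_v15_pad(body: bytes, fresh: bool) -> int:
    """PKCS-1 type-2 block 00 02 PS 00 body. PS is random non-zero octets when
    fresh=True; a fixed filler (simulating reused padding) when fresh=False."""
    ps_len = K - 3 - len(body)
    assert ps_len >= 8, "body too long for this modulus"
    if fresh:
        ps = b""
        while len(ps) < ps_len:
            ps += bytes(b for b in os.urandom(ps_len) if b != 0)
        ps = ps[:ps_len]
    else:
        ps = b"\xff" * ps_len
    return int.from_bytes(b"\x00\x02" + ps + b"\x00" + body, "big")

def encrypt(m: int, e: int) -> int:
    return pow(m, e, N)

def egcd(a: int, b: int):
    """Return (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y

def common_modulus_combine(c1: int, c2: int) -> int:
    """Combine ciphertexts under (N,E1) and (N,E2) using only public data.
    Equals the plaintext exactly when both encrypted the same m."""
    g, a, b = egcd(E1, E2)
    assert g == 1
    return (pow(c1, a, N) * pow(c2, b, N)) % N   # pow accepts a negative exponent

def demo(fresh_padding: bool):
    """Return (m values were identical, combined value equals m1)."""
    sk = bytes(range(1, 9))                      # constructed 8-octet session key
    body = pkesk_body(sk)
    m1, m2 = pkcs1_v15_pad(body, fresh_padding), pkcs1_v15_pad(body, fresh_padding)
    combined = common_modulus_combine(encrypt(m1, E1), encrypt(m2, E2))
    return m1 == m2, combined == m1
```

`demo(False)` reproduces the situation John describes (identical m in both packets); `demo(True)` shows the effect of fresh padding per key.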