From: fc@all.net (Dr. Frederick B. Cohen)
To: hfinney@shell.portal.com (Hal)
Message Hash: 360852fe68b55bf0764a6b6c09c42db49da941f77a5d475a80fc7b6cdc4b90b0
Message ID: <9510191529.AA15811@all.net>
Reply To: <199510191427.HAA10783@jobe.shell.portal.com>
UTC Datetime: 1995-10-19 15:32:30 UTC
Raw Date: Thu, 19 Oct 95 08:32:30 PDT
From: fc@all.net (Dr. Frederick B. Cohen)
Date: Thu, 19 Oct 95 08:32:30 PDT
To: hfinney@shell.portal.com (Hal)
Subject: Re: 50 attacks... [NOISE]
In-Reply-To: <199510191427.HAA10783@jobe.shell.portal.com>
Message-ID: <9510191529.AA15811@all.net>
MIME-Version: 1.0
Content-Type: text
> fc@all.net (Dr. Frederick B. Cohen) writes:
> >3 - I would have figured at least one of you would have looked up the
> >chosen plaintext attack and told me why Netscape keys can't be gotten
> >at this way. I think there's an off change I could win a grand!
>
> I had missed this in your original posting. Here it is again:
>
> > Concept 3 - There is a chosen plaintext attack against the RSA (published
> > in the 1980s in a Crypto conference (IACR?).
> >
> > Attack 50 - Use your Hot Java capability to sign selected
> > message after message till the attacker derives your private key.
> > I think this takes one or two messages per bit of private key.
>
> Chosen plaintext attacks against RSA don't work in the context of RSA
> signatures, because the input to the RSA algorithm is a hash of the
> message being signed. You can't control the hash the way you need to to
> implement a chosen plaintext attack. (You can't "choose" the hash.)
>
> For example, one kind of chosen plaintext attack would be to get an RSA
> signature on 2, on 3, on 5, on 7, and so on, on all the primes. This
> would let you create an RSA signature on any number by factoring the
> number and multiplying the RSA signatures of its prime factors. But
> there is no way to do this in practice because as RSA-based signatures
> are actually implemented only hashes are signed. This is done exactly to
> prevent this and similar attacks.
And how secure is the hash? It it possible to create values that will
hash to each prime (or something else that does the job)? Is the hash
something we can figure a way to precompute using massively parallel
processing so that we can then provide a set of codes which will produce
the desired results? (etc.)
--
-> See: Info-Sec Heaven at URL http://all.net
Management Analytics - 216-686-0090 - PO Box 1480, Hudson, OH 44236
Return to October 1995
Return to “Laurent Demailly <dl@hplyot.obspm.fr>”