On a related note, should encrypting remailers have the keys changed regularly? The RSA-IDEA combination isn't very susceptible to known plaintext attacks, right?
Right. There are two sets of encryption used in the RSA-IDEA combo:

1) RSA, encrypting a random session key with a public-key algorithm. By definition, RSA-like public key algorithms can easily have known or chosen plaintext generated, since you can encrypt anything you like. RSA isn't susceptible to known-plaintext (except for verifying that a (presumably stolen) private key is correct, or by factoring very large numbers of very large prime numbers and checking them, which is computationally infeasible), and any other public key system that *were* susceptible to known-plaintext attacks wouldn't be very useful. Major breakthroughs in factoring theory could always change this, earning mathematical fame and fortune for the discoverer. Short RSA keys can be factored; you're better off with 1024-bit keys or longer for anything you're real serious about.

2) IDEA, encrypting the message itself using the session key. IDEA is not known to be susceptible to anything better than brute force, so known-plaintext attacks require trying 2**128 keys, which is computationally infeasible. Perhaps someone can find a hole in IDEA, but there's nothing major at present.

3) There's a third component that might use encryption - generating the "random" session key. Obviously, if you use the same session key to send different messages to different people, they might notice. If you use different session keys to send messages to people, but the session keys are easily derived from each other, and one recipient notices the pattern from several messages sent to him, he might try guessing the key for the next messages you send to other people. So use a genuine high-quality random number generator.

There is one more special case, which is sending the same message to multiple recipients, with the message encrypted once with the session key, and multiple versions of the session key encrypted with each different recipient's public key. I've forgotten the details, but if there are more than e recipients, it's possible to crack this. (e is the encryption exponent, typically 3 or 17.) That's why PGP and other well-designed systems will pad the session key with random stuff before encrypting with RSA (which is an essentially free operation, since the RSA blocksize is much larger than the session key for IDEA.)

Bill
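The multi-recipient case Bill describes is the low-exponent broadcast problem: if the same unpadded session key is encrypted under e different moduli with exponent e, the Chinese remainder theorem recombines the ciphertexts into key**e over the integers (the cube is smaller than the product of the moduli), and an exact integer root gives the key back without touching any private key. The Python below is an added worked example, not code from this thread or from PGP; it uses constructed toy parameters (e = 3, 512-bit moduli, a 128-bit session key) and simple helpers (`is_probable_prime`, `random_prime`, `icbrt`, `crt`, `demo`) that are assumptions of this illustration. It shows the unpadded combination recovering the key, and the same recombination failing once each recipient's copy is padded with fresh random bits, which is the defence the post names.

```python
import random
import secrets

# Toy parameters (constructed for illustration; real keys are far larger).
E = 3            # public exponent
KEY_BITS = 128   # size of the IDEA-style session key
MOD_BITS = 512   # size of each toy RSA modulus


def is_probable_prime(n, rounds=20):
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits):
    """Random prime of the given size with gcd(p-1, E) == 1 (so E is a valid exponent)."""
    while True:
        p = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if (p - 1) % E != 0 and is_probable_prime(p):
            return p


def make_modulus(bits):
    """One toy RSA modulus n = p*q; only the public half is ever used here."""
    return random_prime(bits // 2) * random_prime(bits // 2)


def icbrt(x):
    """Exact integer cube root of x, or None if x is not a perfect cube."""
    lo, hi = 0, 1 << ((x.bit_length() + 2) // 3 + 1)
    while lo < hi:
        mid = (lo + hi) // 2
        if mid ** 3 < x:
            lo = mid + 1
        else:
            hi = mid
    return lo if lo ** 3 == x else None


def crt(residues, moduli):
    """Chinese remainder theorem for pairwise coprime moduli."""
    big_n = 1
    for n in moduli:
        big_n *= n
    total = 0
    for r, n in zip(residues, moduli):
        m = big_n // n
        total += r * m * pow(m, -1, n)
    return total % big_n


def broadcast_recover(ciphertexts, moduli):
    """Recombine E ciphertexts of one plaintext m into m**E over the integers
    (valid because m**E < n1*n2*n3) and take the exact root. Returns None when
    the ciphertexts do not come from a single small plaintext."""
    return icbrt(crt(ciphertexts, moduli))


def encrypt_unpadded(session_key, n):
    """Textbook RSA: the bare 128-bit key is the plaintext for every recipient."""
    return pow(session_key, E, n)


def encrypt_padded(session_key, n):
    """Key followed by fresh random bits filling the block, so each recipient
    encrypts a different value (the approach the post attributes to PGP)."""
    pad_bits = n.bit_length() - KEY_BITS - 2
    padded = (session_key << pad_bits) | secrets.randbits(pad_bits)
    assert padded < n
    return pow(padded, E, n)


def demo(seed=1):
    """Return (session_key, recovered_from_unpadded, recovered_from_padded)."""
    random.seed(seed)  # deterministic toy moduli; key and pads use the OS CSPRNG
    moduli = [make_modulus(MOD_BITS) for _ in range(E)]
    session_key = secrets.randbits(KEY_BITS)
    unpadded = [encrypt_unpadded(session_key, n) for n in moduli]
    padded = [encrypt_padded(session_key, n) for n in moduli]
    return (session_key,
            broadcast_recover(unpadded, moduli),
            broadcast_recover(padded, moduli))


if __name__ == "__main__":
    key, from_unpadded, from_padded = demo()
    print("unpadded recovered key matches:", from_unpadded == key)
    print("padded recovery result:", from_padded)
```

The padded path also illustrates the third point in the post: the pad must come from a real CSPRNG (`secrets` here, not `random`), because a pad that is predictable or shared across recipients collapses back to the single-plaintext case.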