Re: Thoughts on 15 day CJ crypto
In article <94Dec16.08.5320@qualcomm.com>, you write:
|> So it's possible the RSA requirement is in there to provide an
|> assurance that the right key was selected.

Isn't it common practice to pad out a plaintext block with random garbage to the size of the modulus before you RSA-encrypt it? E.g., if you have an 8-byte DES key and you want to encrypt it with an RSA public key having a 512-bit modulus, you'd stick 56 bytes of random stuff in front of the DES key before you do the exponentiation. When you decrypt with the secret key, you simply throw away the random padding. At least RSAREF does this.

Wouldn't this thwart the kind of attack you describe?

Phil

From: Phil Karn <karn@unix.ka9q.ampr.org>

> Isn't it common practice to pad out a plaintext block with random garbage to the size of the modulus before you RSA-encrypt it? [...] Wouldn't this thwart the kind of attack you describe?

It would, but not having ever applied for a 15-day CJ, I can't speak to the details of what the implementations actually do. Perhaps they permit random padding, perhaps not. It's certainly possible that the padding is required to be fixed; that's certainly in the style of NSA 'requests' for 'features'.

Can anybody here shed some light on the subject?

Eric
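
Added example, not part of either message and not RSAREF code: a sketch of the padding question raised above, showing that with fixed filler the RSA block is a deterministic function of the DES key, so a candidate key can be checked with the public key alone, while random filler removes that check and the recipient still recovers the key. The toy modulus, the block layout and all function names are assumptions made for illustration.

```python
import secrets

# Constructed toy key: product of two Mersenne primes, so the example is
# reproducible offline. Trivially factorable; never use such a modulus.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8          # modulus size in bytes (141)


def pad(key: bytes, random_fill: bool) -> bytes:
    """Build 0x00 || filler || key, filling the block to the modulus size.

    The leading zero byte keeps the integer below N. Simplified layout for
    illustration; it is not the exact block format of RSAREF or PKCS #1.
    """
    fill_len = K - 1 - len(key)
    filler = secrets.token_bytes(fill_len) if random_fill else b"\xff" * fill_len
    return b"\x00" + filler + key


def encrypt(key: bytes, random_fill: bool) -> int:
    """Public-key operation on the padded block."""
    return pow(int.from_bytes(pad(key, random_fill), "big"), E, N)


def decrypt(ciphertext: int, key_len: int = 8) -> bytes:
    """Private-key operation; the filler is thrown away, only the key is kept."""
    block = pow(ciphertext, D, N).to_bytes(K, "big")
    return block[-key_len:]


def confirms_guess(ciphertext: int, guess: bytes) -> bool:
    """Public-key-only check: re-encrypt the guess with fixed filler and compare."""
    return encrypt(guess, random_fill=False) == ciphertext


if __name__ == "__main__":
    des_key = bytes.fromhex("0123456789abcdef")   # constructed sample key
    fixed = encrypt(des_key, random_fill=False)
    rand = encrypt(des_key, random_fill=True)
    print("fixed filler, guess confirmed: ", confirms_guess(fixed, des_key))
    print("random filler, guess confirmed:", confirms_guess(rand, des_key))
    print("recipient still recovers key:  ", decrypt(rand) == des_key)
```
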
Participants (2): eric@remailer.net, Phil Karn