adding noise blob to data before signing

Derek Atkins derek at ihtfp.com
Sat Aug 10 15:38:30 EDT 2002


Nomen Nescio <nobody at dizum.com> writes:

> Derek Atkins replied:
> > It depends on the signature algorithm.  With RSA you can sign any
> > message "directly" if said message is smaller than the public key size
> > (N).  DSA, however, requires the use of a hash.
> 
> Actually, depending on the data being signed, it can be important to
> hash for RSA.  After all, RSA is existentially forgeable: anyone can
> forge a signature on a *random* value (if C=M^e mod n, then M is a
> signature on C).  They might be able to try some large number of sigs
> until they got a random value which looked enough like legitimate data
> to be accepted - especially possible if the 1kbit value being signed
> holds dense, random-ish binary data.

Let me be clear: I implied (but clearly I should have been explicit)
that PKCS#1 padding should be used, not "raw" RSA.  The problem with
raw RSA is that you can combine multiple encryptions into new
encryptions.  Using PKCS padding inside the RSA signature foils the
multiplication attack.  So, sure, your message can only be
N-(sizeof(pkcs#1)) bits, not N bits.  However you still do not
need a hash.

-derek

-- 
       Derek Atkins
       Computer and Internet Security Consultant
       derek at ihtfp.com             www.ihtfp.com
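
Added example (not part of the original message): the random-value forgery and the multiplication property of raw RSA discussed in this thread, and a PKCS#1 v1.5 type-1 block check that rejects both without any hash. The key is a constructed toy key built from two Mersenne primes, and all function names are illustrative assumptions.

```python
# Toy key (constructed, insecure): two Mersenne primes, for illustration only.
P, Q = 2**127 - 1, 2**107 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8  # modulus length in bytes (30)

def raw_sign(m: int) -> int:
    return pow(m, D, N)

def raw_verify(m: int, s: int) -> bool:
    return pow(s, E, N) == m % N

def forge_random(s: int):
    # No private key needed: pick s, publish (s^e mod n, s) as (message, signature).
    return pow(s, E, N), s

def combine(s1: int, s2: int) -> int:
    # Product of two raw signatures is a raw signature on the product of the messages.
    return (s1 * s2) % N

def pad(data: bytes) -> int:
    # PKCS#1 v1.5 type-1 block: 00 01 FF..FF 00 || data, with no hash, as in the post.
    ff = K - 3 - len(data)
    if ff < 8:
        raise ValueError("data too long for this modulus")
    return int.from_bytes(b"\x00\x01" + b"\xff" * ff + b"\x00" + data, "big")

def padded_sign(data: bytes) -> int:
    return pow(pad(data), D, N)

def padded_verify(s: int):
    # Returns the recovered data, or None when the block is not well formed.
    block = pow(s, E, N).to_bytes(K, "big")
    sep = block.find(b"\x00", 2)
    if block[:2] != b"\x00\x01" or sep < 10 or set(block[2:sep]) != {0xFF}:
        return None
    return block[sep + 1:]

if __name__ == "__main__":
    m, s = forge_random(123456789)
    print("raw forgery verifies:", raw_verify(m, s))
    print("padded check on forgery:", padded_verify(s))
    s1, s2 = padded_sign(b"pay 10"), padded_sign(b"pay 20")
    print("padded check on product:", padded_verify(combine(s1, s2)))
    print("honest signature recovers:", padded_verify(s1))
```

With this 30-byte modulus the padded form carries at most 19 bytes of data, which is the N-(sizeof(pkcs#1)) cost the message mentions.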

---------------------------------------------------------------------
The Cryptography Mailing List