RSA question

Bill Stewart bill.stewart at pobox.com
Wed Sep 1 02:27:39 EDT 2010


At 09:20 AM 8/31/2010, Justin Ferguson wrote:
>Hi,
>
>Correct me if I am wrong, but my understanding is that the padding
>scheme is the only thing that keeps the ciphertext from being
>deterministic. Thus without it, the attacker could generate
>ciphertexts until their ciphertext matched the real one. My question
>is mostly how much does the lack of/determinism in padding help the
>attacker? Or is this the same as more or less brute forcing with the
>padding?

In a typical RSA encryption application, the message that's encrypted with 
RSA is a secret session key used by a symmetric-key algorithm, so it's 
going to be 112/128/192/256 bits of pure randomness, which then get used 
with 3DES or AES to encrypt the actual message.   It's possible that under 
some conditions, trying to brute-force the RSA is more efficient than 
simply brute-forcing the symmetric key, or that you might be able to use it 
to help that process (e.g. if AESDecrypt(Cyphertext, Symmetric Key Kn) 
produces ASCII, you could check whether RSA(Pubkey, Symmetric Key Kn) gives 
you the RSA cyphertext).  But usually it's not very helpful.

On the other hand, if you're using RSA to encrypt the actual end-user 
message, and that message is from a small restricted set, it's a different 
problem.
Or if you're using RSA to encrypt a Symmetric Key, but that key is a hash 
of a passphrase instead of pure random bits, then maybe you could 
brute-force the passphrase.



---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
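
Added illustration (not part of the original post or the list archive): a Python sketch of the two cases in this thread, showing that unpadded RSA over a passphrase-derived key can be confirmed by re-encrypting a candidate, while a random pad or a truly random key defeats that equality check. The toy modulus, the wordlist and all function names are constructed for this example, and the padding is a simplified PKCS#1 v1.5-style layout for illustration; production code should use OAEP from a vetted library.

```python
import hashlib
import secrets

# Constructed toy key from two Mersenne primes (234-bit modulus); real keys are 2048+ bits.
P, Q = 2**127 - 1, 2**107 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8  # modulus length in bytes

def key_from_passphrase(passphrase: str) -> bytes:
    """The weak case from the post: a 128-bit key that is only a hash of a passphrase."""
    return hashlib.sha256(passphrase.encode()).digest()[:16]

def encrypt_unpadded(msg: bytes) -> int:
    """Textbook RSA: the same message and public key always give the same ciphertext."""
    return pow(int.from_bytes(msg, "big"), E, N)

def encrypt_random_pad(msg: bytes) -> int:
    """Layout 00 02 <random nonzero bytes> 00 <msg>, so every encryption differs."""
    pad = bytes(secrets.randbelow(255) + 1 for _ in range(K - 3 - len(msg)))
    return pow(int.from_bytes(b"\x00\x02" + pad + b"\x00" + msg, "big"), E, N)

def decrypt_random_pad(ct: int) -> bytes:
    """Private-key operation, then strip everything up to the 00 separator."""
    block = pow(ct, D, N).to_bytes(K, "big")
    return block[block.index(b"\x00", 2) + 1:]

def recheck(ciphertext: int, candidates, encrypt):
    """Return the candidate passphrase whose re-encryption equals ciphertext, else None."""
    for guess in candidates:
        if encrypt(key_from_passphrase(guess)) == ciphertext:
            return guess
    return None

if __name__ == "__main__":
    wordlist = ["letmein", "hunter2", "correct horse"]  # constructed small set
    weak_key = key_from_passphrase("hunter2")
    random_key = secrets.token_bytes(16)  # 128 bits of pure randomness
    print("unpadded, passphrase key:",
          recheck(encrypt_unpadded(weak_key), wordlist, encrypt_unpadded))
    print("random pad, passphrase key:",
          recheck(encrypt_random_pad(weak_key), wordlist, encrypt_random_pad))
    print("unpadded, random key:",
          recheck(encrypt_unpadded(random_key), wordlist, encrypt_unpadded))
```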


