RSA question
Bill Stewart
bill.stewart at pobox.com
Wed Sep 1 02:27:39 EDT 2010
At 09:20 AM 8/31/2010, Justin Ferguson wrote:
>Hi,
>
>Correct me if I am wrong, but my understanding is that the padding
>scheme is the only thing that keeps the ciphertext from being
>deterministic. Thus without it, the attacker could generate
>ciphertexts until their ciphertext matched the real one. My question
>is mostly how much does the lack of/determinism in padding help the
>attacker? Or is this the same as more or less brute forcing with the
>padding?
In a typical RSA encryption application, the message that's encrypted with
RSA is a secret session key used by a symmetric-key algorithm, so it's
going to be 112/128/192/256 bits of pure randomness, which then get used
with 3DES or AES to encrypt the actual message. It's possible that under
some conditions, trying to brute-force the RSA is more efficient than
simply brute-forcing the symmetric key, or that you might be able to use it
to help that process (e.g. if AESDecrypt(Cyphertext, Symmetric Key Kn)
produces ASCII, you could check whether RSA(Pubkey, Symmetric Key Kn) gives
you the RSA cyphertext. But usually it's not very helpful.
On the other hand, if you're using RSA to encrypt the actual end-user
message, and that message is from a small restricted set, it's a different
problem.
Or if you're using RSA to encrypt a Symmetric Key, but that key is a hash
of a passphrase instead of pure random bits, then maybe you could
brute-force the passphrase.
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list