[Cryptography] Why RSA-PSS is much less secure than PKCS #1 v1.5
Peter Gutmann
pgut001 at cs.auckland.ac.nz
Tue Nov 12 02:29:37 EST 2019
Thierry Moreau <thierry.moreau at connotech.com> writes:
>What is the relevance of a side-channel vulnerability for signature
>*validation* which handles only public data?
Sure, good point. However given the general concern about side-channel
protection (I know of at least one crypto library that implements side-channel
protection in the public-key ops, just in case someone finds something to
exploit there), designing a scheme that makes it essentially impossible to
create a non-side-channeled implementation is kinda bad.
>P.S. Do we have an ASN.1 Org Id for CRC-256 hash algorithm?
We do now:
crc256 OBJECT IDENTIFIER ::= { 1 3 6 1 4 1 3029 3 1 }
xor256 OBJECT IDENTIFIER ::= { 1 3 6 1 4 1 3029 3 2 }
I prefer xor256 because you can create completely standard messages with the
same hash value as the intended target, without having to stuff in a few bytes
of binary data as for the CRC. If I get time over the weekend, and I can find
a CMS message signed with RSA-PSS, I'll create a forgery using xor256.
Peter.
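As an added illustration of the forgery Peter is describing (this is not his code, and the xor256 OID above defines no algorithm, so the definition used here, XOR of the message's 32-byte blocks with the last block zero-padded, is an assumption), the following script shows why a linear "hash" is useless for a signature scheme: given any signed target message, a second message of the attacker's choosing can be given the same hash value by appending one correction block, so the existing signature verifies over it.

```python
# Added example, not from the original post. Assumes the joke "xor256" hash is
# the XOR of all 32-byte blocks of the input, with the final block zero-padded.
BLOCK = 32


def xor256(data: bytes) -> bytes:
    """Hypothetical xor256: XOR of zero-padded 32-byte blocks (linear, so trivially forgeable)."""
    acc = bytearray(BLOCK)
    for i in range(0, len(data), BLOCK):
        block = data[i:i + BLOCK].ljust(BLOCK, b"\x00")
        for j in range(BLOCK):
            acc[j] ^= block[j]
    return bytes(acc)


def forge_with_same_hash(target: bytes, forged_body: bytes) -> bytes:
    """Return forged_body plus a trailing 32-byte correction block chosen so that
    xor256(result) == xor256(target).

    Because XOR is linear, xor256(padded + c) == xor256(padded) ^ c, so choosing
    c = xor256(target) ^ xor256(padded) cancels the difference exactly.
    """
    # Pad with spaces (harmless in text) so the correction lands in its own block.
    padded = forged_body + b" " * (-len(forged_body) % BLOCK)
    correction = bytes(a ^ b for a, b in zip(xor256(target), xor256(padded)))
    return padded + correction


def demo() -> tuple[bytes, bytes, bool]:
    """Constructed sample: a signed target and an attacker's replacement text."""
    target = b"Pay $100 to Alice on Friday."
    forged = forge_with_same_hash(target, b"Pay $1000000 to Mallory today.")
    return target, forged, xor256(forged) == xor256(target)


if __name__ == "__main__":
    target, forged, same = demo()
    print("target hash :", xor256(target).hex())
    print("forged hash :", xor256(forged).hex())
    print("collision   :", same)
```

Any signature computed over xor256(target) therefore also verifies over the forged message; the signature scheme never enters into it, which is the point of pairing a signature algorithm with a hash whose collision resistance you actually trust.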