At 09:20 AM 8/31/2010, Justin Ferguson wrote:
Hi,
Correct me if I am wrong, but my understanding is that the padding
scheme is the only thing that keeps the ciphertext from being
deterministic. Thus without it, the attacker could generate
ciphertexts until their ciphertext matched the real one. My question
is mostly how much does the lack of/determinism in padding help the
attacker? Or is this the same as more or less brute forcing with the
padding?
In a typical RSA encryption application, the message that's encrypted with
RSA is a secret session key used by a symmetric-key algorithm, so it's
going to be 112/128/192/256 bits of pure randomness, which then get used
with 3DES or AES to encrypt the actual message. It's possible that under
some conditions, trying to brute-force the RSA is more efficient than
simply brute-forcing the symmetric key, or that you might be able to use it
to help that process (e.g. if AESDecrypt(Cyphertext, Symmetric Key Kn)
produces ASCII, you could check whether RSA(Pubkey, Symmetric Key Kn) gives
you the RSA cyphertext. But usually it's not very helpful.
On the other hand, if you're using RSA to encrypt the actual end-user
message, and that message is from a small restricted set, it's a different
problem.
Or if you're using RSA to encrypt a Symmetric Key, but that key is a hash
of a passphrase instead of pure random bits, then maybe you could
brute-force the passphrase.
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com