On 03/11/12 09:29, Peter Gutmann wrote:
> In the past there have been a few proposals to use asymmetric cryptosystems,
> typically RSA, like symmetric ones by keeping the public key secret, the idea
> behind this being that if the public key isn't known then there isn't anything
> for an attacker to factor or otherwise attack.  Turns out that doing this
> isn't secure:
>
>    http://eprint.iacr.org/2012/588
>
>    Breaking Public Keys - How to Determine an Unknown RSA Public Modulus
>    Hans-Joachim Knobloch
>
>    [...] We show that if the RSA cryptosystem is used in such a symmetric
>    application, it is possible to determine the public RSA modulus if the
>    public exponent is known and short, such as 3 or F4=65537, and two or more
>    plaintext/ciphertext (or, if RSA is used for signing, signed
>    value/signature) pairs are known.

I've actually encountered a practical application for this. If you
have an HSM that allows unwrapping of private keys but keeps the whole
result entirely secret, and want to implement PKCS#11 C_UnwrapKey and
allow the modulus and public exponent of the private key to be queried
through C_GetAttributeValue, and the user hasn't chosen to import the
matching public key, then you have to do something like this.

Or add a DerivePublicFromPrivate operation to the next release of the
HSM firmware, which also works for DH, DSA, ECDSA, KCDSA, etc. :-)

_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
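
The modulus recovery discussed in this thread, as an added example that is not part of the original posts and is not taken from the cited paper: each known pair satisfies s^e ≡ m (mod n), so s^e - m is a multiple of n and the gcd over a few pairs leaves n times at most a small cofactor. Assumptions: raw (unpadded) RSA, a constructed demo key built from two well-known primes, and hypothetical names `make_oracle`, `recover_modulus` and `demo`.

```python
from math import gcd

E = 3  # known short public exponent (the thread mentions 3 and F4 = 65537)

def make_oracle():
    """Stand-in for a device that performs the private-key operation only."""
    p = 2**448 - 2**224 - 1          # constructed demo key, not a real one
    q = 2**130 - 5
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # raises if E is not invertible
    # n is returned only so the caller can compare it with the recovered value.
    return (lambda m: pow(m, d, n)), n

def recover_modulus(pairs, e=E, small_bound=10_000):
    """pairs: (value, signature) tuples with signature**e == value (mod n)."""
    g = 0
    for m, s in pairs:
        # s**e - m is an exact integer multiple of the unknown modulus.
        g = gcd(g, pow(s, e) - m)
    if g == 0:
        raise ValueError("pairs carry no information (all s**e == m exactly)")
    # The gcd may still include a small cofactor; an RSA modulus has no
    # small prime factors, so dividing them out is safe.
    for f in range(2, small_bound):
        while g % f == 0:
            g //= f
    return g

def demo():
    sign, true_n = make_oracle()
    pairs = [(m, sign(m)) for m in (2, 3, 5, 7)]
    n = recover_modulus(pairs)
    # Confirm the candidate on a pair that was not used for the gcd.
    held_out_ok = pow(sign(11), E, n) == 11
    return n == true_n, held_out_ok

if __name__ == "__main__":
    print(demo())
```

With e = 65537 the same arithmetic applies, but the integers s^e become millions of bits long for realistic key sizes, so the computation is far heavier than in this e = 3 demo.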
