Hello Scott,

At 03/02/03 21:50, Scott G. Kelly wrote:
I have a question regarding RSA encryption - forgive me if this seems
amateur-ish -, but 'm still a beginner. I seem to recall reading
somewhere that there is some issue with directly encrypting data with an
RSA public key, perhaps some vulnerability, but I can't find any
reference after a cursory look. Does anyone know of any issue with using
RSA encryption to encrypt a symmetric key under the target's public key
if the encrypted value is public (e.g. sent over a network)?

Sorry for the delayed response.

As mentioned in the other postings, there are several technical problems with doing the RSA encryption in its most simple fashion by exponentiation and MOD calculation alone. However, in addition to all that was said, please note the following two general problems with such an approach, which apply not just to RSA but to any other asymmetric encryption when done directly on the plaintext:

First, when encrypting a plain-text block as it is, with no random (or otherwise variable) padding, you are actually performing encryption in an ECB mode. The ECB (and other) modes of operation are known in block-cipher contexts, but the problems related to using ECB are reflected well when you perform simple block-by-block encryption using an asymmetric cipher as well. Of course, RSA uses block sizes that are much larger than the "regular" 64-bit or 128-bit block sizes, so code-book attacks are much harder to mount in comparison to code-book attacks on DES-ECB, but are still possible. So, simple block-by-block encryption using RSA (or any other asymmetric cipher), leads to the same vulnerabilities that are caused by simple block-by-block encryption with DES or other block ciphers, especially when it comes to code-book attacks.

Second, there is a big inherent quality of all asymmetric ciphers which is that encryption can be simulated (by an opponent). Here is a brief explanation: When using symmetric encryption, an opponent who does not have the key cannot simulate neither correct decryption nor correct encryption, which means that he has no way (assuming the cryptographic algorithm is strong) to guess the plain-text unless he can guess the key. The only possible avenue of attack is therefore by brute-forcing the key. With "simple" asymmetric encryption, however, the encryption process can be simulated (repeated) by the opponent, hence he can obtain knowledge of the plaintext either by brute-forcing the key or by brute-forcing the plaintext, which might often be easier to do (for example, if the plaintext is one of known choices, or can otherwise be guessed). So, if you encrypt plaintext that may be guessed easily, the attacker can simply mount a brute-force attack on the plaintext to find what it is.

Again, please note that these two are true not just for RSA, but for any other asymmetric cipher if implemented without salting (or otherwise wisely manipulating) the plaintext.

Hope this helps.


Hagai Bar-El - Information Security Analyst
Tel.: 972-8-9354152  Fax.: 972-8-9354152
E-mail: [EMAIL PROTECTED]  Web: www.hbarel.com

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Reply via email to