On Sun, 24 Aug 2008, Brian Dickson wrote:

> Dean Anderson wrote:
> > On Sun, 24 Aug 2008, Dean Anderson wrote:
> >
> >> Ok. But when you resign using arbitrary data controlled by the
> >> attacker, the private key can be obtained. [There is a crypto attack on
> >> rekeying] OOPS!!. Rekeying is out of the question for, say, .com, .net,
> >> etc. I guess you didn't know that.
> >>
> >
> > Correction: The above should say there is a crypto attack on re-SIGNing.
> > ReKEYing is fine. Apologies for the confusion I just created.
> >
>
> You say there is a crypto attack on re-signing.
>
> One using arbitrary data provided by the attacker - what is the
> "arbitrary" data, as opposed to some other kind of data?
I don't think I can give the exact correct mathematics without using a
book--and I don't have my crypto library right now--so I'll try to
armwave a bit:

Basically, if the attacker can pick a known plaintext that corresponds
to a large prime, they can use the result and the public key to obtain
the private key. This is a consequence of modular arithmetic. I'm not
entirely certain from memory if the plaintext has to be prime or if it
can be a multiple of a prime.

> (e.g. If the data being signed were limited to valid public key data
> that might, for example, be possible to itself be validated before signing)?
>
> Can you provide a reference to back up this assertion?

I think there is a description of this in Schneier's book, or other books
that describe security and insecurity of PKI depending on modular
arithmetic, like RSA. If you still can't find it, let me know and I'll
send you a detailed reference tomorrow.

--Dean

--
Av8 Internet   Prepared to pay a premium for better service?
www.av8.net         faster, more reliable, better service
617 344 9000

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
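The exchange above concerns signing raw, attacker-chosen data with RSA. As an added example, not part of this thread and not code from either participant, the script below shows the property such signing exposes that the textbook treatments describe: textbook RSA (no hash, no padding) is multiplicatively malleable, so two signatures obtained on attacker-supplied values combine into a valid signature on their product, a value the signer never signed. The same trick fails once the signer hashes the message before signing, which is why real schemes (PKCS#1 v1.5, PSS) never sign raw input. The key (two Mersenne primes), the `digest` stand-in for a padding scheme, and the messages 42 and 99 are all constructed for the demo; the script demonstrates forgery by malleability and does not attempt any key recovery.

```python
import hashlib

# Constructed demo key (added example, not from the thread). The primes are
# two well-known Mersenne primes so the modulus is large enough that an
# accidental digest coincidence in the second check is not a practical
# concern; a real key would use random primes of 1024 bits or more.
P = 2**31 - 1
Q = 2**61 - 1
N = P * Q
E = 65537
PHI = (P - 1) * (Q - 1)
D = pow(E, -1, PHI)          # private exponent (modular inverse, Python 3.8+)


def textbook_sign(m, d=D, n=N):
    """Raw RSA signature over the integer m: no hash, no padding."""
    return pow(m, d, n)


def textbook_verify(m, s, e=E, n=N):
    """Raw RSA verification: s^e must equal m (mod n)."""
    return pow(s, e, n) == m % n


def forge_by_malleability(m1, s1, m2, s2, n=N):
    """Given valid raw signatures s1, s2 on attacker-chosen m1, m2, the
    product s1*s2 is a valid raw signature on m1*m2 (mod n), because
    (m1^d)(m2^d) = (m1*m2)^d. The signer never saw m1*m2."""
    return (m1 * m2) % n, (s1 * s2) % n


def digest(m, n=N):
    """Hash-then-sign input: a SHA-256 digest of the message reduced into
    the RSA range. A constructed stand-in for PKCS#1 v1.5 or PSS encoding."""
    h = hashlib.sha256(m.to_bytes(16, "big")).digest()
    return int.from_bytes(h, "big") % n


def hashed_sign(m, d=D, n=N):
    """Sign the digest of m rather than m itself."""
    return pow(digest(m, n), d, n)


def hashed_verify(m, s, e=E, n=N):
    """Recover the signed value and compare it with the digest of m."""
    return pow(s, e, n) == digest(m, n)


def demo():
    """Returns (raw_forgery_verifies, hashed_forgery_verifies)."""
    m1, m2 = 42, 99                        # constructed attacker-chosen inputs
    s1, s2 = textbook_sign(m1), textbook_sign(m2)
    assert textbook_verify(m1, s1) and textbook_verify(m2, s2)

    # Raw RSA: the combined signature is valid for m1*m2 without the signer.
    m3, s3 = forge_by_malleability(m1, s1, m2, s2)
    raw_forgery_verifies = textbook_verify(m3, s3)

    # Hash-then-sign: the combined signature only verifies against
    # digest(m1)*digest(m2), which is not the digest of any message the
    # attacker can name, so checking it against m3 fails.
    h1, h2 = hashed_sign(m1), hashed_sign(m2)
    hashed_forgery_verifies = hashed_verify(m3, (h1 * h2) % N)
    return raw_forgery_verifies, hashed_forgery_verifies


if __name__ == "__main__":
    raw_ok, hashed_ok = demo()
    print("raw RSA: forged signature verifies:", raw_ok)          # True
    print("hash-then-sign: forged signature verifies:", hashed_ok)  # False
```

The defensive point is the same one Brian's question circles around: a signer that accepts arbitrary input must transform it (hash and pad) before applying the private operation, so that no relationship the attacker arranges between inputs carries through to the signatures.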