On Sun, 24 Aug 2008, Brian Dickson wrote:

> Dean Anderson wrote:
> > On Sun, 24 Aug 2008, Dean Anderson wrote:
> >
> >   
> >> Ok.  But when you resign using arbitrary data controlled by the
> >> attacker, the private key can be obtained. [There is a crypto attack on
> >> rekeying] OOPS!!.  Rekeying is out of the question for, say, .com, .net,
> >> etc.  I guess you didn't know that.
> >>     
> >
> > Correction: The above should say there is a crypto attack on re-SIGNing.  
> > ReKEYing is fine. Apologies for the confusion I just created.
> >   
> 
> You say there is a crypto attack on re-signing.
> 
> One using arbitrary data provided by the attacker - what is the 
> "arbitrary" data, as opposed to some other kind of data?

I don't think I can give the exact correct mathematics without using a
book--and I don't have my crypto library right now--so I'll try to
armwave a bit:

Basically, if the attacker can pick a known-plaintext that corresponds
to a large prime, they can use the result and the public key to obtain
the private key. This is a consequence of modular arithmetic.  I'm not
entirely certain from memory if the plaintext has to be prime or if it
can be a multiple of a prime.

> (e.g. If the data being signed were limited to valid public key data 
> that might, for example, be possible to itself be validated before signing)?
> 
> Can you provide a reference to back up this assertion?

I think there is a description of this in Schneier's book, or other books
that describe security and insecurity of PKI depending on modular
arithmetic, like RSA.  If you still can't find it, let me know and I'll
send you a detailed reference tomorrow.

                --Dean


-- 
Av8 Internet   Prepared to pay a premium for better service?
www.av8.net         faster, more reliable, better service
617 344 9000   


_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop