On Mon, Sep 01, 2008 at 04:42:25PM -0700, Andrew Lentvorski wrote:
> However, if *time* is the only thing that changes, is that enough? My gut feel is that there might be some attack, but maybe not. Most encryption algorithms shuffle bits sufficiently well that even small changes propagate to large differences.
It's certainly important to make sure the value signed has data in the upper bits, at least so that the result of the exponent is significantly larger than the modulus. These can be filled with even poor random numbers. I have read of some RSA attacks with chosen plaintext.
> So, the question is, is there a "known small plaintext" attack against digital signatures.
Even a fairly poor pseudo-random source should keep it from being a known small plaintext. It'll still be known, since the public key is known, but at least not a chosen plaintext.
> And is there any way to use AES for public-key digital signatures? The question is asked since these chips have an AES engine on them.
I'm not aware of anything without a third party. AES-MAC could be used to keep the thing we're signing from being too predictable, though. Something like, for a given counter n, use AES counter mode to generate enough random bits to be just less than the RSA modulus size. Place the plaintext of the counter at a specific location in it (probably best to not have it as the lowest bits, not sure about the highest bits). Then sign the whole thing, and have the button on the fob 'type' this in base-64 or something like that.

David

-- 
[email protected]
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list
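The fob construction David sketches (counter-mode keystream sized just under the modulus, counter spliced in at a fixed offset, RSA-sign the whole thing, emit base64), as an added example that is not code from the list or from any chip vendor. Two stand-ins are assumed because nothing here is tied to real hardware: HMAC-SHA256 run in counter mode plays the part of the chip's AES-CTR engine, and a freshly generated 512-bit textbook RSA key plays the part of the chip's RSA key. The 8-byte counter at byte offset 8, the forced-on top bit, and the host-side monotonic-counter check are also assumptions added for the demo. The `reduction_is_certain` helper is the check for the point made earlier in the thread, that the signed value must have data in its upper bits so that m^e is actually larger than the modulus.

```python
"""Added example of the fob scheme discussed in the thread (not code from the
list post). Assumed stand-ins: HMAC-SHA256 in counter mode for AES-CTR, a toy
512-bit textbook RSA key for the chip's key, an 8-byte counter at byte offset 8."""
import base64
import hashlib
import hmac
import math
import secrets

COUNTER_LEN = 8     # assumed: 64-bit button-press counter
COUNTER_OFFSET = 8  # assumed: counter sits at byte offset 8 (neither lowest nor highest bits)


def prf_ctr_bytes(fob_key: bytes, counter: int, nbytes: int) -> bytes:
    """Counter-mode keystream keyed by the fob's secret key.
    Stand-in for the chip's AES-CTR: block i = HMAC-SHA256(key, counter || i)."""
    out, block = bytearray(), 0
    while len(out) < nbytes:
        msg = counter.to_bytes(COUNTER_LEN, "big") + block.to_bytes(4, "big")
        out += hmac.new(fob_key, msg, hashlib.sha256).digest()
        block += 1
    return bytes(out[:nbytes])


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin; adequate for generating a toy key."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def rsa_keygen(bits: int = 512, e: int = 65537):
    """Returns (n, e, d). 512 bits is a demo size, not a recommendation."""
    def prime(b: int) -> int:
        while True:
            c = secrets.randbits(b) | (1 << (b - 1)) | 1
            if is_probable_prime(c):
                return c
    while True:
        p, q = prime(bits // 2), prime(bits // 2)
        n, phi = p * q, (p - 1) * (q - 1)
        if p != q and n.bit_length() == bits and math.gcd(e, phi) == 1:
            return n, e, pow(e, -1, phi)


def filler_len(n: int) -> int:
    """Whole bytes that always encode an integer below n ("just less than the modulus size")."""
    return (n.bit_length() - 1) // 8


def build_message(fob_key: bytes, counter: int, n: int) -> int:
    """Keystream filler with its top bit forced on (upper bits carry data),
    counter spliced in at the fixed offset. Result is an integer strictly below n."""
    fill = bytearray(prf_ctr_bytes(fob_key, counter, filler_len(n)))
    fill[0] |= 0x80
    fill[COUNTER_OFFSET:COUNTER_OFFSET + COUNTER_LEN] = counter.to_bytes(COUNTER_LEN, "big")
    m = int.from_bytes(fill, "big")
    assert m < n
    return m


def reduction_is_certain(m: int, e: int, n: int) -> bool:
    """m >= 2**(bitlen(m)-1), so m**e >= 2**((bitlen(m)-1)*e). If that exponent reaches
    bitlen(n), m**e > n and the modular reduction really happens (matters for small e)."""
    return (m.bit_length() - 1) * e >= n.bit_length()


def fob_press(fob_key: bytes, counter: int, n: int, d: int) -> str:
    """What the fob 'types': base64 of the RSA signature over the padded counter."""
    s = pow(build_message(fob_key, counter, n), d, n)
    return base64.b64encode(s.to_bytes((n.bit_length() + 7) // 8, "big")).decode()


def verify_press(token: str, n: int, e: int, last_counter: int):
    """Host side: needs only the public key and the layout. Returns (ok, counter).
    Rejects out-of-range signatures, malformed recoveries and replayed counters."""
    s = int.from_bytes(base64.b64decode(token), "big")
    if s >= n:
        return False, None
    m, nbytes = pow(s, e, n), filler_len(n)
    if m.bit_length() != nbytes * 8:  # the forced top bit of the filler must be present
        return False, None
    raw = m.to_bytes(nbytes, "big")
    counter = int.from_bytes(raw[COUNTER_OFFSET:COUNTER_OFFSET + COUNTER_LEN], "big")
    if counter <= last_counter:  # assumed host policy: counters must move forward
        return False, None
    return True, counter
```

The host keeps only the RSA public key and the counter layout; it never needs the fob's AES key, which is the "still known, but not chosen" property the thread describes: after verification the whole padded value is visible, but nobody outside the fob could pick it. Note that this is textbook RSA with ad hoc padding, shown to make the thread's construction concrete; a design that will ship should use a standard signature padding (RSASSA-PSS) and a real AES-CTR or AES-CMAC primitive for the filler.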
