Jan Zoellner wrote:

> At 15.02.01 13:04, you wrote:
> >point of using RSA if not ?, so I will insist once again on the fact that you
> >SHOULDN'T do that.
>
> I reimplemented the whole thing to be padded with random data (which are
> discarded upon decryption). PKCS#1 padding is worse than that, if I
> interpret the source correctly.

It sounds much better.

> >If your protocol _ever_ sends the same data block to two different
> >recipients, you are dead and buried.
>
> Different recipients don't matter: The data is privately encrypted and can
> be read by many recipients, all having possession of the same public key.
> (Symmetric or hybrid cryptography is not applicable.) Data is never sent to
> different recipients, as there is only one (at least from the viewpoint of used
> keys).

You are right, I spoke a bit too fast.

What's more, the attack I was referring to, as someone made me notice already,
requires "e" messages, not 2, so it's more difficult to do if you use a large e,
like 65535.

I remembered how I was told of an actual implementation, not using padding, that
could be broken this way very easily, but it sounds like it used e=3.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
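The exchange above turns on two facts: unpadded RSA with a small exponent is broken when the same plaintext goes out under e different moduli (Hastad's broadcast attack, which needs e ciphertexts rather than 2), and randomizing the plaintext before encryption defeats it. The following is an added illustration, not code from the thread or from OpenSSL. It uses toy 31-bit moduli with e = 3, a home-made "append random bits, discard on decryption" padding of the kind Jan describes (not PKCS#1 or OAEP), and constructed message values; the prime-search starting points, message values and padding width are all arbitrary choices made here.

```python
"""Toy RSA (e = 3): why one unpadded plaintext sent under e distinct moduli
is recoverable without any private key, and why random padding stops that.
Every parameter is tiny and constructed for illustration only."""
import secrets
from functools import reduce

E = 3


def is_prime(n):
    """Trial division; adequate for the ~16-bit primes used in this demo."""
    if n < 2:
        return False
    i = 2
    while i * i <= n:
        if n % i == 0:
            return False
        i += 1
    return True


def next_usable_prime(start, e=E):
    """Smallest prime p >= start with gcd(e, p - 1) == 1, so e is invertible mod phi."""
    p = start
    while not (is_prime(p) and (p - 1) % e != 0):
        p += 1
    return p


def keygen(p, q, e=E):
    """Return ((n, e), (n, d)) for the given primes."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return (n, e), (n, d)


def encrypt(pub, x):
    n, e = pub
    assert 0 <= x < n, "plaintext must be smaller than the modulus"
    return pow(x, e, n)


def decrypt(priv, c):
    n, d = priv
    return pow(c, d, n)


def pad(m, pad_bits):
    """The thread's idea: append fresh random bits that the receiver discards."""
    return (m << pad_bits) | secrets.randbits(pad_bits)


def unpad(x, pad_bits):
    return x >> pad_bits


def crt(residues, moduli):
    """Combine x = r_i (mod n_i), n_i pairwise coprime, into x mod prod(n_i)."""
    total = reduce(lambda a, b: a * b, moduli)
    x = 0
    for r, n in zip(residues, moduli):
        q = total // n
        x += r * q * pow(q, -1, n)
    return x % total


def iroot(x, k):
    """Exact integer k-th root of x, or None if x is not a perfect k-th power."""
    lo, hi = 0, 1 << ((x.bit_length() + k - 1) // k + 1)
    while lo < hi:
        mid = (lo + hi) // 2
        if mid ** k < x:
            lo = mid + 1
        else:
            hi = mid
    return lo if lo ** k == x else None


def broadcast_recover(ciphertexts, moduli, e=E):
    """Hastad: given e ciphertexts of the SAME x under e coprime moduli,
    CRT returns x**e itself (because x**e < prod(n_i)); a plain root yields x."""
    return iroot(crt(ciphertexts, moduli), e)


def toy_keys(starts=(40_000, 41_000, 42_000)):
    """Three independent toy key pairs (~31-bit moduli), all with e = 3.
    Constructed for the demo; real keys are 2048 bits or more."""
    return [keygen(next_usable_prime(s), next_usable_prime(s + 10_000)) for s in starts]


def unpadded_broadcast(m=10**9, keys=None):
    """Send m unpadded to all three keys.
    Returns (value recovered from 3 ciphertexts, value recovered from only 2).
    m is chosen so m**3 > n1*n2 but m**3 < n1*n2*n3: two ciphertexts are not enough."""
    keys = keys or toy_keys()
    pubs = [pub for pub, _ in keys]
    moduli = [n for n, _ in pubs]
    cts = [encrypt(pub, m) for pub in pubs]
    return broadcast_recover(cts, moduli), broadcast_recover(cts[:2], moduli[:2])


def padded_broadcast(m=0x2A5, pad_bits=20, keys=None):
    """Send m with fresh random padding for each recipient.
    Returns (attacker's result, what key 0 decrypts to,
             whether two encryptions of m under key 0 differ)."""
    keys = keys or toy_keys()
    pubs = [pub for pub, _ in keys]
    moduli = [n for n, _ in pubs]
    cts = [encrypt(pub, pad(m, pad_bits)) for pub in pubs]
    attacker = broadcast_recover(cts, moduli)   # residues of 3 different numbers: no root
    legit = unpad(decrypt(keys[0][1], cts[0]), pad_bits)
    again = encrypt(pubs[0], pad(m, pad_bits))
    return attacker, legit, again != cts[0]


if __name__ == "__main__":
    print("unpadded, 3 vs 2 ciphertexts:", unpadded_broadcast())
    print("padded (attacker, legit, fresh ciphertext differs):", padded_broadcast())
```

The second half also shows the property the thread worried about earlier: with random padding, encrypting the same data block twice under the same public key gives two different ciphertexts, so an observer cannot tell repeated messages apart.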
