From: Skybuck Flying on
Hmm, here are some links to possible attacks:

This attack mentions a small M is dangerous... those if I were to hash the
message then this would create a small M' which could be dangerous... so
maybe after hashing some padding is required ?:

(I didn't fully read it, just the attack against signatures part:)

http://www.dtc.umn.edu/~odlyzko/doc/index.calculation.rsa.pdf

(I did read this though, attack against small e, which shouldn't affect my
software since it uses big e):

(Link below mentions "stuff" added after M or in between:)

http://www.links.org/?p=136

Just two links which quickly popped up in google... many more though...
slightly worrying ;) :)

Bye,
Skybuck.


From: Skybuck Flying on
This is also an interesting link, describes many attacks, solutions, and
attacks against the solutions and hopefully finally some more solutions ;)
:):

http://www.jscoron.fr/cours/mics3crypto/m3.pdf

Reading it now... ;) :)

(I found it by googling: "How to implement RSA signatures securely" ;) :)

Bye,
Skybuck :)


From: unruh on
On 2010-05-07, Skybuck Flying <IntoTheFuture(a)hotmail.com> wrote:
> Hello,
>
> I was thinking about using RSA for its signature capabilities... it's
> important that messages are signed... the messages themselves can be out in
> the open... so encryption/decryption is not really needed and could actually
> make it less secure for small messages and require extra work for padding.
>
> I skimmed over this document for digital signatures, which mentions "plain"
> rsa signatures are kinda weak ?!?:
>
> http://en.wikipedia.org/wiki/Digital_signature

You did not read very well. The next sentence is

"As noted earlier, this basic scheme is not very secure. To prevent
attacks, one can first apply a cryptographic hash function to the
message m and then apply the RSA algorithm described above to the
result. This approach can be proven secure in the so-called random
oracle model."

Note that is what signature software actually does.


>
> And also this document for RSA which mentions the padding:
>
> http://en.wikipedia.org/wiki/RSA
>
> What I really want is "digital signatures" for people to use, so that they
> can identify themselves as being the same/true/real source of many messages.

Yes. If you expect them to actually do the modular arithmetic by hand,
no one will do it. However, if you use software, the software itself can
take care of things like padding, etc.


>
> So I wonder what the best/strongest digital signature algorithm is ?
>
> Any ideas ?!?
>
> Bye,
> Skybuck.

If someone could mimic someone else, could they make more than $1000000?
If not, I would not worry. If they could then you might want to do more
research.
The best/strongest signature is to make sure that the person himself is
standing in front of you when he delivers the message. Now that might be
too expensive for your purposes. I.e., asking for the "strongest" is silly
without telling us what costs you are willing to bear to implement it.

>
>
>
From: unruh on
On 2010-05-07, Skybuck Flying <IntoTheFuture(a)hotmail.com> wrote:
>
> "Scott Contini" <the_great_contini(a)yahoo.com> wrote in message
> news:a7098064-a341-47da-b432-aaa9819d4deb(a)r21g2000prr.googlegroups.com...
> On May 7, 2:33 pm, "Skybuck Flying" <IntoTheFut...(a)hotmail.com> wrote:
>> Hello,
>>
>> I was thinking about using RSA for its signature capabilities... it's
>> important that messages are signed... the messages themselves can be out
>> in
>> the open... so encryption/decryption is not really needed and could
>> actually
>> make it less secure for small messages and require extra work for padding.
>>
>> I skimmed over this document for digital signatures, which mentions
>> "plain"
>> rsa signatures are kinda weak ?!?:
>>
>> http://en.wikipedia.org/wiki/Digital_signature
>>
>> And also this document for RSA which mentions the padding:
>>
>> http://en.wikipedia.org/wiki/RSA
>>
>> What I really want is "digital signatures" for people to use, so that they
>> can identify themselves as being the same/true/real source of many
>> messages.
>>
>> So I wonder what the best/strongest digital signature algorithm is ?
>>
>> Any ideas ?!?
>>
>> Bye,
>> Skybuck.
>
>
> "
> RSA Signatures are weak if you don't use proper padding.
> But if you do padding as in the PKCS standard, then I
> think there are no known weaknesses to it.
> "
>
> Some quotes from the above links which I wonder about:
>
> 'and "plain" RSA signatures are not secure'
>
> What is meant with "plain" in this regard ? Do they mean unpadded messages ?
> or non-hashed messages ? or something totally different ?
>
> Later it goes on:
>
> 'As noted earlier, this basic scheme is not very secure. To prevent attacks,
> one can first apply a cryptographic hash function to the message m and then
> apply the RSA algorithm described above to the result. This approach can be
> proven secure in the so-called random oracle model.'
>
> I have a question:
>
> If a hash function is used on M does M still need to be padded to a "safe
> message length " ? and what would be a safe message length ?

The hash must be padded to the length of N, the public modulus.
(1024 bits or 128 bytes in the case of 1024 bit RSA)

>
> (They lost me on the random oracle model.. :))
>
> Bye,
> Skybuck.
>
>
From: unruh on
On 2010-05-07, Skybuck Flying <IntoTheFuture(a)hotmail.com> wrote:
> Hmmm,
>
> I am interested in these two algorithms, which I am going to read up on ;)
>
> http://en.wikipedia.org/wiki/Lamport_signature
>
> http://en.wikipedia.org/wiki/Merkle_signature_scheme
>
> I already wrote a merkle hash tree once and it was a fun algorithm.
>
> I am not yet sure how it's used for digital signatures so I am going to read
> up on that ! ;)
>
> RSA seems too weak and pretty damn complex.

RSA is NOT weak. And is trivial as far as complexity is concerned.
It certainly is far less complex than is a "Merkle hash tree".
If you are planning on writing the signing software, you are like the
lawyer who defends himself.
Use standard software.


>
> DSA seems to have the possibility of secret channel information which
> worries me.
>
> Both RSA and DSA are based on primes and factorization and such which might
> be broken by quantum computers which already exist and could become more
> powerful soon.

You know you are a perfect example of someone with a little knowledge.
Your worries are idiotic I am afraid.

>
> According to the weblinks above lamport, hashes and merkle trees would be
> more secure against quantum computers.. if that's really true remains to be
> seen but it's kinda interesting.
>
> It also allows me to re-use tiger hash algorithm and maybe implement the
> merkle tree myself so I don't have to be worried about code issues ?! ;) :)

Sheesh. The ability of people to think that their own incompetence will
overcome theoretical problems is astonishing. When you fly a plane do you
rush up to the cockpit and shoulder aside the pilot so that you can fly
the plane?


>
> I am not yet sure if merkle trees/hashes are efficient... but so far I
> think the top root needs to be sent over... I am not sure what else...
> that's what I need to read up upon... also a new algorithm: lamport which
> also seems kinda interesting ;)

By all means read and learn. But if you try to implement for some
practical project I hope you get fired. You will be a real danger to anyone
you are around.

>
> Bye,
> Skybuck.
>
>