Re: Problem with RSACryptoServiceProvider ( incorrect usage of public-private keys ? )
From: Valery Pryamikov (valery_at_harper.no)
Date: 03/28/05
- In reply to: Linas Kricenas: "Problem with RSACryptoServiceProvider ( incorrect usage of public-private keys ? )"
Date: Mon, 28 Mar 2005 19:54:16 +0200
A couple of other corrections:
"Linas Kricenas" <kricen@hotmail.com> wrote
> As far as I understand, only the following situations must be possible in
> public-private key encryption:
> 1) encrypt_with_public / decrypt_with_private
> 2) encrypt_with_private / decrypt_with_public
>
This is actually incorrect. The two main operations supported by public key
cryptosystems are:
- encryption;
- digital signatures.
Encryption assumes the use of the public key for encrypting information and
the private key for decrypting information.
Digital signatures assume the use of the private key for the signing
transformation and the use of the public key for signature validation.
Some public key cryptosystems allow signatures with message recovery (raw
RSA - i.e. the RSA trapdoor permutation with the private key applied to the
plain text message). That message recovery is what you call the decrypt with
public key operation. The problem with using RAW RSA encryption (or RAW RSA
signature with message recovery) is that RAW RSA IS BROKEN DEAD. If someone
tells you otherwise, it could be either due to insufficient knowledge of the
subject or because of misuse of the RSA acronym for naming many different
things:
- The RSA trapdoor permutation, which is one of the most important
cryptographic primitives and is very good indeed.
- The raw RSA encryption system as it was described in the paper by Rivest,
Shamir, Adleman in 1977, i.e. using the RSA trapdoor permutation on non-padded
messages. This dropped dead long ago due to the many terrible weaknesses that
have been found since RSA's invention.
- OAEP RSA - is very good and is provably secure.
- PKCS 1.5 RSA is quite good, even though it is not provably secure and is
subject to several attacks (like Bleichenbacher's attack on RSA PKCS 1.5
reporting padding errors back to the adversary).
- RSA signature with prefix (i.e. message hash encrypted with private key).
This is very good, and if we assume that the hash provides us with specific
properties (behaves as a random oracle) - an RSA signature on such a hash is
provably secure.
The number of attacks on raw RSA is so big that the only two ways of
keeping your system safe against these attacks are to use a non-broken RSA
mode - or to be really very proficient within the field (at least a couple of
decades), know all the attacks and how they could apply to your use of the RSA
trapdoor permutation, and make sure that your system is protected against
them. Speaking for myself - I know that I don't qualify for the last - so I
stick to the first and only use schemes that are proven to be secure.
-Valery.
http://www.harper.no/valery
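
The two operations described in the message above, shown with RSACryptoServiceProvider as an added example that is not part of the original post: OAEP encryption (public key encrypts, private key decrypts) and a hashed signature (private key signs, public key verifies). The class name, the 2048-bit key size, SHA-256 and the sample message are assumptions made for the illustration; the HashAlgorithmName overloads need .NET Framework 4.6 or later.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Hypothetical demo class, written for this example only.
class RsaRolesDemo
{
    static void Main()
    {
        // Constructed sample input.
        byte[] message = Encoding.UTF8.GetBytes("constructed sample message");

        using (var keyPair = new RSACryptoServiceProvider(2048))   // holds private + public key
        using (var publicOnly = new RSACryptoServiceProvider())    // what the other party holds
        {
            // Export with includePrivateParameters = false: modulus and exponent only.
            publicOnly.ImportParameters(keyPair.ExportParameters(false));

            // Encryption: public key encrypts, private key decrypts.
            // The second argument (fOAEP = true) selects OAEP padding instead of PKCS#1 v1.5.
            byte[] cipher = publicOnly.Encrypt(message, true);
            byte[] plain = keyPair.Decrypt(cipher, true);
            Console.WriteLine("OAEP round trip: " + Encoding.UTF8.GetString(plain));

            // Signature: private key signs a hash of the message, public key verifies.
            // Nothing is "decrypted with the public key"; VerifyData only answers yes or no.
            byte[] signature = keyPair.SignData(
                message, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
            Console.WriteLine("Signature valid: " + publicOnly.VerifyData(
                message, signature, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1));

            // A single flipped bit in the message must make verification fail.
            byte[] modified = (byte[])message.Clone();
            modified[0] ^= 0x01;
            Console.WriteLine("Modified message valid: " + publicOnly.VerifyData(
                modified, signature, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1));

            // The holder of the public key alone cannot decrypt.
            try
            {
                publicOnly.Decrypt(cipher, true);
            }
            catch (CryptographicException)
            {
                Console.WriteLine("Public-only key cannot decrypt.");
            }
        }
    }
}
```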