Re: RSACryptoServiceProvider minimum key-length

From: Dominick Baier <dbaier@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
Date: Fri, 16 Mar 2007 13:25:41 +0000 (UTC)

cool - problem "solved" :P

-----
Dominick Baier (http://www.leastprivilege.com)

Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)

hi,

FYI: we are now using a third-party .net lib
(http://www.cryptosys.net/ pki/) which alllows us to use the required
key length. seems to work fine...

br, pingram.

On 13 Mrz., 16:44, "Valery Pryamikov" <val...@xxxxxxxxx> wrote:

On Mar 13, 7:45 am, "Joe Kaplan"

<joseph.e.kap...@xxxxxxxxxxxxxxxxxxxxxxxx> wrote:

It sounds like you are out of luck then. Like Valery said, this key
is so insecure as to be useless and is not supported by .NET
cryptography. I'm not sure what options you have. Perhaps an
alternate crypto API for .NET supports such weak keys.

I'd suggest pushing back on the spec or looking for different
options.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services
Programming"http://www.directoryprogramming.net

Thanks Joe for warm wellcomeback :D.

As about available options for the original poster - the best one
would be to fire the person that did the spec because this kind of
ignorance is really depressive. Person knows nothing about
cryptography, but consider him/her self capable of writting crypto/
security spec.
As I understand - all they wanted is to have a short authentication
code. I'm not even sure that they needed signature as authentication
code, but even for that - there are short signatures available that
simultaneously provide good security bounds. But if they only need
authentication code - they could simply use MAC (or HMAC).
-Valeryhttp://www.harper.no/valery

References:
- Re: RSACryptoServiceProvider minimum key-length
  - From: wip

Prev by Date: Re: WindowsIdentity - Invalid token; it cannot be duplicated
Next by Date: Re: Windows authendicate
Previous by thread: Re: RSACryptoServiceProvider minimum key-length
Next by thread: Windows authendicate
Index(es):
- Date
- Thread

Relevant Pages

Re: RSACryptoServiceProvider minimum key-length
... pki/) which alllows us to use the required key length. ... insecure as to be useless and is not supported by .NET cryptography. ... As I understand - all they wanted is to have a short authentication ... I'm not even sure that they needed signature as authentication ...
(microsoft.public.dotnet.security)
Re: RSACryptoServiceProvider minimum key-length
... On Mar 13, 7:45 am, "Joe Kaplan" ... insecure as to be useless and is not supported by .NET cryptography. ... I'd suggest pushing back on the spec or looking for different options. ... As I understand - all they wanted is to have a short authentication ...
(microsoft.public.dotnet.security)
Re: Does OTP need authentication?
... >> You are attending the FSE crypto conference in New Delhi. ... > scenario provided both message integrity and message authentication. ... This is true of all cryptography, whether symmetric-key, ... Data origin authentication is a type of authentication ...
(sci.crypt)
Re: Cryptography opinions
... cryptography in general is authentication. ... Secure communications, bundled with secure authentication means, are the ... access networks, ...
(sci.crypt)
Re: Security - ciphers - autentification
... I think you're heading down the wrong path, my friend. ... Cryptography), you need to define exactly what you're trying to protect, ... your description sounds like a reinvention of HTTP digest authentication, ... reason for avoiding established algorithms and protocols. ...
(SecProg)