Re: gnupg / rsa padding question

vedaal wrote: 
using rsa, assuming N=4096, e=65537

how large must the padding be to maintain security against a known
plaintext attack?

I think the original OAEP paper addresses that. See http://www.cs.ucdavis.edu/~rogaway/papers/oaep-abstract.html.


specifically, with regard to gnupg/pgp messages done with a 4k rsa key,
and a 256 bit symmetric algorithm,
the session key is a string of 64 characters,  composed of  { 0,1, ...
, 9, A, B, ... , F }

if the padding added to the session key, is a large string,
then,
how much of that string can be used as a steganographic channel to
contain an additional message, and still maintain enough padding to
keep the entire message secure?

If you don't want to mess with the session key itself, then your answer is the maximum length "message" under OAEP, minus the length of the session key.

i.e.
the minimal p'  so that ( k + m + p' )  =  ( k + p )
where
  k == session key
  p == quantity of padding currently typically used when encrypting a
session key to a 4096 rsa key
  p' == minimal amount of padding really necessary for securely
encrypting to the same 4096 rsa key
  m == message string added along with new minimal amount of padding,
so that what is being encrypted to the 4096 rsa key remains the same
size, and indistinguishable, from a typical session key that would be
encrypted to the same key


if ( p' ) is small enough to allow for an ( m ) large enough to encode
a detailed communication,
then this could be utilized for a practical and undetecable,
steganographic channel in gnupg,
with good plausible deniability.
...


--Mike Amling
.

Relevant Pages

  • gnupg / rsa padding question
    ... how large must the padding be to maintain security against a known ... specifically, with regard to gnupg/pgp messages done with a 4k rsa key, ... encrypting to the same 4096 rsa key ... Bob using the following gnupg command: ...
    (sci.crypt)
  • Re: gnupg / rsa padding question
    ... >> how large must the padding be to maintain security against a known ... >> specifically, with regard to gnupg/pgp messages done with a 4k rsa key, ... public key needs a message to encrypt of 1023 bits at least. ... Of course if someone can decrypt the M then have the session key and can ...
    (sci.crypt)
  • Re: forcing key reexchange after every 1kb?
    ... thought that the data that consumes window space alone should be ... is to avoid encrypting too much data with the same session key, ... And technically, yes, the rekey packets themselves are encrypted ...
    (comp.security.ssh)
  • Re: RijndaelManaged problem...
    ... If you wish to pad with zeros, the temporary workaround is to do the padding ... is not a multiple of the block size (which it does in Everett). ... > Encrypting 27 bytes ...
    (microsoft.public.dotnet.security)
  • Re: Removing extra padding.
    ... While Encrypting a file the original data gets padded as per the ... I remove this extra padding in the output, ... in bits of the padded message becomes congruent to 448, modulo 512. ... This method can only be used to pad messages which are a whole number ...
    (sci.crypt)