Re: RSA padding questions

Joseph Ashwood wrote:

assume a plaintext of 'm1', encrypted using RSA and standard OAEP
padding, to produce a ciphertext 'c'


is it possible to construct a different padding system, so that a
different plaintext 'm2',
encrypted with the same RSA key, but with the new padding,
still produces the same ciphertext 'c' ?

It's always possible to do that, just don't know why you'd really want to,
it would be extremely insecure. You're talking about steganography, the
problem is that with stego there is a basic assumption that they don't know
there is a (second) message, here they know.

Thanks, for answering,

(btw,
sometimes, (here in sci.crypt), i don't know what to make of a ' no
answer ' ...

as i take pains to avoid trolling or flaming,
a ' no answer' sort of feels like:

" it' really too obvious to explain without making you feel stupid,
and you really didn't post anything deserving of an rtfm/stfw
brush-off,
so maybe it's best just not to answer ... "

so, just for the record,

i * appreciate and am thankful for *
any answers that help me learn,
even if accompanied by ' flames of frustration ' ;-) )

ok,
that said,


i don't understand why a second message would be detectable,
if:

(a) a secure, non-OAEP padding is used,
and kept padding method kept secret between the correspondents,

(b) m1 is meaningful (decoy) plaintext


but,

if what you are saying,
is that the only way that this could be done, is to have m1 be
gibberish plaintext,
easily distinguishable from ciphertext,
then i agree,
it wouldn't be an effective stego channel

( but if it ' could ' be done,
then it would approach the Holy Grail of stego,
in providing a zero-distortion carrier channel,
plausibly deniable,
as well as providing the attackers with
false confidence and useful dis-information )


TIA,

vedaal

.

Relevant Pages

  • Re: Removing extra padding.
    ... While Encrypting a file the original data gets padded as per the ... I remove this extra padding in the output, ... the length of the plaintext and then pad, ... then starting from the first byte count left through the ciphertext until ...
    (sci.crypt)
  • Re: AES encryption with Java
    ... There is at least one padding byte. ... I'm pretty sure that if you encrypt plaintext that is 16 ... bytes long you should receive ciphertext that is 16 bytes long. ... I'm encrypting 16 byte plaintext and ending up with 32 byte ...
    (comp.lang.java.security)
  • Re: Encryption using System.Security.Cryptography
    ... Since the first plaintext block doesn't have a preceeding encrypted block, ... Where ct1...3 are the resulting ciphertext blocks. ... >Subject: Re: Encryption using System.Security.Cryptography ... >the Padding property of the Rijndael class). ...
    (microsoft.public.dotnet.security)
  • RSA // linking plaintext to ciphertext
    ... >> the plaintext), ... >> ciphertext, ... which is not not the same as the known ciphertext when padding is ... even if encrypt, then sign or sign&encrypt, is used, ...
    (sci.crypt)
  • Re: RSA padding questions
    ... and kept padding method kept secret between the correspondents, ... m1 is meaningful plaintext ... be a carrier until "alternative methods" show otherwise. ...
    (sci.crypt)