[42169] in cryptography@c2.net mail archive


Re: Raw RSA

daemon@ATHENA.MIT.EDU (Alexander Klimov)
Mon Sep 11 08:17:31 2006

X-Original-To: cryptography@metzdowd.com
Date: Sun, 10 Sep 2006 23:36:38 +0300 (IDT)
From: Alexander Klimov <alserkli@inbox.ru>
To: "James A. Donald" <jamesd@echeque.com>
Cc: cryptography@metzdowd.com
In-Reply-To: <45033C61.3000808@echeque.com>

On Sun, 10 Sep 2006, James A. Donald wrote:
> Could you describe this attack in more detail.  I do not see a
> scenario where it would be useful.

Suppose that an attacker runs an ActiveX control on the user's
computer and the control is able to ask a smart card connected to the
computer to perform raw RSA operations with the user's private key. The
goal of the attacker is to be able to sign some useful messages with
the user's private key *after* the user disconnects his smart card.

> The attacker can encrypt a subset of numbers - those that encrypt to
> a B smooth number, but for this to be useful to him, he has to find
> a number in the subset set that corresponds to what he desires to
> encrypt, which looks like a very long brute force search.

If the attacker needs to sign a message x, he needs to find a smooth
number y = x + k n, where n is the RSA modulus and k is some arbitrary
number. I forgot what the algorithm to find such y was (I am not even
sure that it exists), IIRC, it was based on LLL.

-- 
Regards,
ASK

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
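
The multiplicative property that the scenario in this message relies on, shown as an added example (not part of the original message) with a constructed toy key: raw signatures on small primes compose into a raw signature on any smooth y, which verifies for x = y mod n, while a card that hashes before exponentiating does not have this property. All names and values are assumptions, and the SHA-256 step is a simplified stand-in for a real padding scheme such as RSA-PSS.

```python
import hashlib

# Constructed toy key: two Mersenne primes, far too small for real use.
P, Q, E = 2**31 - 1, 2**61 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, held only by the "card"

def card_raw_sign(m):
    """What a token exposing raw RSA does: m^d mod n, no hashing or padding."""
    return pow(m, D, N)

def digest_int(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N

def card_hashed_sign(msg):
    """Simplified stand-in for a padded scheme: hash first, then exponentiate."""
    return pow(digest_int(msg), D, N)

def verify_raw(m, sig):
    return pow(sig, E, N) == m % N

def verify_hashed(msg, sig):
    return pow(sig, E, N) == digest_int(msg)

def compose(y, prime_sigs):
    """Raw signature on y built only from stored signatures on primes (no D).
    Returns None when y does not factor completely over those primes."""
    if y < 1:
        return None
    sig = 1
    for p, s in prime_sigs.items():
        while y % p == 0:
            y //= p
            sig = sig * s % N
    return sig if y == 1 else None

# While the card is attached: raw signatures on a few small primes are recorded.
STORED = {p: card_raw_sign(p) for p in (2, 3, 5, 7, 11, 13)}
# After the card is removed: Y is smooth and larger than N, so Y = X + k*N.
Y = 2**70 * 3**20 * 7**5          # constructed sample value
X = Y % N
FORGED = compose(Y, STORED)       # valid raw signature on X, made without D

if __name__ == "__main__":
    print("raw signature on X verifies:", verify_raw(X, FORGED))
```

The defensive point is that the private-key device should apply hashing and padding itself and never expose the bare exponentiation to host software.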
