Re: PGP scripting...

From: Pavel Kankovsky (peakat_private)
Date: Sun Jan 12 2003 - 12:23:53 PST


    On Fri, 10 Jan 2003, The Amazing Dragon wrote:
    
    > They've chosen to include more information than required in the private
    > portion, and prevent you from swapping the two keys. These are not
    > requirements of RSA though. Simply swap the "D" and "Exponent" portions,
    > and the system will decrypt when it is supposed to be encrypting and vice
    > versa. Note that this new public/private pair is a perfectly valid RSA
    > key pair.
    
    Such a pair of keys would be functional but you might lose all security
    when you swap the exponents.
    
    For instance, a public exponent (e) is often a small number (for instance
    2^16 + 1 is a popular value) and there are known attacks (e.g. Wiener's
    attack and its improvement by Boneh and Durfee) against small values of
    a private exponent (d).
    
    
    On Fri, 10 Jan 2003, Jason Coombs wrote:
    
    > Worst-case, if a private key contains only p and q in addition to d then the
    > n portion of the public key is known, which leaves only e unknown but e is
    > easily derived when p, q, d and n are known and you are in possession of a
    > sample of the ciphertext produced using {e,n} -- thus anyone who possesses a
    > private key can derive the corresponding public key if the public key is
    > ever used to produce ciphertext.
    > 
    > The cryptanalysis would look something like this, based on reversing the key
    > generation algorithm:
    
    There is no cryptanalysis. You know p, q (and hence n = pq, and z =
    \phi(n) = (p-1)(q-1)), and d. You compute e such that ed = 1 (mod z),
    i.e. the modular inverse of d, the same way you would compute d from e
    when generating a new key (using Euclid's algorithm). Game over.
    
    The factorization of the modulus (n) must be kept secret by the owner of
    the private key. In fact, p, q, or z do not have to be included in the
    private key at all to make all the computations; implementors include them
    for their own convenience (e.g. faster computation using CRT).
    
    
    --Pavel Kankovsky aka Peak  [ Boycott Microsoft--http://www.vcnet.com/bms ]
    "Resistance is futile. Open your source code and prepare for assimilation."
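Pavel's two points, that a holder of p, q and d recomputes e with Euclid's algorithm and needs no ciphertext, and that a swapped exponent pair stays functional but falls under Wiener's bound, worked through in Python as an added example (not code from the original thread); the primes and exponents are constructed toy values, far too small for real use.

```python
# Added example, not from the original thread. All key values are constructed
# toy numbers chosen so the arithmetic can be followed by hand.

def egcd(a, b):
    """Extended Euclid: returns (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    x0, y0, x1, y1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0

def modinv(a, m):
    """Inverse of a modulo m, or ValueError if it does not exist."""
    g, x, _ = egcd(a, m)
    if g != 1:
        raise ValueError("no inverse: gcd(a, m) != 1")
    return x % m

def recover_public_exponent(p, q, d):
    """Given private key material p, q, d, the public exponent is simply the
    inverse of d modulo z = phi(n) = (p-1)(q-1); no ciphertext is involved.
    This is the same computation key generation uses to get d from e."""
    z = (p - 1) * (q - 1)
    return modinv(d, z)

def roundtrip(m, enc_exp, dec_exp, n):
    """RSA round trip with the exponents in whichever roles the caller picks."""
    return pow(pow(m, enc_exp, n), dec_exp, n)

def wiener_weak(priv_exp, n):
    """Wiener's bound: a private exponent below n^(1/4)/3 is recoverable from
    the public key alone. Checked in integers as 3*d^4 < n. A public e such
    as 2^16+1 moved into the private slot of a real-size key fails this."""
    return 3 * priv_exp ** 4 < n

if __name__ == "__main__":
    p, q = 61, 53                       # constructed toy primes
    n, e = p * q, 17                    # n = 3233
    d = modinv(e, (p - 1) * (q - 1))    # 2753
    print(recover_public_exponent(p, q, d) == e)   # True: "game over"
    print(roundtrip(65, d, e, n) == 65)            # True: swapped pair works
    print(wiener_weak(65537, 2 ** 2048))           # True: but is insecure
```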
    



    This archive was generated by hypermail 2b30 : Sun Jan 12 2003 - 19:33:03 PST