On Fri, 10 Jan 2003, The Amazing Dragon wrote:
> They've chosen to include more information than required in the private
> portion, and prevent you from swapping the two keys. These are not
> requirements of RSA though. Simply swap the "D" and "Exponent" portions,
> and the system will decrypt when it is supposed to be encrypting and vice
> versa. Note that this new public/private pair is a perfectly valid RSA
> key pair.
Such a pair of keys would be functional but you might lose all security
when you swap the exponents.
For instance, a public exponent (e) is often a small number (for instance
2^16 + 1 is a popular value) and there are known attacks (e.g. Wiener's
attack and its improvement by Boneh and Durfee) against small values of
a private exponent (d).
On Fri, 10 Jan 2003, Jason Coombs wrote:
> Worst-case, if a private key contains only p and q in addition to d then the
> n portion of the public key is known, which leaves only e unknown but e is
> easily derived when p, q, d and n are known and you are in possession of a
> sample of the ciphertext produced using {e,n} -- thus anyone who possesses a
> private key can derive the corresponding public key if the public key is
> ever used to produce ciphertext.
>
> The cryptanalysis would look something like this, based on reversing the key
> generation algorithm:
There is no cryptanalysis. You know p, q (and hence n = pq, and z =
\phi(n) = (p-1)(q-1)), and d. You compute e such that ed = 1 (mod z),
i.e. the modular inverse of d, the same way you would compute d from e
when generating a new key (using Euclid's algorithm). Game over.
The factorization of the modulus (n) must be kept secret by the owner of
the private key. In fact, p, q, or z do not have to be included in the
private key at all to make all the computations; implementors include them
for their own convenience (e.g. faster computation using CRT).
--Pavel Kankovsky aka Peak [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."
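The "no cryptanalysis" point above, as an added example (not code from the thread or from any poster): holding p, q and d, you get e with one modular inverse modulo phi(n), the same extended-Euclid step key generation uses to get d from e; the primes are constructed toy values, not real key material.

```python
"""Added illustration of the thread's point: e is recoverable from (p, q, d)
by running the key-generation step backwards. The two primes below are
constructed toy values so the script runs instantly; a real key uses
primes hundreds of digits long, but the arithmetic is identical."""

def egcd(a, b):
    """Extended Euclid: returns (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    x0, x1, y0, y1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0

def modinv(a, m):
    """Inverse of a modulo m; raises if gcd(a, m) != 1 (no inverse exists)."""
    g, x, _ = egcd(a, m)
    if g != 1:
        raise ValueError("no modular inverse")
    return x % m

def make_key(p, q, e=65537):
    """Textbook RSA key generation: n = p*q, z = phi(n), d = e^-1 mod z."""
    n, z = p * q, (p - 1) * (q - 1)
    return n, e, modinv(e, z)

def recover_e(p, q, d):
    """Anyone holding p, q and d gets e with one modinv and no ciphertext:
    it is the same computation that produced d, with the roles exchanged."""
    return modinv(d, (p - 1) * (q - 1))

def roundtrip(n, x, y, m):
    """True if exponent y undoes exponent x for message m (m < n). It holds
    for either ordering, which is why a swapped pair still 'works' as RSA."""
    return pow(pow(m, x, n), y, n) == m

if __name__ == "__main__":
    p, q = 1000003, 1000033  # constructed toy primes (both prime)
    n, e, d = make_key(p, q)
    print("e recovered from (p, q, d):", recover_e(p, q, d))  # prints 65537
    print("swapped pair round-trips:", roundtrip(n, d, e, 123456))
```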
This archive was generated by hypermail 2b30 : Sun Jan 12 2003 - 19:33:03 PST