AW: [EMAIL PROTECTED]: Skype security evaluation]

2005-10-31 Thread Kuehn, Ulrich
 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On behalf of cyphrpunk
 Sent: Friday, 28 October 2005 06:07
 To: [EMAIL PROTECTED]; cryptography@metzdowd.com
 Subject: Re: [EMAIL PROTECTED]: Skype security evaluation]
 
 Wasn't there a rumor last year that Skype didn't do any 
 encryption padding, it just did a straight exponentiation of 
 the plaintext?

 Would that be safe, if as the report suggests, the data being 
 encrypted is 128 random bits (and assuming the encryption 
 exponent is considerably bigger than 3)? Seems like it's 
 probably OK. A bit risky perhaps to ride bareback like that 
 but I don't see anything inherently fatal.
 
There are results available on this issue: First, a paper by 
Boneh, Joux, and Nguyen, "Why Textbook ElGamal and RSA Encryption 
are Insecure", showing that you can essentially halve the number 
of bits in the message, i.e. in this case the symmetric key 
transmitted. 

Second, it turns out that the tricky part is the implementation 
of the decryption side, where the straightforward way -- ignoring 
the padding with 0s (They are zeroes, aren't they?) -- gives you a 
system that might be attacked in a chosen plaintext scenario very 
efficiently, obtaining the symmetric key. See my paper "Side-Channel 
Attacks on Textbook RSA and ElGamal Encryption" at PKC 2003 for 
details.

Hope this answers your question.

Ulrich
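
The "halve the number of bits" result mentioned in the reply, as an added example that is not part of the original message or the cited papers' code. It assumes a constructed toy modulus and a 20-bit key standing in for the 128-bit session key; `padded_encrypt` is a hypothetical stand-in for randomized padding, not OAEP.

```python
# Added illustration; every parameter below is a constructed toy value.
import secrets

E = 65537
N = (2**31 - 1) * (2**61 - 1)   # two Mersenne primes, far too small for real use
KEY_BITS = 20                   # stands in for the 128-bit session key

def textbook_encrypt(m):
    """Straight exponentiation of the plaintext, no padding."""
    return pow(m, E, N)

def padded_encrypt(m, r):
    """Hypothetical stand-in for randomized padding: r fills the high bits."""
    return pow((r << KEY_BITS) | m, E, N)

def split_search(c, key_bits=KEY_BITS):
    """Look for m < 2**key_bits with m**E == c (mod N), assuming m = x*y with
    x, y <= 2**(key_bits/2). Relies on E(x)*E(y) == E(x*y) (mod N).
    Returns (m or None, number of modular exponentiations spent)."""
    half = 1 << (key_bits // 2)
    ops = 0
    table = {}
    for x in range(1, half + 1):
        table[c * pow(x, -E, N) % N] = x    # c / x^E mod N
        ops += 1
    for y in range(1, half + 1):
        ops += 1
        x = table.get(pow(y, E, N))         # does y^E equal c / x^E ?
        if x is not None:
            return x * y, ops
    return None, ops                        # key does not split this way

def demo():
    key = 1009 * 1021                       # constructed 20-bit key
    found, ops = split_search(textbook_encrypt(key))
    r = secrets.randbits(64) | (1 << 63)    # padded value still below N
    padded_found, _ = split_search(padded_encrypt(key, r))
    return key, found, ops, padded_found

if __name__ == "__main__":
    key, found, ops, padded_found = demo()
    print(f"unpadded: recovered {found} in {ops} exponentiations "
          f"(exhaustive search: up to {2**KEY_BITS})")
    print(f"padded:   search result {padded_found}")
```

Only keys that factor into two half-size parts are found, which is why the cited result is about a fraction of keys rather than all of them.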



