Anton Stiglic wrote:
>> - Should it do blinding for RSA signatures as well as RSA
>> decryption?
>
> If you are a client, and you manually control the signature
> generation (like you use PGP to sign email messages), I wouldn't
> implement blinding. But if you are a server (or a client that
> automatically responds to requests) that signs messages for some
> reason, and you receive many requests, I would.
The way I understand the attack, you have to throw a million specially-chosen guesses at the server, which it will blindly attempt to decrypt and use. Basically, you're getting the server to decrypt chosen ciphertext for you.

I don't see how the attack can apply to signatures, where the server itself is formatting the data to be signed. Unless the server is just directly signing (RSA-encrypting) arbitrary client-supplied data, but that's a no-no anyway.

This is slightly more than theoretical, as OCSP servers do nothing but emit signed responses. An OCSP client can only indirectly influence some of the data that a server signs, and so it seems very difficult to pull off the attack.

M.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
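For readers following the thread, here is the blinding step both posters are discussing, written out as an added example; it is not code from either message or from any library mentioned in the thread. The key is a constructed toy (two well-known primes, no padding), and the `rng` parameter exists only so the behaviour can be checked deterministically. The point it shows is that the private-key exponentiation, the operation whose timing an attacker measures, never runs on the caller's input, whether that input is a chosen ciphertext or a hash to be signed; it runs on `x * r^e mod n` for a fresh random `r`, and `r` is divided back out afterwards.

```python
import hashlib
import math
import secrets

# Constructed toy RSA key, far too small for real use; the two primes are
# well known and chosen so every step runs instantly. pow(x, -1, m) needs
# Python 3.8+.
P = 1000000007
Q = 998244353
N = P * Q
E = 65537
PHI = (P - 1) * (Q - 1)
assert math.gcd(E, PHI) == 1
D = pow(E, -1, PHI)


def private_op(x: int) -> int:
    """Unprotected private-key operation x^d mod n.

    Decryption and signing are both this one exponentiation; its running
    time depends on x, which is what a remote attacker who can choose x
    measures."""
    return pow(x, D, N)


def blinded_private_op(x: int, rng=secrets.randbelow) -> tuple:
    """x^d mod n computed without ever exponentiating the caller's x.

    Returns (result, blinded_input): the second value is what the
    timing-observable exponentiation really ran on, so a caller can see
    that it is unrelated to x. rng is injectable only to make the example
    testable; real code keeps the default."""
    while True:
        r = rng(N - 2) + 2              # r uniform in [2, n-1]
        if math.gcd(r, N) == 1:
            break
    r_inv = pow(r, -1, N)
    blinded = (x * pow(r, E, N)) % N    # x * r^e  mod n
    y = pow(blinded, D, N)              # (x * r^e)^d = x^d * r  mod n
    return (y * r_inv) % N, blinded     # strip r to recover x^d mod n


def encrypt(m: int) -> int:
    return pow(m, E, N)


def decrypt_blinded(c: int) -> int:
    return blinded_private_op(c)[0]


def digest_for_signing(message: bytes) -> int:
    # Toy: hash reduced mod n, with none of the PKCS#1 padding a real
    # signer must apply. Only the blinding step is the point here.
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def sign_blinded(message: bytes) -> int:
    return blinded_private_op(digest_for_signing(message))[0]


def verify(message: bytes, sig: int) -> bool:
    return pow(sig, E, N) == digest_for_signing(message)


if __name__ == "__main__":
    c = encrypt(424242)
    print("decrypt:", decrypt_blinded(c))
    msg = b"constructed OCSP-style response body"
    print("verify:", verify(msg, sign_blinded(msg)))
    # Two runs on the same input exponentiate different blinded values,
    # and neither of them is the ciphertext the client supplied.
    _, b1 = blinded_private_op(c)
    _, b2 = blinded_private_op(c)
    print("blinded inputs differ:", b1 != b2, "neither is c:", c not in (b1, b2))
```

The decryption and signing wrappers are deliberately the same two lines around `blinded_private_op`, which is the technical content of Anton's answer: the protection attaches to the private exponentiation, not to what the caller intends the result to mean. Whether a given signing server needs it is the question M. raises, and the example takes no position on it.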