Anton Stiglic wrote:
>> - Should it do blinding for RSA signatures as well as RSA 
>> decryption?
> If you are a client, and you manually control the signature 
> generation (like you use PGP to sign email messages), I wouldn't 
> implement blinding. But if you are a server (or a client that 
> automatically responds to requests) that signs message for some 
> reason, and you receive many requests, I would.

The way I understand the attack, you have to throw a million
specially-chosen guesses at the server, which it will blindly attempt to
decrypt and use.  Basically, you're getting the server to decrypt chosen
ciphertext for you.

I don't see how the attack can apply to signatures, where the server
itself is formatting the data to be signed.  Unless the server is just
directly signing (RSA-encrypting) arbitrary client-supplied data, but
that's a no-no anyway.

This is slightly more than theoretical, as OCSP servers do nothing but
emit signed responses.  An OCSP client can only indirectly influence
some of the data that a server signs, and so it seems very difficult to
pull off the attack.


The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Reply via email to