Are there any known vulnerabilities associated with an attacker who can provide plaintext and receive a signature for it? I'm planning a simple computer-auth system where a client sends a random token to the server, and then the server signs and returns it to prove that the server has the private key. I'm wondering if a malicious client could provide a certain plain text such that it could learn something about the private key based on the returned signature.
Similar attacks have happened on the APOP authentication scheme, which uses MD5: a fake server presents a token to the client which gets hashed with the client's password and sent back: by using certain tokens, the server is able to drastically narrow down the range of a brute force attack on the password, and after several such attacks, people have actually been able to recover the first few characters of the password.

So now I'm wondering if any similar vulnerability is known for OpenPGP signatures.

Thanks,
-Brian

--
Feel free to contact me using PGP Encryption:
Key Id: 0x3AA70848
Available from: http://keys.gnupg.net

_______________________________________________
Gnupg-users mailing list
[email protected]
http://lists.gnupg.org/mailman/listinfo/gnupg-users
