Hello,

> I just want to store some authentication data - a username, group and
> date - on a "token", which only offers passive storage (116 byte
> EEPROM) without any cryptographic functions, to save a secret
> (normally a private key) from outside access. So this authentication
> data must be encrypted to prevent unauthorized modification, because
> every - maybe unauthorized - person can read and write on this
> "token".

Maybe I do not understand this correctly, but if you want to encrypt some data with an RSA 1024-bit key then you will get 128 bytes of output ciphertext. It is not important what padding scheme you use (or even no padding at all): you get 128 bytes of output from the modular exponentiation process. So you will not be able to store this on your token. Or maybe I really miss something :-)

> This "token" should be used for a two-factor authentication
> process with an additional password or PIN. So, I want to use one
> private RSA key to centrally sign this data. Decentrally, I intend to
> verify the RSA signature with the corresponding public key. If the
> verification process is successfully done, then the information stored
> on the token is valid.

Ok, but in this case the token can be copied without problem. In general this works like a mini-certificate, but so-called certificate authentication requires not only the certificate but the corresponding private key too. The verification process must prove that the peer has the secret private key, and then the information from the certificate is checked. Or maybe the token has some unique information (like a serial number stored in non-writable memory) which can be inserted into the user authentication data (which is signed) to limit copying.

> The problem is that deterministic encryption methods (like RSA)
> offer the possibility of a {known, chosen}-plaintext attack,
> because the users (partially) know their own authentication data!

In this case I think this is not a problem, because this is a data signing process. In PKCS1, when you sign data with the private key there is NO random information generated. All of the message that is encrypted with the private key is known. For example, if you want to sign some message you calculate its digest (hash, SHA1 for example), next you build an ASN.1 DigestInfo structure, and pad this with PKCS1. But this padding only adds a known block in front of DigestInfo, and you get something like that:

0x0001FFFF.....FF00DigestInfo

and this is encrypted with the private key. As you see, there is no random information in this case.

> My questions are very simple: Is the RSA crypto-system with random
> padding (e.g. default PKCS#1 v1.5 or OAEP) "strong enough" to
> implement such a solution or is my concept totally insecure and I
> should use e.g. an ElGamal encryption system?

As I told before, signing with PKCS#1 does not implement random padding but static.

Best regards,
--
Marek Marcola <[EMAIL PROTECTED]>
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
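The two points made in the reply above (a PKCS#1 v1.5 signature is deterministic with a fixed `0x0001FF...FF00 || DigestInfo` padding, and an RSA result is always as long as the modulus, so 128 bytes for a 1024-bit key) can be checked with a small self-contained script. The code below is an added example, not part of the mailing-list thread and not OpenSSL code: it implements RSASSA-PKCS1-v1_5 (RFC 8017) in pure Python with a toy key generator, uses SHA-256 rather than the SHA1 named in the reply, and the token record, the serial-number field and the 116-byte EEPROM limit it checks against are constructed from the question.

```python
# Added example (not from the original thread, not OpenSSL code).
# Pure-Python RSASSA-PKCS1-v1_5 to show two properties the reply relies on:
#   1. the padded block is 0x00 0x01 FF..FF 0x00 || DigestInfo, no randomness;
#   2. the signature is exactly as long as the modulus (128 bytes for 1024 bits),
#      so it cannot fit into the 116-byte EEPROM described in the question.
import hashlib
import hmac
import math
import secrets

# DER prefix of DigestInfo for SHA-256 (RFC 8017, section 9.2, note 1).
DIGESTINFO_SHA256 = bytes.fromhex("3031300d060960864801650304020105000420")
EEPROM_BYTES = 116  # capacity of the passive token from the question


def is_probable_prime(n, rounds=32):
    """Miller-Rabin test; good enough for a demonstration key."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def generate_keypair(bits=1024):
    """Toy RSA key generation (demonstration only). Returns ((n, e), (n, d))."""
    e = 65537
    while True:
        p, q = generate_prime(bits // 2), generate_prime(bits // 2)
        n, phi = p * q, (p - 1) * (q - 1)
        if p != q and n.bit_length() == bits and math.gcd(e, phi) == 1:
            return (n, e), (n, pow(e, -1, phi))


def emsa_pkcs1_v1_5_encode(message, em_len):
    """EMSA-PKCS1-v1_5: 0x00 0x01 || PS (all 0xFF) || 0x00 || DigestInfo."""
    t = DIGESTINFO_SHA256 + hashlib.sha256(message).digest()
    if em_len < len(t) + 11:
        raise ValueError("intended encoded message length too short")
    return b"\x00\x01" + b"\xff" * (em_len - len(t) - 3) + b"\x00" + t


def sign(private_key, message):
    n, d = private_key
    k = (n.bit_length() + 7) // 8  # signature length == modulus length
    m = int.from_bytes(emsa_pkcs1_v1_5_encode(message, k), "big")
    return pow(m, d, n).to_bytes(k, "big")


def verify(public_key, message, signature):
    n, e = public_key
    k = (n.bit_length() + 7) // 8
    if len(signature) != k:
        return False
    s = int.from_bytes(signature, "big")
    if s >= n:
        return False
    em = pow(s, e, n).to_bytes(k, "big")
    return hmac.compare_digest(em, emsa_pkcs1_v1_5_encode(message, k))


def demo(bits=1024):
    """Sign a constructed token record and report the properties discussed."""
    pub, priv = generate_keypair(bits)
    # Constructed record: the serial number ties the record to one token.
    record = b"user=alice;group=staff;date=2006-01-01;serial=TOKEN-0001"
    sig1, sig2 = sign(priv, record), sign(priv, record)
    em = emsa_pkcs1_v1_5_encode(record, bits // 8)
    return {
        "signature_len": len(sig1),
        "fits_in_eeprom": len(sig1) <= EEPROM_BYTES,
        "deterministic": sig1 == sig2,
        "pad_prefix_ok": em.startswith(b"\x00\x01\xff") and b"\xff\x00" + DIGESTINFO_SHA256 in em,
        "verifies": verify(pub, record, sig1),
        "tamper_detected": not verify(pub, record.replace(b"staff", b"admin"), sig1),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it with the default 1024-bit key reports a 128-byte signature that does not fit in the 116-byte EEPROM, identical signatures on repeated signing, the fixed `00 01 FF..FF 00 DigestInfo` layout, and a failed verification once a field in the record is altered.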