Hello,
>I just want to store some authentication data - a username, group and
>date - on a "token", which only offers passive storage (116 byte
>EEPROM) without any cryptographic functions, to save a secret
>(normally a private key) from outside access. So this authentication
>data must be encrypted to prevent unauthorized modification, because
>every - maybe unauthorized - person can read and write on this
>"token".
Maybe I do not understand this correctly, but if you want to encrypt
some data with an RSA 1024-bit key then you will get 128 bytes of output
ciphertext. It is not important what padding scheme you use
(or even no padding at all); you should get 128 bytes of output from
the modular exponentiation process. So you will not be able to store
this on your token. Or I really miss something :-)

>This "token" should be used for a two-factor authentication
>process with an additional password or PIN. So, I want to use one
>private RSA key to centrally sign this data. Decentrally, I intend to
>verify the RSA signature with the corresponding public key. If the
>verification process is successfully done, then the information stored
>on the token is valid.
Ok, but in this case the token can be copied without problem.
In general this works like a mini-certificate, but so-called
certificate authentication requires not only the certificate
but the corresponding private key too. The verification process must
prove that the peer has the secret private key, and then the information
from the certificate is checked.
Or maybe the token has some unique information (like a serial number
stored in non-writable memory) which can be inserted into the user
authentication data (which is signed) to limit copying.

>The problem is that deterministic encryption methods (like RSA)
>offer the possibility of a {known, chosen}-plaintext attack,
>because the users (partially) know their own authentication data!
In this case I think this is not a problem, because this is a data
signing process. In PKCS#1, when you sign data with a private key
there is NO random information generated. All of the message that is
encrypted with the private key is known. For example, if you want to sign
some message you calculate its digest (hash, SHA-1 for example),
next you build an ASN.1 DigestInfo structure, and pad this with PKCS#1.
But this padding only adds a known block in front of DigestInfo and you
get something like this:
  0x0001FFFF.....FF00DigestInfo
and this is encrypted with the private key.
As you see, there is no random information in this case.

>My questions are very simple: Is the RSA crypto-system with random
>padding (e.g. default PKCS#1 v1.5 or OAEP) "strong enough" to
>implement such a solution or is my concept totally insecure and I
>should use e.g. an ElGamal encryption system?
As I told before, signing with PKCS#1 does not use random
padding but static padding.

Best regards,
-- 
Marek Marcola <[EMAIL PROTECTED]>
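As an added illustration of the two points made in the reply above (the encoded message is static, `00 01 FF..FF 00 DigestInfo`, and an RSA signature is always modulus-sized, so 128 bytes for a 1024-bit key will not fit in the 116-byte EEPROM), here is a small Python implementation of the EMSA-PKCS1-v1_5 encoding step for SHA-1 (RFC 3447 section 9.2). It is example code written for this page, not part of the original mail or of OpenSSL; the sample authentication string and the 116-byte token size are constructed from the thread, and the final modular exponentiation with the private key is left out since it does not change the length or the determinism.

```python
import hashlib

# DER prefix of DigestInfo for SHA-1 (RFC 3447, section 9.2, note 1):
# SEQUENCE { SEQUENCE { OID 1.3.14.3.2.26, NULL }, OCTET STRING (20 bytes) }
SHA1_DIGESTINFO_PREFIX = bytes.fromhex("3021300906052b0e03021a05000414")

# Constructed from the thread: the passive token has a 116-byte EEPROM.
TOKEN_EEPROM_BYTES = 116


def emsa_pkcs1_v1_5_encode(message: bytes, em_len: int) -> bytes:
    """Return EM = 0x00 || 0x01 || PS || 0x00 || DigestInfo for SHA-1.

    em_len is the modulus length in bytes (128 for a 1024-bit key).
    PS is a run of 0xFF bytes; nothing in EM is random, so the same
    message always produces the same EM (and the same signature).
    """
    digest_info = SHA1_DIGESTINFO_PREFIX + hashlib.sha1(message).digest()
    ps_len = em_len - len(digest_info) - 3
    if ps_len < 8:  # RFC 3447 requires at least 8 padding bytes
        raise ValueError("intended encoded message length too short")
    return b"\x00\x01" + b"\xff" * ps_len + b"\x00" + digest_info


def signature_fits_token(modulus_bits: int,
                         token_bytes: int = TOKEN_EEPROM_BYTES) -> bool:
    """A raw RSA signature is one modulus-sized integer, whatever the padding."""
    return (modulus_bits + 7) // 8 <= token_bytes


if __name__ == "__main__":
    # Constructed sample of the "username, group, date" record from the thread.
    record = b"alice:staff:2005-03-01"
    em = emsa_pkcs1_v1_5_encode(record, 128)
    print(em.hex())
    print("deterministic:", em == emsa_pkcs1_v1_5_encode(record, 128))
    print("1024-bit signature fits 116-byte token:", signature_fits_token(1024))
```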

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
