* Marek Marcola <[EMAIL PROTECTED]> wrote:
>
> Maybe I do not understand this correctly, but if you want to 
> encrypt some data with RSA 1024 bit key then you will get 128 
> bytes of output ciphertext. It is not important what padding 
> scheme you will use (or even no padding at all) you should 
> get 128 bytes output from modular exponentation process. So 
> you will not be able to store this on your token. Or I 
> really miss something :-)

Okay, I have to use a RSA 928 bit key, then I will get 116 bytes of
output ciphertext.

> Ok, but in this case token can be copied without problem.

Yes, I know. That's a big problem, but I _must_ use this "token"!

> Or maybe token has some unique information (like serial number
> stored in not writable memory) which can be inserted in user
> authentication data (which is signed) to limit copying.

Yes, this token has a not-writeable serial number, which are stored
in  ROM. And yes - because of the copying-problem - I centrally want
to sign every user authentication data (stored in 116 byte writeable
EEPROM) with one RSA (private) key.

Decentrally (in form of an Linux-PAM module), I want store the
public key, which can verify this signed user authentication data.
But moreover, I not want to sign a cryptographic hash value of this
information, I want to encode (sign) the complete plaintext
information:

[CUT=user001 authentication data on token]
my_system_user_name
group_of_my_system_user_name
2010-12-31
[CUT]

[CUT=signed authentication data of user001 (116 byte) uses PKCS#1]
0x0000 4fb4 f1b3 d6b8 55ab 0a1d dd75 07e8 8039 O.....U....u...9
0x0010 07b6 6d77 b54d 370c eee9 ab7c 0fdf 760c ..mw.M7....|..v.
0x0020 5425 00c8 80ba 74ff 4168 2aa1 d47f 0c4a T%....t.Ah*....J
0x0030 085c 4d00 4baf 8e67 9cc7 a345 276c b790 .\M.K..g...E'l..
0x0040 d829 1dbf 26ba ea23 57b2 40a6 c265 33b8 .)..&[EMAIL PROTECTED]
0x0050 5add 948f 4cca 3d20 f7c8 490b 6de2 923b Z...L.= ..I.m..;
0x0060 3afc f44b 3b0b 8bb6 cfcf b3e1 3af3 d03e :..K;.......:..>
0x0070 61e0 8e22                               a.."
[/CUT]

Is that another problem, not to sign the hash value of this
information?

> In this case I think this is not a problem because this is data
> signing process. In PKCS1 when you sign data with private key
> there is NO random information generated. All message that is
> encrypted with private key is known. For example if you want to
sign
> some message you calculate its digest (hash, SHA1 for example),
> next you build ASN.1 DigestInfo structure, and pad this with
PCKS1.
> But this padding only adds in front of DigestInfo known block and

> you get something like that:
>   0x0001FFFF.....FF00DigestInfo
> and this is encrypted with private key.
> As you see, there is no random information in this case.

That means, that padding didn't solve the problem of
known-plaintext-, chosen-plaintext-, chosen-cyphertext- or
adaptive-chosen-plaintext-attacks? What about OAEP padding?

In my point of view, if I use padding (e.g. PKCS#1 v1.5) every
chiffertext of the _same_ plaintext looks _different_?!?!

Regards,

Philippe



______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]

Reply via email to