On Sun, Sep 10, 2006 at 08:30:53AM +1000, James A. Donald wrote:
> --
> Ben Laurie wrote:
> > Subject:
> > [dnsop] BIND and OpenSSL's RSA signature forging issue
> > From:
> > Ben Laurie <[EMAIL PROTECTED]>
> > Date:
> > Fri, 08 Sep 2006 11:40:44 +0100
> > To:
> > DNSEXT WG , "(DNSSEC deploymen
| > | It is known, that given such an oracle, the attacker can ask for
| > | "decryption" of all primes less than B, and then he will be able to
| > | sign PKCS-1 encoded messages if the representative number is B-smooth,
| > | but is there any way to actually recover d itself?
|
| > RSA is multi
--
Adam Back wrote:
> Hi Ben, Travis
>
> IGE if this description summarized by Travis is
> correct, appears to be a re-invention of Anton Stiglic
> and my proposed FREE-MAC mode. However the FREE-MAC
> mode (below described as IGE) was broken back in Mar
> 2000 or maybe earlier by Gligor, Done
James A. Donald wrote:
> --
> Ben Laurie wrote:
>> Subject:
>> [dnsop] BIND and OpenSSL's RSA signature forging issue
>> From:
>> Ben Laurie <[EMAIL PROTECTED]>
>> Date:
>> Fri, 08 Sep 2006 11:40:44 +0100
>> To:
>> DNSEXT WG , "(DNSSEC deployment)"
>> <[EMAIL PROTECTED]>, dnsop@lists.uoregon.ed
Adam Back wrote:
> On Sat, Sep 09, 2006 at 09:39:04PM +0100, Ben Laurie wrote:
>>> There is some more detail here:
>>>
>>> http://groups.google.ca/group/sci.crypt/browse_thread/thread/e1b9339bf9fb5060/62ced37bb9713a39?lnk=st
>> Interesting. In fact, Gligor et al appear to have proposed IGE rather
>
> I don't follow. For RSA, the only difference between encryption and
> decryption, and public and private key, and hence between chosen
> plaintext and chosen ciphertext, is the arbitrary naming of one of
> a pair of mutually-inverse values as the "private" key and the other
> as the "public" key
--
James A. Donald:
> > One way of doing this would be for the MTA to insist
> > on a valid signature when talking to certain well
> > known MTAs, and then my MUA could whitelist mail
> > sent from those well known MTAs
Paul Hoffman wrote:
> Yes, if you are willing to throw out messages whose
--
Ben Laurie wrote:
> Subject:
> [dnsop] BIND and OpenSSL's RSA signature forging issue
> From:
> Ben Laurie <[EMAIL PROTECTED]>
> Date:
> Fri, 08 Sep 2006 11:40:44 +0100
> To:
> DNSEXT WG , "(DNSSEC deployment)"
> <[EMAIL PROTECTED]>, dnsop@lists.uoregon.edu
>
> To:
> DNSEXT WG , "(DNSSEC de
Leichter, Jerry wrote:
| It is known, that given such an oracle, the attacker can ask for
| "decryption" of all primes less than B, and then he will be able to
| sign PKCS-1 encoded messages if the representative number is B-smooth,
| but is there any way to actually recover d itself?
RSA is
On Sat, Sep 09, 2006 at 09:39:04PM +0100, Ben Laurie wrote:
> > There is some more detail here:
> >
> > http://groups.google.ca/group/sci.crypt/browse_thread/thread/e1b9339bf9fb5060/62ced37bb9713a39?lnk=st
>
> Interesting. In fact, Gligor et al appear to have proposed IGE rather
> later than this
Adam Back wrote:
> Hi Ben, Travis
>
> IGE if this description summarized by Travis is correct, appears to be
> a re-invention of Anton Stiglic and my proposed FREE-MAC mode.
> However the FREE-MAC mode (below described as IGE) was broken back in
> Mar 2000 or maybe earlier by Gligor, Donescu and I
Lance James wrote:
Agreed, and since my research is focused on online banking I can see
yours and my point, either way, SecurID should not be the only concept
for dependence.
as i've mentioned several times, in the mid-90s, the x9a10 financial
standards working group was given the task of pre