RE: 'Padding Oracle' Crypto Attack Affects Millions of ASP.NET Apps

2010-10-01 Thread Brad Hill
Kevin W. Wall wrote:
 isn't the pre-shared key version of W3C's XML Encrypt also going to be 
 to a padding oracle attack.

Any implementation that returns distinguishable error conditions for invalid 
padding is vulnerable, XML encryption no more or less so if used in such a 
manner.  But XML encryption in particular seems much less likely to be used 
in this manner than other encryption code.

The primary use case you cite for PSK, an asynchronous message bus, is 
significantly less likely to return oracular information to an attacker than a
synchronous service.  And due to the rather unfavorable performance of
XML encryption, in practice it is rarely used for synchronous messages.  
Confidentiality for web service calls is typically provided for at the transport
layer rather than the message layer.  SAML tokens used in redirect-based
sign-on protocols are the only common use of XML encryption I'm aware 
of where the recipient might provide a padding oracle, but these messages
are always signed as well.

Brad Hill

The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to

Re: 2048 bits, damn the electrons! [ [ #2354] [PATCH] Increase Default RSA Key Size to 2048-bits]

2010-10-01 Thread Samuel Neves
 On 01-10-2010 02:41, Victor Duchovni wrote:
 Should we be confident that 4-prime RSA is stronger at 2048 bits than
 2-prime is at 1024? At the very least, it is not stronger against ECM
 (yes ECM is not effective at this factor size) and while GNFS is not
 known to benefit from small factors, is this enough evidence that
 4-prime 2048-bit keys are effective?

It is slightly stronger than RSA-1024 against ECM, since ECM is then
performed modulo a 2048 bit value instead of a 1024 bit one. This slows
down arithmetic by a factor between 3 and 4 (Karatsuba vs Schoolbook
multiplication). Further, there are now 3 factors to find by ECM instead
of just 1.

Going by asymptotic complexities, factoring 4-prime RSA-2048 by NFS
should cost around 2^116 operations. Using ECM to find a 512-bit prime
costs around 2^93 elliptic curve group additions (add arithmetic cost
here). Factoring RSA-1024 by NFS costs around 2^80 operations.

Thus, I believe that 4-prime RSA-2048 is slightly easier than 2-prime
RSA-2048, but still significantly harder than RSA-1024.

Best regards,
Samuel Neves

The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to