### RE: 'Padding Oracle' Crypto Attack Affects Millions of ASP.NET Apps

Kevin W. Wall wrote: isn't the pre-shared key version of W3C's XML Encrypt also going to be vulnerable to a padding oracle attack. Any implementation that returns distinguishable error conditions for invalid padding is vulnerable, XML encryption no more or less so if used in such a manner. But XML encryption in particular seems much less likely to be used in this manner than other encryption code. The primary use case you cite for PSK, an asynchronous message bus, is significantly less likely to return oracular information to an attacker than a synchronous service. And due to the rather unfavorable performance of XML encryption, in practice it is rarely used for synchronous messages. Confidentiality for web service calls is typically provided for at the transport layer rather than the message layer. SAML tokens used in redirect-based sign-on protocols are the only common use of XML encryption I'm aware of where the recipient might provide a padding oracle, but these messages are always signed as well. Brad Hill - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to majord...@metzdowd.com

### Re: 2048 bits, damn the electrons! [...@openssl.org: [openssl.org #2354] [PATCH] Increase Default RSA Key Size to 2048-bits]

On 01-10-2010 02:41, Victor Duchovni wrote: Should we be confident that 4-prime RSA is stronger at 2048 bits than 2-prime is at 1024? At the very least, it is not stronger against ECM (yes ECM is not effective at this factor size) and while GNFS is not known to benefit from small factors, is this enough evidence that 4-prime 2048-bit keys are effective? It is slightly stronger than RSA-1024 against ECM, since ECM is then performed modulo a 2048 bit value instead of a 1024 bit one. This slows down arithmetic by a factor between 3 and 4 (Karatsuba vs Schoolbook multiplication). Further, there are now 3 factors to find by ECM instead of just 1. Going by asymptotic complexities, factoring 4-prime RSA-2048 by NFS should cost around 2^116 operations. Using ECM to find a 512-bit prime costs around 2^93 elliptic curve group additions (add arithmetic cost here). Factoring RSA-1024 by NFS costs around 2^80 operations. Thus, I believe that 4-prime RSA-2048 is slightly easier than 2-prime RSA-2048, but still significantly harder than RSA-1024. Best regards, Samuel Neves - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to majord...@metzdowd.com