Re: adding noise blob to data before signing

2002-08-12 Thread bear



On 10 Aug 2002, Eric Rescorla wrote:

> It's generally a bad idea to sign RSA data directly. The RSA
> primitive is actually quite fragile. At the very least you should
> PKCS-1 pad the data.
>
> -Ekr

This is true.  Cyclopedia Cryptologia has a short article detailing
some of the attacks against direct use of RSA.

http://www.disappearing-inc.com/R/rsa.html

is a good URL if you want to read it.

Ray



-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]



Re: adding noise blob to data before signing

2002-08-10 Thread Derek Atkins

Eugen Leitl [EMAIL PROTECTED] writes:

> 1) What's the name of the technique of salting/padding a small integer
> I'm signing with random data?

Blinding?  Padding?  It depends on what you are trying to accomplish.

> 2) If I'm signing above short (~1 kBit) sequences, can I sign them
> directly, or am I supposed to hash them first? (i.e. does the presence
> of an essentially fixed field weaken the signature)

It depends on the signature algorithm.  With RSA you can sign any
message directly if said message is smaller than the public key size
(N).  DSA, however, requires the use of a hash.

Note that, in the grand scheme of things, performing the public key
operation is significantly slower than performing the hash, so it
really doesn't hurt you computationally to perform the hash.  OTOH,
your signature strength still depends on the strength of your hash.

-derek

-- 
   Derek Atkins
   Computer and Internet Security Consultant
   [EMAIL PROTECTED] www.ihtfp.com




Re: adding noise blob to data before signing

2002-08-10 Thread Nomen Nescio

Eugen Leitl asked:

> 1) What's the name of the technique of salting/padding a small integer
> I'm signing with random data?

You shouldn't need to salt/pad with random data, fixed data should be
OK.

> 2) If I'm signing above short (~1 kBit) sequences, can I sign them
> directly, or am I supposed to hash them first? (i.e. does the presence
> of an essentially fixed field weaken the signature)

Derek Atkins replied:

> It depends on the signature algorithm.  With RSA you can sign any
> message directly if said message is smaller than the public key size
> (N).  DSA, however, requires the use of a hash.

Actually, depending on the data being signed, it can be important to
hash for RSA.  After all, RSA is existentially forgeable: anyone can
forge a signature on a *random* value (if C=M^e mod n, then M is a
signature on C).  They might be able to try some large number of sigs
until they got a random value which looked enough like legitimate data
to be accepted - especially possible if the 1kbit value being signed
holds dense, random-ish binary data.




Re: adding noise blob to data before signing

2002-08-10 Thread Derek Atkins

Nomen Nescio [EMAIL PROTECTED] writes:

> Derek Atkins replied:
> > It depends on the signature algorithm.  With RSA you can sign any
> > message directly if said message is smaller than the public key size
> > (N).  DSA, however, requires the use of a hash.
>
> Actually, depending on the data being signed, it can be important to
> hash for RSA.  After all, RSA is existentially forgeable: anyone can
> forge a signature on a *random* value (if C=M^e mod n, then M is a
> signature on C).  They might be able to try some large number of sigs
> until they got a random value which looked enough like legitimate data
> to be accepted - especially possible if the 1kbit value being signed
> holds dense, random-ish binary data.

Let me be clear: I implied (but clearly I should have been explicit)
that PKCS#1 padding should be used, not raw RSA.  The problem with
raw RSA is that you can combine multiple encryptions into new
encryptions.  Using PKCS padding inside the RSA signature foils the
multiplication attack.  So, sure, your message can only be
N-(sizeof(pkcs#1)) bits, not N bits.  However you still do not
need a hash.

-derek

-- 
   Derek Atkins
   Computer and Internet Security Consultant
   [EMAIL PROTECTED] www.ihtfp.com

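As an added example that is not part of the thread, the two forgeries discussed above (Nomen Nescio's "pick M, publish M^e mod n" existential forgery and the multiplicative combination Derek refers to) carried out in Python against a toy key, alongside the PKCS#1 v1.5 block-type-1 check that rejects both. The key (two Mersenne primes, far too small for real use), the sample messages and all function names are constructed for this example; a deployment would use a standard library and a proper modulus.

```python
"""Raw ("textbook") RSA signatures versus PKCS#1 v1.5 padded signatures.

Added example, not code from the thread. Key, messages and function names
are constructed here; the modulus is a toy and must not be used for anything.
"""

# Toy key (constructed): p = 2^107 - 1 and q = 2^127 - 1 are Mersenne primes,
# so no prime generation is needed and the script runs offline.
P = (1 << 107) - 1
Q = (1 << 127) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (Python 3.8+ modular inverse)
K = (N.bit_length() + 7) // 8       # modulus length in bytes: 30


# ---- Raw RSA: the integer itself is signed, no padding, no hash ------------
def raw_sign(m):
    return pow(m, D, N)


def raw_verify(m, s):
    return 0 <= m < N and pow(s, E, N) == m


def existential_forgery(s):
    """Without the private key: pick any s, then (s^e mod n, s) verifies."""
    return pow(s, E, N), s


def multiplicative_forgery(m1, s1, m2, s2):
    """From two valid raw signatures, build a valid one on m1*m2 mod n."""
    return (m1 * m2) % N, (s1 * s2) % N


# ---- PKCS#1 v1.5 block type 1: 00 01 FF..FF 00 || data ---------------------
def pkcs1_encode(data):
    if len(data) > K - 11:
        raise ValueError("data too long: at most %d bytes" % (K - 11))
    ps = b"\xff" * (K - 3 - len(data))       # padding string, always >= 8 bytes
    return int.from_bytes(b"\x00\x01" + ps + b"\x00" + data, "big")


def pkcs1_decode(em):
    """Return the payload if em is a well-formed block, otherwise None."""
    block = em.to_bytes(K, "big")
    if block[:2] != b"\x00\x01":
        return None
    i = 2
    while i < K and block[i] == 0xFF:
        i += 1
    if i - 2 < 8 or i >= K or block[i] != 0x00:
        return None
    return block[i + 1:]


def padded_sign(data):
    return raw_sign(pkcs1_encode(data))


def padded_verify(data, s):
    # Decode the block structure, then require an exact match with the claimed data.
    return pkcs1_decode(pow(s, E, N)) == data


def demo():
    """Run both forgeries against raw RSA and against the padded scheme."""
    results = {}

    # Forgery 1: needs no signatures at all, only the public key.
    m, s = existential_forgery(0x1234567890ABCDEF)
    results["forged_raw_verifies"] = raw_verify(m, s)                 # True
    results["forged_value_is_padded"] = pkcs1_decode(m) is not None   # False

    # Forgery 2: attacker holds raw signatures on two constructed values.
    m1, m2 = 1000003, 2000003
    m3, s3 = multiplicative_forgery(m1, raw_sign(m1), m2, raw_sign(m2))
    results["product_raw_verifies"] = raw_verify(m3, s3)              # True

    # The same algebra against padded signatures on two constructed messages:
    # the relation s1*s2 = sig(em1*em2) still holds, but em1*em2 mod n is not
    # a well-formed block, so no message decodes from it.
    d1, d2 = b"pay 10 to bob", b"pay 20 to bob"
    em3, s3p = multiplicative_forgery(
        pkcs1_encode(d1), padded_sign(d1), pkcs1_encode(d2), padded_sign(d2))
    results["product_relation_holds"] = raw_verify(em3, s3p)          # True
    results["product_is_padded"] = pkcs1_decode(em3) is not None      # False

    # A legitimate padded signature on short data still verifies without a hash.
    results["legit_padded_verifies"] = padded_verify(d1, padded_sign(d1))  # True
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print("%-26s %s" % (name, value))
```

The padding check is what does the work: a verifier that only compares s^e mod n against a claimed integer accepts both forgeries, while one that insists on the 00 01 FF..FF 00 structure rejects the attacker's random-looking values. The payload limit of K-11 bytes (here 19) is the N-(sizeof(pkcs#1)) bound from the thread; anything longer still needs to be hashed first, and a fixed-structure payload gives the attacker's "looks enough like legitimate data" search far less room than dense random bytes would.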