bram (bram@gawth.com)
Tue, 30 Jun 1998 15:34:58 -0700 (PDT)
On Tue, 30 Jun 1998, Joshua Hill wrote:

> How is this adaptive attack performed? (what relationship gives a
> good chance of the new r_i also being a "good" guess?)

It unfortunately takes some poking to find the actual technical paper.
It's at:

http://www.rsa.com/rsalabs/pkcs1/bulletin7.html

Information can be inferred by throwing random things at the decrypter and
noting which ones don't spew out error messages. Very clever. Fortunately
it can be stopped just by checking for all possible error conditions
(which should have been done to begin with anyway) and giving the same
error message regardless of what the error is (and taking the same amount
of time for all of them.)

A very clever attack.

-Bram
The following archive was created by hippie-mail 7.98617-22 on Fri Aug 21 1998 - 17:19:16 ADT
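
The countermeasure described in the message above (check every error condition, report one error, do the same work for each), sketched in C as an added example that is not part of the original post or the RSA bulletin. The function name, return codes and sample block are assumptions; the block layout checked is the PKCS #1 v1.5 encryption padding.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PKCS1_OK    0
#define PKCS1_FAIL (-1)  /* single error code for every malformed block */

/* Branch-free helpers: all-ones when true, 0 when false (inputs < 2^31). */
static uint32_t ct_is_zero(uint32_t x) { return 0u - ((~x & (x - 1u)) >> 31); }
static uint32_t ct_lt(uint32_t a, uint32_t b) { return 0u - ((a - b) >> 31); }

/*
 * Check a decrypted block EM = 0x00 || 0x02 || PS (>= 8 nonzero) || 0x00 || M
 * of k bytes. Every condition is evaluated on every call, the whole block is
 * always scanned, and the caller only ever sees PKCS1_OK or PKCS1_FAIL.
 * On success *msg_off / *msg_len locate M inside em; on failure both are 0.
 */
int pkcs1_v15_check_uniform(const uint8_t *em, size_t k,
                            size_t *msg_off, size_t *msg_len)
{
    uint32_t bad, found = 0, sep = 0;
    *msg_off = 0;
    *msg_len = 0;
    if (k < 11 || k > 0xFFFF)      /* k is the public modulus size, not secret */
        return PKCS1_FAIL;
    bad  = ~ct_is_zero(em[0]);             /* leading byte must be 0x00 */
    bad |= ~ct_is_zero(em[1] ^ 0x02u);     /* block type must be 0x02 */
    for (size_t i = 2; i < k; i++) {       /* no early exit on a bad byte */
        uint32_t z = ct_is_zero(em[i]);
        sep   |= z & ~found & (uint32_t)i; /* remember the first 0x00 only */
        found |= z;
    }
    bad |= ~found;                         /* no 0x00 separator at all */
    bad |= ct_lt(sep, 10);                 /* fewer than 8 padding bytes */
    /* Select outputs with the mask instead of branching on the failure kind. */
    *msg_off = (size_t)((sep + 1u) & ~bad);
    *msg_len = (size_t)(((uint32_t)k - sep - 1u) & ~bad);
    return -(int)(bad & 1u);
}

int main(void)
{
    /* Constructed sample block, not real decrypted data. */
    uint8_t em[16] = {0x00, 0x02, 1, 2, 3, 4, 5, 6, 7, 8, 0x00, 'h', 'e', 'l', 'l', 'o'};
    size_t off, len;
    int rc = pkcs1_v15_check_uniform(em, sizeof em, &off, &len);
    printf("rc=%d off=%zu len=%zu\n", rc, off, len);
    return 0;
}
```

The compiled output and whatever the caller does after a failure need the same treatment, otherwise a timing or behavioural difference can reappear outside this function.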