Lewis McCarthy (lmccarth@cs.umass.edu)
Tue, 30 Jun 1998 18:20:19 -0400
Josh Hill writes:
> How is this adaptive attack performed? (What relationship gives a
> good chance of the new r_i also being a "good" guess?)
>
> Also, it mentions that you can infer bits from 'm' using these
> "good" guesses. How is this done?
I'm under the impression that the security vendors involved want to
give PKCS#1 users some time to react before they post full attack
details on (e.g.) the web. At the moment they're releasing a
description that gives a good general idea of the form of the
attack, i.e. that it's an adaptive chosen ciphertext attack
requiring about 2^20 chosen ciphertexts. People with deployed
systems that use PKCS#1 can get a sense of the extent to which they
may be vulnerable to the new attack. But they're not revealing
(yet) how to carry out an actual attack.
<http://www.rsa.com/rsalabs/pkcs1>
IMHO this strikes a good balance between pretending there's no
problem ("hear no evil, speak no evil") and starting a race between
the crackers and the system defenders. This way the defenders get a
head start.
In the meantime, figuring out exactly how Bleichenbacher's attack
works seems to be an exercise left to the reader. :-)
-Lewis
http://www.cs.umass.edu/~lmccarth