applied cryptography - protocols, algorithms, and source code in c

Instead of squaring the plaintext message cube it the

Info iconThis preview shows page 1. Sign up to view the full content.

View Full Document Right Arrow Icon
This is the end of the preview. Sign up to access the rest of the document.

Unformatted text preview: ’s Trent’s public key and must be public to verify his signatures. Then he computes m = ym’ mod n, and sends m to Trent to sign. Trent returns m’d mod n. Now Mallory calculates (md mod n)x-1 mod n, which equals n’d mod n and is the signature of m’. Actually, Mallory can use several methods to accomplish these same things [423, 458, 486]. The weakness they all exploit is that exponentiation preserves the multiplicative structure of the input. That is: (xm)d mod n = xdmd mod n Scenario 3: Eve wants Alice to sign m3 . She generates two messages, m1 and m2, such that m3 a m1m2 (mod n) If Eve can get Alice to sign m1 and m2, she can calculate m3: m3d = (m1d mod n)(m2d mod n ) Previous Table of Contents Next Products | Contact Us | About Us | Privacy | Ad Info | Home Use of this site is subject to certain Terms & Conditions, Copyright © 1996-2000 EarthWeb Inc. All rights reserved. Reproduction whole or in part in any form or medium without express written permission of EarthWeb is prohibited. Read EarthWeb's privacy statement. To access the contents, click the chapter and section titles. Applied Cryptography, Second Edition: Protocols, Algorthms, and Source Code in C (cloth) Go! Keyword Brief Full Advanced Search Search Tips (Publisher: John Wiley & Sons, Inc.) Author(s): Bruce Schneier ISBN: 0471128457 Publication Date: 01/01/96 Search this book: Go! Previous Table of Contents Next ----------- Moral: Never use RSA to sign a random document presented to you by a stranger. Always use a one-way hash function first. The ISO 9796 block format prevents this attack. Common Modulus Attack on RSA A possible RSA implementation gives everyone the same n, but different values for the exponents e and d. Unfortunately, this doesn’t work. The most obvious problem is that if the same message is ever encrypted with two different exponents (both having the same modulus), and those two exponents are relatively prime (which they generally would be), then the plaintext can be re...
View Full Document

This note was uploaded on 10/18/2010 for the course MATH CS 301 taught by Professor Aliulger during the Fall '10 term at Koç University.

Ask a homework question - tutors are online