Re: [TLS] NIST TLS recommendations (PKCS#1 encryption attacks)



On Tue, Nov 28, 2006 at 11:53:25AM +0000, Dr Stephen Henson wrote:
> Pasi.Eronen at nokia.com wrote:

>> The most resource-consuming part of the handshake is the RSA
>> decryption, and this we have to do before we can detect any padding
>> errors. So I'm not sure if continuing the handshake really makes the
>> situation any worse DoS-wise...
>> 
>> (Especially remembering that we don't have any good alternatives;
>> reporting the error leads to revealing your private key.)

> Does it? I thought a successful attack revealed a premaster secret, not
> the actual private key.

True: the attack allows an adversary to *use* your private key, but not
to *obtain* it.

(No-one knows for sure if an oracle that computes e-th roots modulo
some composite integer n, which is what RSA decryption does, can be
used to obtain the inverse of e modulo phi(n) or -- equivalently -- to
factor n.  Thus, there is no known algorithm to use an RSA decryption
oracle, such as the one involved in the Bleichenbacher attack,
to obtain the private RSA key.)

Bodo
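
The server behaviour discussed in this thread (continue the handshake instead of reporting a padding error), sketched as an added example that is not part of the original messages or of any TLS implementation. The demo key, the function names and the sample values are constructed assumptions for illustration.

```python
import hmac
import secrets

# Constructed demo key built from two Mersenne primes: illustration only, not a secure key.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8          # modulus length in bytes
PMS_LEN = 48                           # TLS premaster secret: 2 version bytes + 46 random

def pad_pms(pms: bytes) -> bytes:
    """PKCS#1 v1.5 encryption block: 00 02 <nonzero padding> 00 <message>."""
    ps = bytes(secrets.randbelow(255) + 1 for _ in range(K - 3 - len(pms)))
    return b"\x00\x02" + ps + b"\x00" + pms

def encrypt_block(block: bytes) -> bytes:
    """Client side: raw RSA over an already formatted K-byte block."""
    return pow(int.from_bytes(block, "big"), E, N).to_bytes(K, "big")

def premaster_from_cke(ciphertext: bytes, client_version: bytes) -> bytes:
    """Server side: always returns 48 bytes and never reports a padding failure."""
    fallback = secrets.token_bytes(PMS_LEN)        # drawn before looking at the plaintext
    ok = len(ciphertext) == K
    em = pow(int.from_bytes(ciphertext, "big") % N, D, N).to_bytes(K, "big")
    sep = K - PMS_LEN - 1                          # only position where the 00 separator may sit
    ok &= hmac.compare_digest(em[:2], b"\x00\x02")
    ok &= 0 not in em[2:sep]
    ok &= em[sep] == 0
    ok &= hmac.compare_digest(em[sep + 1:sep + 3], client_version)
    # Python big-integer arithmetic is not constant time; this shows the control flow only.
    return em[sep + 1:] if ok else fallback

if __name__ == "__main__":
    version = b"\x03\x01"                          # constructed sample: TLS 1.0
    pms = version + secrets.token_bytes(46)
    good = encrypt_block(pad_pms(pms))
    bad = encrypt_block(b"\x00\x01" + pad_pms(pms)[2:])
    print("valid padding recovers PMS:", premaster_from_cke(good, version) == pms)
    print("bad padding yields 48 bytes:", len(premaster_from_cke(bad, version)))
```

With a substituted random premaster secret the handshake fails later at the Finished check, the same way it would for any wrong key, so the peer sees no response that is specific to the padding.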

