undefined | Better HN

0 pointswoodruffw3y ago0 comments

> In what sense? If someone signs a package with, say, a RSA key, how is that behind in some way?

OpenPGP specifies PKCS#1 v1.5 for RSA padding. Attacks on PKCS#1 v1.5 have been well understood for over 20 years[1]; every few years, someone finds a new one.

RSA itself is well-known for having weird number-theoretic problems that implementations have failed to respect, to catastrophic effects. Best practice for algorithm selection is to pick algorithms where users can't compromise the integrity of the scheme through poor public parameter selection; RSA forces the user to pick a public modulus and exponent, leading to all kinds of silly things that actually happen[2].

Edit: Correcting myself: most attacks on v1.5 padding concern encryption, not signatures. The general fragility argument remains, however.

[1]: https://en.wikipedia.org/wiki/PKCS_1#Attacks

[2]: https://news.ycombinator.com/item?id=5993959

0 comments

2 comments · 1 top-level

upofadown3y ago· 1 in thread

Exactly how is PKCS#1 v1.5 vulnerable in PGP usage? You might be confusing PGP usage with encrypted pipe applications like TLS.

>RSA forces the user to pick a public modulus and exponent, leading to all kinds of silly things that actually happen[

What PGP implementation forces the user to pick the public modulus and exponent?

Avamander3y ago

> Exactly how is PKCS#1 v1.5 vulnerable in PGP usage?

Something that is often misused in a way that compromises security really needs to be proven secure rather than the opposite.

j / k navigate · click thread line to collapse