
Re: new IKE draft



Matt Thomas writes:
>>> (Also what happens in the non-Revised mode if the identification payload is
>>> larger than what can be encrypted via the RSA modulus?)

Good question. 
How do existing implementations behave when this situation arises? 
I presume there are routine length checks in place 
to calculate the PKCS#1 padding length and avoid buffer overflows. 
Is the exchange aborted, are some bits of the ID payload ignored (bad),
is the ID payload silently reduced mod N by the crypto engine before
encryption (bad) ?? 

For encryption, PKCS #1 focuses on the common use of RSA to provide a "digital
envelope" bearing a key for a conventional symmetric cipher. 
Secure RSA modulus and symmetric key sizes being what they are, the 
issue of plaintext that exceeds the block size just doesn't arise in that
situation.
I'm not aware of any standard that specifies the use of pure RSA for multi-block
encryption, presumably in some CBC-like block chaining mode.

I think the right way to fix this problem is to prohibit use of the "original"
Authentication with Public Key Encryption method if RSA encryption is used and
the length of the ID payload exceeds the data length limit specified in
Section 8 of PKCS #1. If this condition is discovered after the method
of 5.2 has been proposed (and maybe even accepted), the exchange must
be aborted and a different authentication method negotiated. If only
the responder encountered a length problem, then the initiator might
propose use of Auth. with PK Encryption again. *sigh* I'm not sure whether
there's a good Notify message type for the responder to send in this case.
Maybe Invalid-Exchange-Type or Invalid-Key-Information?

Comments?

Incidentally, there doesn't seem to be a bibliographic reference in the 
draft for PKCS #1:

   [RSA93] RSA Laboratories, "PKCS #1: RSA Encryption Standard", 
   version 1.5, RSA Data Security, Inc. Public-Key Cryptography 
   Standards (PKCS), November 1993, 
   ftp://ftp.rsa.com/pub/pkcs/ascii/pkcs-1.asc

-Lewis  <pseudonym@acm.org>  <http://www.cs.umass.edu/~lmccarth>
"damn good...and very dangerous" --P.M. Netanyahu, of Ehud Tenebaum
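As an added illustration of the length check discussed above (example code, not from the post or from any IKE implementation): PKCS #1 v1.5 block type 2 allows at most k-11 octets of data for a k-octet modulus, and the functions below encode and decode such a block and refuse, rather than truncate or reduce, an ID payload that does not fit. The modulus size and the sample payloads are constructed for the demonstration.

```python
import os

# EB = 00 || 02 || PS || 00 || D, with PS at least 8 nonzero random octets
PKCS1_V15_OVERHEAD = 11


class PayloadTooLong(ValueError):
    """Raised instead of silently truncating or reducing the data mod N."""


def pkcs1_v15_max_data_len(modulus_bits: int) -> int:
    """Largest data length the block type 2 format admits for this modulus."""
    k = (modulus_bits + 7) // 8
    return k - PKCS1_V15_OVERHEAD


def pkcs1_v15_encode(data: bytes, modulus_bits: int) -> bytes:
    """Build the k-octet encryption block, or refuse if the data is too long."""
    k = (modulus_bits + 7) // 8
    if len(data) > k - PKCS1_V15_OVERHEAD:
        raise PayloadTooLong(f"{len(data)} octets > limit of {k - PKCS1_V15_OVERHEAD}")
    ps_len = k - 3 - len(data)          # guaranteed >= 8 by the check above
    ps = bytearray()
    while len(ps) < ps_len:              # padding string must contain no zero octets
        ps.extend(b for b in os.urandom(ps_len - len(ps)) if b != 0)
    return b"\x00\x02" + bytes(ps) + b"\x00" + data


def pkcs1_v15_decode(eb: bytes, modulus_bits: int) -> bytes:
    """Recover D from a block type 2 encryption block, validating its structure."""
    k = (modulus_bits + 7) // 8
    if len(eb) != k or eb[:2] != b"\x00\x02":
        raise ValueError("not a block type 2 encryption block")
    sep = eb.find(b"\x00", 2)
    if sep < 2 + 8:                      # fewer than 8 padding octets, or no separator
        raise ValueError("malformed padding")
    return eb[sep + 1:]


def ike_id_payload_fits(id_payload: bytes, modulus_bits: int) -> bool:
    """Decision the post argues for: proceed with the original public-key
    encryption method only if the ID payload fits in one RSA block; otherwise
    the exchange must be aborted and another authentication method negotiated."""
    return len(id_payload) <= pkcs1_v15_max_data_len(modulus_bits)


if __name__ == "__main__":
    # constructed sample: a 1024-bit modulus admits at most 117 octets of data
    small_id, big_id = b"x" * 100, b"x" * 200
    print(ike_id_payload_fits(small_id, 1024), ike_id_payload_fits(big_id, 1024))
```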

