[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: rsa public keys

On Mon, 4 Aug 1997, Carl Ellison wrote:

> If all you care about, in your definition of "principal", is
> "the person who knows the secret", then just the modulus is enough to
> identify that person. 

I don't think that a modulus alone can securely speak for its owner.
Eve could associate e=1, e=0, e=2, e=-1 or some other cooked exponent with
a modulus. 

> If you want to identify a key as rsa-pkcs1 rather than rsa-pkcs1-md5,
> why not just "rsa" and let the pkcs1 (input formatting) be left independent
> of the key?

I can't see any reason for doing that. PKCS#1 doesn't allow Chaum's blind
signatures, but a principal key (which is a "regular" signature key)
should not be used for blind signatures anyway. 

The level of security would decrease as we could not be sure what
input formatting was used. It really doesn't matter if we can't be sure
what hash function was used, because the chance of sha1 <-> md5
collisions ( i.e. having x and y so that  md5(x) = sha1(y) ) is minimal.

- Markku-Juhani Saarinen <mjos@ssh.fi>