[2755] in cryptography@c2.net mail archive

Re: Secure Office

daemon@ATHENA.MIT.EDU (Bill Stewart)
Wed May 27 08:17:44 1998

Date: Tue, 26 May 1998 23:24:40 -0700
To: Mok-Kong Shen <mok-kong.shen@stud.uni-muenchen.de>, cryptography@c2.net
From: Bill Stewart <bill.stewart@pobox.com>
In-Reply-To: <35692670.37A68643@stud.uni-muenchen.de>

At 10:06 AM 5/25/98 +0100, Mok-Kong Shen wrote:
>Derek Atkins wrote:
>> As for factoring attacks, well, you might as well brute-force the IDEA
>> keys in use too -- it's about as difficult!  

If there are a small number of reasonable messages, you _can_
brute-force RSA - just try encrypting each of them, 
and see which matches.  This doesn't work when the RSA is used
to encrypt a random session key with enough entropy,
or when messages are padded with random padding,
but there are times the attack can work,
such as encrypting a quantity of money to deposit,
which only has a billion or so likely values.

>> I don't see this as a
>> valid excuse for not publishing your public key.  The only excuse I
>> _can_ see is the same reason to have an unpublished phone number --
>> you don't want random unknowns to send you random encrypted messages.
>> Yeah traffic analysis.
>
>If a public key serves for messages from only a limited circle of
>correspondents then there is no reason why it should be widely known.
>In general there is the principle of limiting knowledge in any
>field to those who have a 'need to know' in order to enhance security. 
>Anything, however minute, that adds to the workload of the analyst 
>can be of value.

There are protocols which build public keys for short-term use;
there's no reason the public-key-of-the-hour needs to be distributed
beyond the senders and recipients of a mail message it's protecting,
though the public key or protocol parts may be signed with a 
long-duration public key.
				Thanks! 
					Bill
Bill Stewart, bill.stewart@pobox.com
PGP Fingerprint D454 E202 CBC8 40BF  3C85 B884 0ABE 4639
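
Added example, not part of the original message: a sketch of why unpadded RSA over a small message space can be matched by re-encrypting candidates with the public key, and why fresh random padding removes the match. The toy key (built from two Mersenne primes), the function names and the simplified padding layout are assumptions made for illustration; real systems use a standard scheme such as RSA-OAEP.

```python
import secrets

# Constructed toy key: two Mersenne primes give a ~196-bit modulus.
# Far too small for real use; chosen only so the example runs offline.
P, Q = 2**89 - 1, 2**107 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (Python 3.8+)

MSG_BITS = 32  # deposit amounts up to ~4 billion fit in 32 bits


def encrypt_textbook(m: int) -> int:
    """Deterministic RSA: the same plaintext always gives the same ciphertext."""
    return pow(m, E, N)


def encrypt_padded(m: int, pad_bits: int = 128) -> int:
    """Prefix fresh random bits to the message before encrypting.

    Simplified stand-in for a real padding scheme (assumption, not OAEP).
    """
    r = secrets.randbits(pad_bits)
    return pow((r << MSG_BITS) | m, E, N)


def decrypt_padded(c: int) -> int:
    """Key holder recovers the message by discarding the random prefix."""
    return pow(c, D, N) & ((1 << MSG_BITS) - 1)


def guess_plaintext(ciphertext: int, candidates) -> "int | None":
    """Encrypt each likely message with the public key and compare."""
    for m in candidates:
        if encrypt_textbook(m) == ciphertext:
            return m
    return None


if __name__ == "__main__":
    amount = 12_500                  # constructed sample deposit
    likely = range(0, 20_001)        # constructed small message space
    print("unpadded:", guess_plaintext(encrypt_textbook(amount), likely))
    print("padded:  ", guess_plaintext(encrypt_padded(amount), likely))
    print("decrypts:", decrypt_padded(encrypt_padded(amount)))
```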