|
|
|
|
|
|
by pxx
722 days ago
|
|
|
this analysis does not seem particularly good and seems to be written for maximum hype value instead of correctness. e.g.: > The first issue is the absolute disregard for any of the standards related to RSA key usage. Encrypting with the private key and decrypting with the public key is usually only done in the context of signing/verifying. but... you are doing a verification at this stage. this is how public-key encryption works. but since the data is so short, the "signature" is just the data itself instead of a (essentially) a hash of it. the stuff about pkcs#1 1.5 likewise is irrelevant. there's no way to get a padding oracle, and the Bleichenbacher '06 signature forgery scheme seems to be an attack on a bad signature verification algorithm and not an issue with the primitive. but we're not using signature verification here. |
|
|
- I agree that the section on pkcs#1 is at this point irrelevant, I left it in just to mention that fact. But I will probably take it out now :)
- Concerning the part of misusing RSA: My understanding is that you usually append the signature at the end, after a copy of the data which is not done here. I believe they are misusing it here because no library for RSA supports this use case, to decrypt using a public key you always have to provide the message and signature. This isn't possible here because the message is encrypted. So I think they are misusing RSA.