Sunday, September 22, 2013

RSA: BSafe is not safe !

There is, however, one tiny little exception to this rule. What if P and Q aren't entirely random values? What if you chose them yourself specifically so you'd know the mathematical relationship between the two points?

In this case it turns out you can easily compute the next PRG state after recovering a single output point (from 32 bytes of RNG output). This means you can follow the equations through and predict the next output. And the next output after that. And on forever and forever.****

This is a huge deal in the case of SSL/TLS, for example.
In the worst case a modestly bad but by no means worst case, the NSA may be able to intercept SSL/TLS connections made by products implemented with BSafe.

Comments: Post a Comment

<< Home

This page is powered by Blogger. Isn't yours?