Anonymous (nobody@replay.com)
Fri, 5 Feb 1999 02:00:39 +0100
That's an interesting idea, to use an RSA key whose modulus is not known
to the attacker. It would not be necessary for both sides to know the
secret part; they could simply be using an RSA key where one party gave
the public part to the other in a private meeting. People do this kind of
thing all the time, exchanging floppies with their public keys on them.
The Wassenaar arrangement, which is supposed to eventually regulate
crypto exports from most Western countries, has prohibitions worded
something like this:
: 5. A. 2. a. 1. Designed or modified to use "cryptography" employing
: digital techniques performing any cryptographic function other than
: authentication or digital signature having any of the following:
: Technical Notes
: 1. Authentication and digital signature functions include their
: associated key management function.
: 2. Authentication includes all aspects of access control where there
: is no encryption of files or text except as directly related to the
: protection of passwords, Personal Identification Numbers (PINs) or
: similar data to prevent unauthorised access.
: 3. "Cryptography" does not include "fixed" data compression or coding
: techniques.
:
: Note 5.A.2.a.1. includes equipment designed or modified to use
: "cryptography" employing analogue principles when implemented with
: digital techniques.
:
: 5. A. 2. a. 1. a. A "symmetric algorithm" employing a key length in
: excess of 56-bits; or
: b. An "asymmetric algorithm" where the security of the algorithm is
: based on any of the following:
: 1. Factorisation of integers in excess of 512-bits (e.g., RSA);
: 2. Computation of discrete logarithms in a multiplicative group of a
: finite field of size greater than 512-bits (e.g., Diffie-Hellman
: over Z/pZ); or
: 3. Discrete logarithms in a group other than mentioned in
: 5.A.2.a.1.b.2. in excess of 112-bits (e.g., Diffie-Hellman over an
: elliptic curve);
Suppose you had a pure-RSA encryption system (no complicating factors
like fancy packaging transforms), or pure ElGamal, or Blum-Blum-Shub as
a stream cipher (based on factoring), with keys no more than 512 bits.
For key management you do something like PGP, a key ring each person
owns. That sounds natural enough. By the above rules, such a system
would seem to be exportable.
But if the RSA public key is exchanged manually, such as at a private
meeting (which should be legal), then the task of decrypting the RSA
ciphertext seems to be impossible. Even accumulating many messages
would only give a hint as to the upper few bits of the RSA modulus.
Without knowing the rest, factorization should not be possible.
It would be interesting to see whether a pure public-key encryption
system which works in this rather simple manner would be exportable.
The NSA might require that the public modulus be incorporated somehow
into each outgoing message.
The following archive was created by hippie-mail 7.98617-22 on Sat Apr 10 1999 - 01:18:26