[cryptography] Why using asymmetric crypto like symmetric crypto isn't secure

Joss Wright joss-cryptography at pseudonymity.net
Sat Nov 3 08:29:08 EDT 2012


On Sat, Nov 03, 2012 at 12:50:47PM +0100, Ralph Holz wrote:
> Hi,
> 
> > In the past there have been a few proposals to use asymmetric cryptosystems,
> > typically RSA, like symmetric ones by keeping the public key secret, the idea
> > behind this being that if the public key isn't known then there isn't anything
> > for an attacker to factor or otherwise attack.  Turns out that doing this
> > isn't secure:
> > 
> >   http://eprint.iacr.org/2012/588
> 
> A question: The attack seems to aim at getting n = p * q, and then
> factor it. I.e. what they really show is that it is possible to derive
> the public key from two plain/ciphertext pairs; alternatively a multiple
> of n. In essence, there is no point in keeping the public key secret as
> it can be guessed.
> 
> However, the factoring would still remain as a huge task for the
> attacker, unless RSA is used at a meagre bit length, as in their example.
> 
> Correct?

This paper was actually quite timely for us. One of our group was
proposing a key management protocol for federated wireless sensor
networks that relied on both halves of an ECC keypair being kept secret.

In this particular protocol, the main advantage was that each sensor
node would maintain a unique public key for an authentication server,
which was then used to negotiate session keys. The combination allowed a
minimal number of asymmetric operations while preserving perfect forward
secrecy.

My initial reaction was that using asymmetric crypto in a relatively
unproven way was likely to cause more problems, or at least risks, than
it was worth, and I proposed a more 'traditional' alternative. This
turned into a relatively long argument.

I stumbled across this paper the next day on the cryptology ePrint
archive, which finally let me convince my colleague to go with the more
traditional approach.

The point here is that the secrecy of the public key was used for
properties beyond an extra layer of obscurity against factoring.
Learning the public key as described in the paper (admittedly for RSA
not ECC) would have completely broken the protocol.

Joss
-- 
Joss Wright | @JossWright
http://www.pseudonymity.net



More information about the cryptography mailing list