
Bug#788783: openssh-client: uses MD5 for key fingerprints



On Tue, Jun 16, 2015 at 11:13:58AM +0100, Mark Wooding wrote:
> The remaining possibility is that the adversary has managed to come up
> with a new public key (and matching private key) with the same
> fingerprint as the target key, which was generated by an honest party.
> But that's finding a second preimage, and it's /way/ harder than finding
> collisions.

Yes, it is finding a second preimage in the general case.  However, it's
possible to exploit collisions to find a very similar key to the
legitimate user's—one which may be trivially weak, say with a 20-bit
prime as a factor—but which nevertheless works with RSA.  e is almost
always a trivially small value, so any prime where that e works is
sufficient.  The goal is to impersonate.  Who cares if it's with an
insecure key?

Since a collision costs approximately $0.65 to generate, one could try
the attack repeatedly until a suitable n is found.
-- 
brian m. carlson / brian with sandals: Houston, Texas, US
+1 832 623 2791 | http://www.crustytoothpaste.net/~bmc | My opinion only
OpenPGP: RSA v4 4096b: 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187

Attachment: signature.asc
Description: Digital signature
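
A defender-side check for the kind of key discussed in the message above, as an added example that is not part of the original post or of OpenSSH: it parses an ssh-rsa public key blob, computes the MD5 and SHA256 fingerprints in the formats OpenSSH displays, and flags a modulus that has a factor below 2^20. The function names and the two toy moduli are constructed for illustration; real keys have far larger moduli.

```python
import base64, hashlib, struct

def mpint(x):
    # SSH mpint: big-endian, with a leading zero byte when the top bit is set
    b = x.to_bytes(x.bit_length() // 8 + 1, "big")
    return struct.pack(">I", len(b)) + b

def make_blob(e, n):
    t = b"ssh-rsa"
    return struct.pack(">I", len(t)) + t + mpint(e) + mpint(n)

def parse_rsa_blob(blob):
    fields, off = [], 0
    while off < len(blob):
        (ln,) = struct.unpack_from(">I", blob, off)
        fields.append(blob[off + 4:off + 4 + ln])
        off += 4 + ln
    if off != len(blob) or len(fields) != 3 or fields[0] != b"ssh-rsa":
        raise ValueError("not a well-formed ssh-rsa public key blob")
    return int.from_bytes(fields[1], "big"), int.from_bytes(fields[2], "big")

def fingerprints(blob):
    # Both digests cover the same wire-format blob; only the hash differs
    md5 = hashlib.md5(blob).hexdigest()
    md5 = ":".join(md5[i:i + 2] for i in range(0, 32, 2))
    sha = base64.b64encode(hashlib.sha256(blob).digest()).rstrip(b"=").decode()
    return "MD5:" + md5, "SHA256:" + sha

def small_factor(n, bound=1 << 20):
    # Trial division: the first hit is always the smallest prime factor
    for d in range(2, bound):
        if n % d == 0:
            return d
    return None

def audit(blob):
    e, n = parse_rsa_blob(blob)
    md5_fp, sha_fp = fingerprints(blob)
    return {"md5": md5_fp, "sha256": sha_fp, "e": e,
            "bits": n.bit_length(), "small_factor": small_factor(n)}

# Constructed sample keys (toy sizes): one with no small factor, one with a 20-bit factor
HONEST = make_blob(65537, (2**127 - 1) * (2**89 - 1))
WEAK = make_blob(65537, 1000003 * (2**127 - 1))

if __name__ == "__main__":
    for name, blob in (("honest", HONEST), ("weak", WEAK)):
        print(name, audit(blob))
```

A matching fingerprint says nothing about key strength, so a check like this belongs wherever keys are accepted on the basis of a fingerprint comparison.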

