> I'm referring to the Bleichenbacher attack on RSA key transport, aka the
> "Million Message Attack." I don't believe it's known that this cannot be
> extended to ElGamal. I prefer not to take chances.
For those of you who have been sitting on the sidelines watching the messages
whooshing past overhead, it looks like we were talking about two different
"Bleichenbacher attacks" in the last few messages. The one I was thinking
about was from 1996, applies only to Elgamal signatures (not encryption), and
even then only works if a badly chosen key is used. This attack doesn't apply
to Elgamal key wrapping.
The one Eric was thinking of was from 1998. In order to work for the Elgamal
key wrapping I've proposed for CMS, this attack requires that an attacker send
you around a million pieces of CMS encrypted email with attached receipt
requests, that you respond with a million receipts indicating to the attacker
the exact details of why the decrypt failed, that you reuse the same
per-message key for each of those million messages, and that you (rather than
the attacker) know this per-message key.
Now maybe I'm being a bit optimistic here, but I do think that claiming this
is a weakness is pretty silly. First of all you need to assume that an
attacker can somehow send you a million pieces of email without you noticing
and without it getting stopped by spam blockers. Your own software then has
to try to decrypt each of the one million pieces of email, find that it can't,
and send out a receipt to the sender containing an indication of exactly how
the decryption failed (this isn't possible even if you wanted to do it,
although who knows what the Receipt Notification WG have been working on
recently). Finally, the whole attack only works if you reuse cryptovariables
- it would work nicely if you use something like the ES-DH cached values which
Eric mentioned in a previous message, but not against Elgamal key wrapping.
This is why the CERT advisory on this problem specifically points out "This
vulnerability does not affect S/MIME or SET".
As a security threat, I'd say this rates somewhere down with "Router hit by
meteorite", "Computer trampled by stampeding water buffalo", "Hard drive
kidnapped by space aliens", and similar FUD.
#include <previous stuff about DH as Elgamal being better than DH as ES-DH>
Peter.
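The "receipt indicating the exact details of why the decrypt failed" is the oracle the 1998 attack relies on. As an added illustration (not code from this thread or from any CMS implementation), here is a PKCS#1 v1.5 type-2 unpadder written two ways: one that reports each distinct failure, and one that collapses every failure into a random key of the expected length so the sender learns nothing. The block builder and key are constructed test data; no RSA operation is involved, only the padded block an RSA decryption would produce.

```python
import secrets

def wrap(key: bytes, block_len: int) -> bytes:
    """Build a PKCS#1 v1.5 type-2 block: 00 02 <nonzero PS> 00 <key>.
    Constructed test input only; a real block is the RSA-decrypted value."""
    pad_len = block_len - len(key) - 3
    assert pad_len >= 8, "PS must be at least 8 bytes"
    ps = bytes(secrets.choice(range(1, 256)) for _ in range(pad_len))
    return b"\x00\x02" + ps + b"\x00" + key

def unwrap_leaky(block: bytes, key_len: int) -> bytes:
    """Unpad and say exactly which check failed. Each distinct error message
    is one bit of information for whoever chose the ciphertext: this is the
    'detailed receipt' oracle described above."""
    if len(block) < 11 or block[0] != 0x00:
        raise ValueError("bad leading byte")
    if block[1] != 0x02:
        raise ValueError("bad block type")
    sep = block.find(b"\x00", 2)          # end of the nonzero padding string
    if sep < 10:
        raise ValueError("padding string too short")
    key = block[sep + 1:]
    if len(key) != key_len:
        raise ValueError("wrong key length")
    return key

def unwrap_uniform(block: bytes, key_len: int) -> bytes:
    """Same checks, but every failure yields one outcome: carry on with a random
    key of the expected length, so the later symmetric decryption fails in the
    same way for any malformed block. (Python is not constant-time; the point
    shown here is the single, reason-free failure path, not timing.)"""
    sep = block.find(b"\x00", 2)
    ok = len(block) >= 11 and block[0] == 0x00 and block[1] == 0x02
    ok = ok and sep >= 10 and len(block) - sep - 1 == key_len
    fallback = secrets.token_bytes(key_len)  # drawn unconditionally
    return block[sep + 1:] if ok else fallback

def oracle_response(block: bytes, key_len: int) -> str:
    """What the leaky variant would hand back to the sender in a receipt."""
    try:
        unwrap_leaky(block, key_len)
        return "ok"
    except ValueError as err:
        return str(err)
```

Run `oracle_response` on a few corrupted copies of one block to see the distinct answers, then `unwrap_uniform` on the same inputs to see that nothing in its return value tells the two apart.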