Subject: RE: [dss-comment] DSS as an encryption/decryption oracle.


Tim,

I give below some personal thoughts on your message, this may be updated
following general discussion in the group.

Are you talking here about an attack on the use of DSS for encryption /
decryption, or for signing?

If this is for encryption / decryption, then this is a new application which
is not addressed by the existing DSS work but is on the work plan for the
new DSS-X TC.  Thus, we have yet to consider the detailed implications of
this usage of DSS but need to take into account the point you raise when we
do start work in this area.

If this relates to signatures then the signing will only be invoked by
authorised individuals and so will not be subject to external attack.

Nick

> -----Original Message-----
> From: Timothy J. Miller [mailto:tmiller@mitre.org]
> Sent: 03 July 2007 17:15
> To: dss-comment@lists.oasis-open.org
> Subject: [dss-comment] DSS as an encryption/decryption oracle.
> 
> I scanned the list archives and maybe I missed it, but has there been
> any discussion about DSS effectively being an oracle for both chosen
> plaintext and chosen ciphertext attacks?
> 
> Consider:
> 
> Since the document hash is encrypted with the service's private key,
> this hash can be a chosen plaintext.  Since the resulting ciphertext
> is returned to the attacker, DSS acts as an encryption oracle
> enabling both batch and adaptive chosen-plaintext attacks.
> 
> Additionally, this mode of attack can double as a chosen-ciphertext
> attack, where the hash submitted is treated as a ciphertext for the
> purposes of cryptanalysis.  In this mode, the response is treated as
> a plaintext, and DSS acts as a decryption oracle enabling both
> indifferent and adaptive chosen-plaintext attacks.
> 
> Further, since the public-key and private-key operations are inverses of
> each other, it may be possible for an attacker to choose a plaintext,
> encrypt it with the DSS public key, alter the result to produce
> chosen ciphertexts, and submit them to DSS for decryption.  This is a
> mode of cryptanalysis that is very unusual, and I'm unsure of the
> implications.
> 
> -- Tim
> 

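The exchange above turns on one observation: an RSA "sign" that applies the private exponent to a caller-chosen integer is the same operation as RSA decryption, so a service exposing it is a decryption oracle. The following is an added illustration written for this archive page; it is not code from the DSS specification, from the DSS TC, or from either correspondent. It builds a toy textbook-RSA key (deterministically seeded, far too small for real use), shows the equivalence Tim describes in `raw_private_op`, and then models the two mitigations the thread implies: the service hashes and encodes the document itself, so the caller never controls the exact value that meets the private exponent, and only authorised callers (Nick's point) can invoke signing at all. The `AUTHORISED` set, the `DIGEST_PREFIX` header and the padding layout are constructed stand-ins; the encoding imitates the shape of PKCS#1 v1.5 type-1 blocks but is not a real DigestInfo.

```python
import hashlib
import random

# Seeded RNG so the constructed toy key is reproducible between runs.
_rng = random.Random(20070703)


def _is_probable_prime(n, rounds=16):
    """Miller-Rabin probabilistic primality test (toy-grade, for the demo key)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = _rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        cand = _rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


def make_toy_key(bits=512):
    """Textbook RSA key pair. Toy size: illustration only, never for real signing."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            return {"n": p * q, "e": e, "d": pow(e, -1, phi)}


KEY = make_toy_key()
KEY_BYTES = (KEY["n"].bit_length() + 7) // 8


def public_op(value):
    """RSA public operation (encryption / signature verification)."""
    return pow(value, KEY["e"], KEY["n"])


def raw_private_op(value):
    """The unrestricted operation the thread worries about: the private exponent
    applied to whatever integer the caller supplies. Arithmetically this is RSA
    decryption, which is why exposing it to arbitrary callers is an oracle."""
    return pow(value, KEY["d"], KEY["n"])


# --- Hardened service model -------------------------------------------------

AUTHORISED = {"alice@example.org"}          # constructed stand-in for the authorised signers
DIGEST_PREFIX = b"TOY-SHA256:"              # constructed stand-in for a DigestInfo header


def service_input_for(document):
    """The only shape of value the service ever exponentiates:
    00 01 FF..FF 00 <prefix> <sha256(document)>, exactly one key length long.
    The caller chooses the document, never the integer itself."""
    body = DIGEST_PREFIX + hashlib.sha256(document).digest()
    pad_len = KEY_BYTES - len(body) - 3
    if pad_len < 8:
        raise ValueError("key too small for this encoding")
    return b"\x00\x01" + b"\xff" * pad_len + b"\x00" + body


def sign_document(caller, document):
    """Authorisation check first, then hash-and-encode inside the service."""
    if caller not in AUTHORISED:
        raise PermissionError(f"{caller} is not an authorised signer")
    encoded = int.from_bytes(service_input_for(document), "big")
    return pow(encoded, KEY["d"], KEY["n"])


def verify_document(document, signature):
    recovered = public_op(signature).to_bytes(KEY_BYTES, "big")
    return recovered == service_input_for(document)


if __name__ == "__main__":
    m = 424242                                        # constructed plaintext
    print("raw op inverts encryption:", raw_private_op(public_op(m)) == m)
    sig = sign_document("alice@example.org", b"constructed document")
    print("hardened signature verifies:", verify_document(b"constructed document", sig))
```

The first print shows the equivalence in Tim's message: with a raw private-key operation, "sign this value" and "decrypt this ciphertext" are the same call. In the hardened model the caller never reaches that operation; every value exponentiated begins with the fixed `00 01` header and carries a digest the service computed, and callers outside `AUTHORISED` are refused before any key use. Note the caveat this model does not cover: a service that accepts a caller-supplied hash still lets the caller pick the digest field, so fixed-format encoding limits but does not remove the caller's influence, which is the detail the DSS-X work Nick mentions would need to examine.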
