120 likes | 423 Views
Attacks on Digital Signature Algorithm: RSA. John Nguyen. RSA as a Digital Signature Algorithm. The need for digital signature: online banking, routable forms… Requirement: something uniquely identify oneself, and people can verify that unique identification.
E N D
Attacks on Digital Signature Algorithm: RSA John Nguyen
RSA as a Digital Signature Algorithm • The need for digital signature: online banking, routable forms… • Requirement: something uniquely identify oneself, and people can verify that unique identification. • RSA is a public key cryptography which offers that need. • Private key to sign the message. • Public key to verify the signature.
RSA • A public key algorithm • Easy to understand and implement • Popular, used by numerous companies such as Motorola and Adobe in its Acrobat product. • De facto standard in much of the world.
RSA Algorithm • Choose 2 large prime numbers p and q • Then compute: n = pq • Choose e such that e and (p-1)(q-1) are relatively prime. • key d can be computed by using extended Euclidean algorithm: ed ≡ 1 mod (p-1)(q-1)
RSA Encrytion • Public key: n and e • Private key: d • Encrypting: c = me mod n • Decrypting: m = cd mod n • Digital signature: • c = md mod n (signing) • m = ce mod n (verification)
Proof • cd = (me)d (mod n) = med = mk(p-1)(q-1) + 1 = mmk(p-1)(q-1) = m *1 = m • mk(p-1)(q-1) = mk(n) = m* 1 (Euler’s generalization of Fermat’s little theorem)
Security of RSA • Factoring n is the most obvious attack. • Difficult • Factoring techonology: best 129-decimal-digital modulus • N must be larger than that to be secure • Guessing value of (p-1)(q-1), but the difficulty is the same as factoring n • Common attacks against RSA’s implementation: attack against the protocol, not the basic algorithm.
Chosen Cipher Attack against RSA • Eve: attacker, Alice: user • Eve got c encrypted by Alice’s public key. Eve wants to read plaintext m from c. • Mathematically, Eve needs d: m = cd, but Eve does not know d. • Eve decided to figure out m without first knowing exactly what d is.
Chosen Ciphertext attack… • Eve chooses a random number r (r < n), then compute: x = re mod n y = xc mod n t = r-1 mod n • Eve gets Alice to sign y with her private key, therefore decrypting y. • Alice sends Eve: u = yd mod n • Eve computes, and get m: tu mod n = r-1yd mod n = r-1xdcd mod n = cd mod n = m
Prevent against this chosen ciphertext attack • Signing and encrypting (& decrypting) are 2 different things. • They can be done separately. • 1 set of keys for signing and verification. • 1 set of keys for decrypting and encrypting. • Sign on a one-way hash of message, not the message. • Signing will not decrypt the message, so Eve can not figure out m
Attack on Encrypting and Signing with RSA • Alice sends a message m to Bob • She encrypts m with Bob public key, then signs with her private key: (meB mod nB)dA mod nA • Bob can claim that Alice sent him m’, not m. • He can find x, such that: m’x = m mod n • If he can publish xeB replace old eB
To prevent this attack… • Assign each user fixed keys • Usually be done by third party: VeriSign… • Moreover, common good practice: sign first, encrypt later.