1 / 28

Daniel Bleichenbacher

Chosen-Ciphertext Attacks Against Protocols Based on the RSA Encryption Standard PKCS #1 ( Public-Key Cryptography Standards). Daniel Bleichenbacher. Elizabeth Loza-Garay Christopher Thoma Orosco Cynthia A Guozden Yonghua Li. Overview. Introduction PKCS #1 description

Download Presentation

Daniel Bleichenbacher

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Chosen-Ciphertext Attacks Against Protocols Based on the RSA Encryption Standard PKCS #1(Public-Key Cryptography Standards) Daniel Bleichenbacher Elizabeth Loza-Garay Christopher Thoma Orosco Cynthia A Guozden Yonghua Li

  2. Overview • Introduction • PKCS #1 description • Description of the algorithm • Prevention techniques • Experimental results • Conclusion

  3. Objetive • Introduces a new adaptive Chosen Ciphertext Attack against protocols based on RSA

  4. RSA/PKCS #1 encryption Bob Alice PK:(n=pq,e) SK:(p,q,d: ed=1 mod j(n)) message: m padding: m M C e d decrypt: M’ =C (mod n) C=M (mod n) remove padding: M’ m’ ??

  5. Situation analyzed in this talk Bob Alice PK:(n=pq,e) SK:(p,q,d: ed=1 mod j(n)) message: m padding: m M C d decrypt: M’= C (mod n) C=Me (mod n) R remove padding: M’ R=1 if padding correct R=0 if padding incorrect m’ Eve

  6. Chosen-ciphertext attack Alice Bob PK:(n=pq,e) SK:(p,q,d: ed=1 mod j(n)) C Ask d e Eve C’=CS (mod n) M=Cdmod n • R= 0/1 (depending • on correctness of • padding of C’) S=rnd int M’=C’d M= M’S-1 mod n

  7. PKCS #1 (v.1.5) padding for encryption RSA modulus: n=pq of length k bytes; i.e. 256 k-1< n < 256k most significant byte least significant byte 00 02 padding string 00 message Data block at least 8 bytes kbytes Length (n)

  8. PKCS # 1 (Cont) 00 02 padding string 00 message Data block at least 8 bytes 00||02||PS||00||D EB1=00 EB2=02 EB3 through EB10 are nonzero At least one of the bytes EB11 through EBk is 00

  9. Observations PKCS #1 (v.1.5) padding for encryption is correct if • 1st byte is 00 • 2nd byte is 02 • next 8 bytes different from 00 • at least one more 00 byte • less significant bit on RSA encryption is as secure as the whole message  single bits per ciphertext may be sufficient

  10. Chosen-Ciphertext Attacks Adaptive:chosen-ciphertexts  previous outcomes Theoretical weakness  Practical (easy to get information from the oracle reply) Attack Server Kind of error

  11. How the attack works: Overview Bob d Eve M=C ?? e C =CS (mod n) i i R If a message C is PKCS conforming then i 2*256k-2-1 < MS < 3*256k-2 3 phases: Blinding, slow phase and fast phase

  12. Blinding • Yields a ciphertext c0 that corresponds to and unknown message m0 Given an integer c, choose different random integers si, then check, by sending them to the Oracle, whether c(si)^e mod n is PKCS conforming. For the first successful value si, set c0  c(si)^e mod n M0  {[2B, 3B-1]} // 2*256k-2-1 < M0 = MS < 3*256k-2 i  1

  13. Slow phase • The attacker tries to find small values of si for which the ciphertext c0(si)^e mod n is PKCS conforming. For each successful value for si, the attacker computes, using previous knowledge about m0, a set of intervals that must contain m0.

  14. Slow Phase If (i=1) s1> n/3B | c0(si)^e mod n == PKCS conforming else if ( i> 1 && Mi-1 >= 2) // Mi > one interval {search( si> si -1 | c0(si)^e mod n == PKCS conforming)} else if ( Mi-1 == {[a,b]}) // exactly one interval { while(!(c0(si)^e mod n == PKCS conforming)) {choose(ri, si) | ri>= 2((b(si-1) - 2B)/n) && (2B + (ri)n)/b <= si< (3B + (ri)n)/a } }

  15. Fast phase • First two bytes of M0Si are correct with prob. » 1/2. • A message is PKCS conforming with prob. > 0.09. • Each PKCS conforming message roughly cuts the remaining interval in half.

  16. Fast Phase After si has been found, the set Mi is computed as: Mi  a £ Mi £ b // contained in a sufficiently small interval /* search si | si approx. 2si -1 and the two sets overlap */ For all [a,b] contained in Mi -1 and (a(si) - 3B + 1/n) <= r<=(b(si) - 2B/n) If (Mi == {[a,a]}) { m  a(si) -1 mod n; return m; // m is the solution to m = c^d mod n } i++; goTo slowPhase();

  17. Countermeasures • Chance key pairs frequently • Use different key pairs for different servers • Check format of the message after decryption

  18. Countermeasures (cont.) • Identical error message and same amount of time • Have a data block for 1024 bits key

  19. Countermeasures (cont.) • Add structure to data value D (e.g. hash function on D) • PKCS#1 v2 will support Optimal Asymmetric Encryption Padding (OAEP)

  20. Countermeasures (cont.) Data Seed Padding operation (introduces Redundancy) Padded Data XOR Masking Function Masked Data Masking Function XOR Masked Data Masked Seed

  21. Access to an Oracle • Plain Encryption • Detailed Error Messages • Timing Attack

  22. Signing and Encrypting Some protocols (e.g. SHTTP, S/MIME) sign and encrypt messages. Bob: SKB; PKB Alice: SKA; PKA m sign encrypt C decrypt m’ sig(m’) verify sig.

  23. Timing attacks Decryption is sometimes done as follows: 1. Decrypt the ciphertext C 2. If the padding is incorrect return an error. 3. Verify the signature 4. If the signature is incorrect return an error. • Signature is verified only when padding of C is OK. • An attacker might get the information about the padding of C by measuring response times. • The message is authenticated after step 4, but step 2 might leak information. • Such protocols should be used carefully in client/server applications.

  24. SSL Block Format 00 02 padding string 00 03 00 premastersecret 46 bytes

  25. SSL Version 3.0 Client Server <Client.hello> Random, Ciphersuites <Server.hello> Random, Ciphersuites, PK, Cert chose PreMaster Secret (PMS) <Client Key Exchange> {PMS}PK decrypt {PMS}PK error alert if padding is incorrect <Client.finished> compute master secret (MS) hash(MS, ...) compute (MS) verify hash(MS, ...) <Server.finished>

  26. SSL Version 3.0 (correction) Client Server <Client.hello> Random, Ciphersuites <Server.hello> Random, Ciphersuites, PK, Cert chose PreMaster Secret (PMS) <Client Key Exchange> {PMS}PK decrypt {PMS}PK <Client.finished> compute master secret (MS) hash(MS, ...) compute (MS) verify hash(MS, ...) error alert if padding or hash is incorrect <Server.finished>

  27. Conclusions • Consider chosen-ciphertext attacks. • Details (e.g. error messages) do matter. • The phase between decryption and integrity check of a message is critical. No information should leak in that phase. • An integrity check should be close the decryption step. (e.g. PKCS #1 v.2.0, SSL v.3.0 patch, Cramer-Shoup cryptosyst

  28. Thank you ?

More Related