170 likes | 417 Views
Attacks on the RSA Algorithm. CSIS 5857: Encoding and Encryption. Short Message Attacks. Typical use of public key algorithm: Generating short messages Symmetric keys (used then to send rest of message) Social security numbers, etc. Idea: Adversary acquires public key E , n
E N D
Attacks on the RSA Algorithm CSIS 5857: Encoding and Encryption
Short Message Attacks • Typical use of public key algorithm: Generating short messages • Symmetric keys (used then to send rest of message) • Social security numbers, etc. • Idea: • Adversary acquires public key E, n • Uses them to encrypt all possible messages that may be sent(plausible if messages are short enough!) and stores in table • Intercepts encrypted message C and searches for match in the table Adversary can recover plaintext without decryption key!
Short Message Attack • Example: Darth knows that Bob will use Alice’s public key to send her a Social Security Number (9 digits) Alice’s KPU Darth finds Alice’s public key KPU
Short Message Attack • Darth uses Alice’s public key KPU to encrypt all possible Social Security Numbers(only a billion) Alice’s KPU
Short Message Attack • Darth intercepts Bob’s SSN encrypted with Alice’s public key • Searches for match in table of encrypted values j290u9kjwn Message matches this encrypted value So this must be the corresponding plaintext value
Short Message Attacks • Solution: Pad message to M bits • M large enough so adversary can’t generate all 2Mpossible messages • Can’t just add extra bits to end – still possibly vulnerable • Optimal Asymmetric Encryption Padding (OAEP) • Additional bits used as “mask” to conceal plaintext • Mask generated randomly • Mask data sent as part of encrypted message for decryption • Based on cryptographic hash (more later)
Optimal Asymmetric Encryption Padding Encryption: • Message padded to m bits • Random bits r mask padded message • Run through hash function G • XOR’d with padded message to give P1 • Masked message used to mask random bits • Masked message run through hash function H • XOR’d with random bits to give P2 • Masked message and random bits (P1 and P2) encrypted and sent • Key: One-way hash functions make it impossible for adversary to recover rfrom P2
Optimal Asymmetric Encryption Padding Decryption: • Ciphertext decrypted to get masked message and random bits (P1 and P2) • Masked message P1 run through hash function H and XOR’d with P2to recover r • r run through hash function G and XOR’d with P1to recover original padded plaintext
Timing Attacks • Fast exponentiation algorithm used for decryptionto compute CD mod n:result = 1for (i = 0 to number of bits in D- 1) { if (ith bit of D = 1) result = (result * C) mod nC = C2 mod n } • Speed of decryption depends on number of 1’s in D • Each 1 requires additional multiplication operation • Each 0 skips that step
Timing Attacks • If adversary knows the following: • CiphertextC • Can compute how long it takes to multiply ciphertext and compute mods • That is, how long a 1 or a 0 takes to decrypt • Total time decryption takes • Can be observed They could compute number of 1’s in private D • Given enough known plaintexts, can reliably guess Dcompletely
Timing Attacks • Darth infiltrates organization • Requests secure data from database • Observes ciphertext • Times processor cycles required by decryption • Guesses properties of key P Fast exponentiation C
Timing Attacks Solutions: • “Pad” algorithm so all decryptions take same time for (i = 0 to number of bits in D- 1) { if (ith bit of D = 1) result = (result * C) mod nelse garbageVariable = (result * C) mod nC = C2 mod n } • Remove adversary’s ability to know the C used in the fast exponentiation (blinding) • Compute fast exponentiation on a value other than C • Use that value to recover the plaintext • Used by commercial versions of RSA
Blinding Timing Attacks • Algorithm: • Select random r < modulus n • Compute C1= C r Emod n • Compute P1 = C1Dmod n= (C r E)Dmod n= (CDmod n r EDmod n ) mod n = (P r )mod n • Compute P = (P1 r -1)mod n fast exponentiation on value unknown to adversary Factor out the original r
Timing Attacks • Based on implementation of algorithm, not underlying mathematics • Any cryptosystem that has a component that takes different time for different keys may be vulnerable • Current research: AES • MixColumns stage uses matrix multiplication • More 0’s in state Faster matrix multiplication • May be able to recover intermediate states based on run time
Attacks on RSA • Mathematical attacks • Situations in which factoring/discrete logarithms easier to compute • Short message attacks • Generating all possible messages with the public key • Timing attacks • Guessing private key based ondecryption run time Apply to many encryption algorithms
Mathematical Attacks • Based on finding fast ways to solve underlying mathematics • Factorization • Discrete Logarithms Unsolved at this point • Recommendations: • Large p and q (at least 1024 bits) • Don’t reuse same n too many times • Large E(at least 216+1)