Attacks on RSA. Safe modes.

tybalt
Presentation Transcript


  1. Attacks on RSA. Safe modes.

  2. From the previous lecture… Secret B p, q, n:=pq

  3. Textbook RSA (V) • Security: • Is encryption secure? • Can we recover the secret key? Key recovery as hard as factorizing • Can we recover in any other way? Values are long-term Deterministic Each maps to unique

  4. Textbook RSA (VI) • Security: • IND-CPA/IND-CCA: can’t say anything about Encryption is deterministic: Can always distinguish m from m’ • Plaintext recovery: can’t find from Not guaranteed if few possible messages Try out all alternatives – find plaintext OK if chosen at random from large set • Not very secure; but we can improve it

  5. Textbook RSA ++ • Improving Textbook RSA: pre-processing RSA encryption Secret pre-processing Security will depend on this step

  6. PKCS and Bleichenbacher • Preprocessing with PKCS1, mode 2 • Pad with random number (make it probabilistic) 00 02 random pad FF message 1024 bits • Bleichenbacher ’98: use the regularity of the ciphertext (they must start with “00|02”) to recover plaintext!

  7. PKCS and Bleichenbacher (II) • Core idea Ciphertext Continue ERROR! Decrypt Does m start with “00|02”? • Attacker starts with ciphertext • Re-randomize it: • Is it PKCS? Repeat until you know rM starts with 00|02 • Move to next part of message ciphertexts

  8. Contents • Pre-processing • How OAEP works • Hash Functions; Random Oracles (brief) • Improvements on OAEP • Attacks on factoring – generic • Pollard’s • Pollard- • Unsafe modes for RSA • Small pk and related ciphertexts • Small sk: Wiener’s attack • Some physical attacks

  9. The OAEP Function • A new pre-processing function: OAEP • OAEP = Optimal Asymmetric Encryption Padding • By Bellare & Rogaway, 1994; in RFC 2437 bits bits bits K = size of n=pq m pad r = parameters (to be set) G,H = hash functions G = bit XOR H X Y

  10. The OAEP Function • In detail: OAEP m pad r G • Hash functions • A box with input of any size, and output of fixed size In this case: input is bits, output is • Collision-resistance: can’t find with • Random oracles: always outputs new string Outputs consistently: consistent

  11. The OAEP Function • In detail: OAEP m pad r G • How it works: r G random bits bits = m pad

  12. The OAEP Function • In detail: OAEP r H • How it works: H random bits bits = r

  13. RSA-OAEP Decryption • are random oracles Hard to invert • How do we decrypt? • Go in reverse: receive Decrypt: m pad r G H X Y

  14. RSA-OAEP Decryption • are random oracles Hard to invert • How do we decrypt? • Go in reverse: receive Decrypt: H = r

  15. RSA-OAEP Decryption • are random oracles Hard to invert • How do we decrypt? • Go in reverse: receive Decrypt: Recover: m pad r G H X Y

  16. RSA-OAEP Decryption • are random oracles Hard to invert • How do we decrypt? • Go in reverse: receive Decrypt: Recover: r G = m pad

  17. RSA-OAEP Decryption • are random oracles Hard to invert • How do we decrypt? • Go in reverse: receive Decrypt: Recover: Retrieve: Check: pad has the right format
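The encode and decode steps from slides 9 to 17, written out as an added example that is not part of the original slides. The byte sizes, the all-zero pad and the SHA-256-based stand-ins for G and H are assumptions made for illustration; the layout follows the slide diagram and is not interoperable with the RFC encoding of RSA-OAEP.

```python
import hashlib
import hmac
import os

# Constructed parameters (bytes): block size, size of r, size of the zero pad.
K, K0, K1 = 128, 32, 32

def _expand(tag, seed, length):
    """Stand-in for the random oracles G and H: counter-mode SHA-256."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(tag + seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def oaep_encode(m, r=None):
    """X = (m || pad) XOR G(r),  Y = r XOR H(X); returns X || Y."""
    if len(m) != K - K0 - K1:
        raise ValueError("message must be exactly K - K0 - K1 bytes")
    r = os.urandom(K0) if r is None else r      # fresh randomness every time
    x = _xor(m + b"\x00" * K1, _expand(b"G", r, K - K0))
    y = _xor(r, _expand(b"H", x, K0))
    return x + y

def oaep_decode(block):
    """Go in reverse: recover r from Y, then m || pad from X, then check pad."""
    if len(block) != K:
        raise ValueError("wrong block length")
    x, y = block[:K - K0], block[K - K0:]
    r = _xor(y, _expand(b"H", x, K0))
    padded = _xor(x, _expand(b"G", r, K - K0))
    m, pad = padded[:-K1], padded[-K1:]
    # Constant-time comparison so the check itself does not leak where it failed.
    if not hmac.compare_digest(pad, b"\x00" * K1):
        raise ValueError("decoding error")
    return m
```

In a full scheme the encoded block is what goes through the RSA operation; any change to X or Y scrambles the recovered pad, so the final check rejects modified ciphertexts.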

  18. The OAEP Function • In detail: OAEP • Functions are random oracles: that is, they give random output. In practice: use SHA-1 • Randomness chosen freshly every time • How about the padding? m pad r • Original OAEP: ([BR94]) • OAEP+: with W a random oracle ([S01])

  19. Improving OAEP: SAEP bits bits bits m W(m,r) r H X Y • No need for function • Function is random oracle. Input size: bits. Output size: bits

  20. Contents • Pre-processing • How OAEP works • Hash Functions; Random Oracles (brief) • Improvements on OAEP • Generic attacks on factoring • Small Small or • Pollard- • Unsafe modes for RSA • Small pk and related ciphertexts • Small sk: Wiener’s attack • Some physical attacks

  21. Attacks on RSA • For the remainder of this lecture = We • 1st goal: • Given something of the form , find • Strategies: • Generic: factor . Given, easy to recover • Specific: retrieve plaintext without factoring

  22. Small • Easy case: we are given and • If are prime, then • Given and Calculate: This gives: Also: So: and: Factorization: and

  23. Small • Hard case: we are given only Try to guess Use: Then: Note: are odd. Thus: and are even Algorithm SmallDiff: Input Complexity parameter Write Let . While DO IF is a square (it is equal to for a positive integer) THEN: if and are prime, Output and ELSE:

  24. Small or : Pollard’s • Attack on factoring – bad (p-1) • Vulnerability: with one small prime • Pollard’s-(p-1) factors in steps if smallest factor If is small, then this method is fast • Idea: if is prime, then is not Since all are odd, is even Obviously will have 2 as a factor We are hoping has only small factors and we will try to retrieve them all All in the same set

  25. Small or : Pollard’s • Attack on factoring – bad (p-1) • Vulnerability: with one small prime • Supposition: • How large can be for each? Well, for any , so • Start with definite upper bound: As , any divides. So divides So

  26. Small or : Pollard’s • Attack on factoring – bad (p-1) • Vulnerability: with one small prime As , any divides. So divides So Pick random Check that • If : then. Hooray! • If and • With high probability • Then • Else, pick a new a

  27. Exercise time! • Write pseudocode for Pollard’s
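One possible answer to this exercise, as an added example that is not part of the original slides. It shows why key generation avoids primes with a smooth p-1: the work needed grows with the largest prime factor of p-1. The moduli in the comments are constructed toy values, and the function name and the fixed base a=2 are choices made for this example.

```python
from math import gcd

def pollard_p_minus_1(n, bound, a=2):
    """Return a non-trivial factor of n if some prime p | n has p-1 dividing
    bound!, else None. Computes a^(k!) mod n step by step for k = 2..bound."""
    g = gcd(a, n)
    if 1 < g < n:
        return g                      # a already shares a factor with n
    x = a % n
    for k in range(2, bound + 1):
        x = pow(x, k, n)              # now x = a^(k!) mod n
        g = gcd(x - 1, n)
        if 1 < g < n:
            return g                  # p-1 divides k! for exactly one prime
        if g == n:
            return None               # both primes hit at once: pick a new a
    return None

# Constructed toy moduli:
#   WEAK   = 65537 * 2039, where 65537 - 1 = 2^16 has only the factor 2
#   STRONG = 2039 * 1823, where 2039 - 1 = 2 * 1019 and 1823 - 1 = 2 * 911
WEAK = 65537 * 2039
STRONG = 2039 * 1823

if __name__ == "__main__":
    print(pollard_p_minus_1(WEAK, 20))       # smooth p-1: found almost at once
    print(pollard_p_minus_1(STRONG, 100))    # bound below 911: nothing found
    print(pollard_p_minus_1(STRONG, 1000))   # bound must reach 911 to succeed
```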

  28. So far • Small • Given and : calculate Take: Factorization: and • Given : verify values of for integer For each check if is integer If so, if are prime then: Output Else, next and repeat procedure

  29. So far • Small Pick random Check that • If : then. Hooray! • If and • With high probability • Then • Else, pick a new a and repeat

  30. Pollard’s • General factorization attack (are we lucky?) • Strategy: find specific small such that Most likely then, • Imagine we could calculate Say we had: • Suppose we find such that, then: divides Then with high probability • But, we don’t know . We do this.

  31. Pollard’s • Strategy: we compute: • Find: such that • With high probability • Choice: speed vs. storage • Storage: method as above. Need to store all • Speed: Floyd’s cycle finding algorithm: • and • Mod n: Only checking pairs at a time

  32. Floyd’s Cycle-Finding Alg. Source: http://home.online.no/~vlaenen/

  33. Exercise time! • Put the method (with Floyd’s cycle-finding algorithm) in pseudocode/algorithm form!
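One possible answer to this exercise, as an added example that is not part of the original slides. The iteration x -> x^2 + c mod n, the starting value 2 and the retry wrapper are assumptions of this example; the moduli are constructed toy values.

```python
from math import gcd

def pollard_rho(n, x0=2, c=1, max_steps=1_000_000):
    """Floyd's cycle finding on x -> x^2 + c mod n.
    Returns a non-trivial factor of n, or None if this (x0, c) fails."""
    if n % 2 == 0:
        return 2
    step = lambda x: (x * x + c) % n
    tortoise = hare = x0
    for _ in range(max_steps):
        tortoise = step(tortoise)          # moves one step
        hare = step(step(hare))            # moves two steps
        # Only this one pair is compared per round: no table of values stored.
        g = gcd(abs(tortoise - hare), n)
        if g == n:
            return None                    # cycle closed mod n as well
        if g > 1:
            return g                       # collision mod p but not mod n
    return None

def factor_with_retries(n, tries=20):
    """Retry with a different constant c when one sequence fails."""
    for c in range(1, tries + 1):
        g = pollard_rho(n, c=c)
        if g is not None:
            return g
    return None

if __name__ == "__main__":
    print(pollard_rho(8051))                    # 8051 = 83 * 97
    print(factor_with_retries(65537 * 2039))    # constructed toy modulus
```

The expected number of rounds is on the order of the square root of the smallest prime factor, which is why the storage-free variant is the practical one.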

  34. Contents • Pre-processing • How OAEP works • Hash Functions; Random Oracles (brief) • Improvements on OAEP • Generic attacks on factoring • Small Small or • Pollard- • Unsafe modes for RSA • Small pk and related ciphertexts • Small sk: Wiener’s attack • Some physical attacks

  35. Unsafe Modes for RSA • Small public key • More receivers with same small (different) • Same plaintext is sent to users

  36. Unsafe Modes for RSA • Small public key • One receiver with small (different) • Two related plaintexts: and • If knows the relationship of the messages, she can use polynomial multiplication to find • Recommended • e = • This leads to fast encryption

  37. More Unsafe Modes • Small secret key • Better for decryption: makes it more efficient • Use: least common multiple LCM Math “magic” Divide by dpq

  38. More Unsafe Modes • Small secret key • If is small, then. • If is small, then. Tend to 0 • This means that converges towards • Continued fractions and some trial and error gives d

  39. Physical Attacks • Implementation: Square and Multiply • Standard way to do exponentiation • Write in binary []. Set • For DO: Square AND Multiply • If then set Square • Else, set • Example:

  40. Physical Attacks • Implementation: Square and Multiply • Timing attack: multiply takes longer than square • Time the operation and write out the order of ops M, Sq, Sq, M, Sq, Sq, M, Sq, M, Sq, Sq, M • Retrieve key from inverse Square and Multiply • Power attack: multiply burns more than square • Retrieve for smartcards Source: http://www.dbs.com.hk/
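The leak described on slides 39 and 40, beside one standard mitigation, as an added example that is not part of the original slides. The operation trace stands in for what a timing or power measurement would show; the Montgomery ladder is a swapped-in countermeasure the slides do not mention, and all names and values are constructed.

```python
def square_and_multiply(base, exp, mod):
    """Left-to-right binary exponentiation. Returns (result, operation trace)."""
    result, trace = 1, []
    for bit in bin(exp)[2:]:
        result = result * result % mod
        trace.append("Sq")
        if bit == "1":                      # extra multiply only for 1 bits
            result = result * base % mod
            trace.append("M")
    return result, trace

def exponent_from_trace(trace):
    """What the operation order reveals: 'Sq' opens a bit, 'M' marks it as 1."""
    bits = []
    for op in trace:
        if op == "Sq":
            bits.append("0")
        else:
            bits[-1] = "1"
    return int("".join(bits), 2)

def montgomery_ladder(base, exp, mod):
    """One multiply and one square per bit, whatever the bit value.
    Keeps r1 = r0 * base throughout. Python integers are not constant-time;
    this only shows that the operation sequence no longer depends on the key."""
    r0, r1, trace = 1, base % mod, []
    for bit in bin(exp)[2:]:
        if bit == "1":
            r0, r1 = r0 * r1 % mod, r1 * r1 % mod
        else:
            r1, r0 = r0 * r1 % mod, r0 * r0 % mod
        trace += ["M", "Sq"]
    return r0, trace

if __name__ == "__main__":
    d = 0b101101                            # constructed toy exponent
    value, ops = square_and_multiply(7, d, 1009)
    print(ops, bin(exponent_from_trace(ops)))
    print(montgomery_ladder(7, d, 1009)[1] == montgomery_ladder(7, 0b100000, 1009)[1])
```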

  41. Thanks!