1 / 16

Attacks on the RSA Algorithm

Attacks on the RSA Algorithm. CSIS 5857: Encoding and Encryption. Attacks on RSA. Mathematical attacks Situations in which factoring/discrete logarithms easier to compute Short message attacks Generating all possible messages with the public key Timing attacks

harmon
Download Presentation

Attacks on the RSA Algorithm

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Attacks on the RSA Algorithm CSIS 5857: Encoding and Encryption

  2. Attacks on RSA • Mathematical attacks • Situations in which factoring/discrete logarithms easier to compute • Short message attacks • Generating all possible messages with the public key • Timing attacks • Guessing private key based ondecryption run time Apply to many encryption algorithms

  3. Mathematical Attacks • Based on finding fast ways to solve underlying mathematics • Factorization • Discrete Logarithms Unsolved at this point • Recommendations: • Large p and q (at least 1024 bits) • Don’t reuse same n too many times • Large E(at least 216+1)

  4. Short Message Attacks • Typical use of public key algorithm: Generating short messages • Symmetric keys (used then to send rest of message) • Social security numbers, etc. • Idea: • Adversary acquires public key E, n • Uses them to encrypt all possible messages that may be sent(plausible if messages are short enough!) and stores in table • Intercepts encrypted message C and searches for match in the table Adversary can recover plaintext without decryption key!

  5. Short Message Attack • Example: Darth knows that Bob will use Alice’s public key to send her a Social Security Number (9 digits) Alice’s KPU Darth finds Alice’s public key KPU

  6. Short Message Attack • Darth uses Alice’s public key KPU to encrypt all possible Social Security Numbers(only a billion) Alice’s KPU

  7. Short Message Attack • Darth intercepts Bob’s SSN encrypted with Alice’s public key • Searches for match in table of encrypted values j290u9kjwn Message matches this encrypted value So this must be the corresponding plaintext value

  8. Short Message Attacks • Solution: Pad message to M bits • M large enough so adversary can’t generate all 2Mpossible messages • Can’t just add extra bits to end – still possible to crack • Optimal Asymmetric Encryption Padding (OAEP) • Additional bits used as “mask” to conceal plaintext • Mask generated randomly • Mask data sent as part of encrypted message for decryption • Based on cryptographic hash (more later)

  9. Optimal Asymmetric Encryption Padding Encryption: • Message padded to m bits • Random bits r mask padded message • Run through hash function G • XOR’d with padded message to give P1 • Masked message used to mask random bits • Masked message run through hash function H • XOR’d with random bits to give P2 • Masked message and random bits (P1 and P2) encrypted and sent • Key: One-way hash functions make it impossible for adversary to recover rfrom P2

  10. Optimal Asymmetric Encryption Padding Decryption: • Ciphertext decrypted to get masked message and random bits (P1 and P2) • Masked message P1 run through hash function H and XOR’d with P2to recover r • r run through hash function G and XOR’d with P1to recover original padded plaintext

  11. Timing Attacks • Fast exponentiation algorithm used for decryptionto compute CD mod n:result = 1for (i = 0 to number of bits in D- 1) { if (ith bit of D = 1) result = (result * C) mod nC = C2 mod n } • Speed of decryption depends on number of 1’s in D • Each 1 requires additional multiplication operation • Each 0 skips that step

  12. Timing Attacks • If adversary knows the following: • Ciphertext C • Can be intercepted • Can compute how long it takes to multiply ciphertext and compute mods • Total time decryption takes • Can be observed They could compute number of 1’s in private D • Given enough known plaintexts, can reliably guess Dcompletely

  13. Timing Attacks • Darth infiltrates organization • Requests secure data from database • Observes ciphertext • Times processor cycles required by decryption • Guesses properties of key P Fast exponentiation C

  14. Timing Attacks Solutions: • “Pad” algorithm so all decryptions take same time for (i = 0 to number of bits in D- 1) { if (ith bit of D = 1) result = (result * C) mod nelse garbageVariable = (result * C) mod nC = C2 mod n } • Remove adversary’s ability to know the C used in the fast exponentiation (blinding) • Compute fast exponentiation on a value other than C • Use that value to recover the plaintext

  15. Blinding Timing Attacks • Algorithm: • Select random r < modulus n • Compute C1= C r Emod n • Compute P1 = C1Dmod n= (C r E)Dmod n= (CDmod n r EDmod n ) mod n = (P  r )mod n • Compute P = (P1 r -1)mod n fast exponentiation on value unknown to adversary Factor out the original r

  16. Timing Attacks • Based on implementation of algorithm, not underlying mathematics • Any cryptosystem that has a component that takes different time for different keys may be vulnerable • Current research: AES • MixColumns stage uses matrix multiplication • More 0’s in state  Faster matrix multiplication • May be able to recover intermediate states based on run time

More Related