
Attacks on the RSA Algorithm

Feb 23, 2016


neorah

Page 1: Attacks on the RSA Algorithm

Public Key Encryption and the RSA Public Key Algorithm

CSCI 5857: Encoding and Encryption

Page 2: Attacks on the RSA Algorithm

Outline

• Short message attacks
  – Generating all possible messages with the public key
• Timing attacks
  – Guessing private key based on decryption run time

Apply to many encryption algorithms

Page 3: Attacks on the RSA Algorithm

Mathematical Attacks

• Based on finding fast ways to solve underlying mathematics
  – Factorization
  – Discrete Logarithms

Unsolved at this point

• Recommendations:
  – Large p and q (at least 1024 bits)
  – Don’t reuse same n too many times
  – Large E (at least $2^{16}+1$)

Page 4: Attacks on the RSA Algorithm

Short Message Attacks

• Typical use of public key algorithm: Generating short messages
  – Symmetric keys (used then to send rest of message)
  – Social security numbers, etc.
• Idea:
  – Adversary acquires public key E, n
  – Uses them to encrypt all possible messages that may be sent (plausible if messages are short enough!) and stores in table
  – Intercepts encrypted message C and searches for match in the table

Adversary can recover plaintext without decryption key!

Page 5: Attacks on the RSA Algorithm

Short Message Attack

• Example: Darth knows that Bob will use Alice’s public key to send her a Social Security Number (9 digits)

[Figure: Darth finds Alice’s public key KPU]

Page 6: Attacks on the RSA Algorithm

Short Message Attack

• Darth uses Alice’s public key KPU to encrypt all possible Social Security Numbers (only a billion)

Plaintext SSN    Encrypted with Alice’s KPU
000-00-0000      jk34jk234n
…                …
298-76-8466      98nnsap43
298-76-8467      j290u9kjwn
298-76-8468      lkmqwe844
…                …
999-99-9999      Jbn29q004s

Page 7: Attacks on the RSA Algorithm

Short Message Attack

• Darth intercepts Bob’s SSN encrypted with Alice’s public key
• Searches for match in table of encrypted values

Intercepted message: j290u9kjwn

Plaintext SSN    Encrypted value
000-00-0000      jk34jk234n
298-76-8466      98nnsap43
298-76-8467      j290u9kjwn    ← Message matches this encrypted value
298-76-8468      lkmqwe844
999-99-9999      Jbn29q004s

So this must be the corresponding plaintext value

Page 8: Attacks on the RSA Algorithm

Short Message Attacks

• Solution: Pad message to M bits
  – M large enough so adversary can’t generate all $2^M$ possible messages
  – Can’t just add extra bits to end – still possibly vulnerable
• Optimal Asymmetric Encryption Padding (OAEP)
  – Additional bits used as “mask” to conceal plaintext
    • Mask generated randomly
    • Mask data sent as part of encrypted message for decryption
  – Based on cryptographic hash (more later)

Page 9: Attacks on the RSA Algorithm

Optimal Asymmetric Encryption Padding

Encryption:
• Message padded to m bits
• Random bits r mask the padded message
  – Run through hash function G
  – XOR’d with padded message to give P1
• Masked message masks the random bits
  – Masked message run through hash function H
  – XOR’d with random bits to give P2
• Masked message and random bits (P1 and P2) encrypted and sent
• Key: One-way hash functions make it impossible to recover r from P2

Page 10: Attacks on the RSA Algorithm

Optimal Asymmetric Encryption Padding

Decryption:
• Ciphertext decrypted to get masked message and random bits (P1 and P2)
• Masked message P1 run through hash function H and XOR’d with P2 to recover r
• r run through hash function G and XOR’d with P1 to recover original padded plaintext
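The masking scheme from the two slides above, as an added example that is not part of the original lecture: it shows that unpadded RSA is deterministic, so the table match works, while the masked encoding gives a fresh ciphertext each time and still decrypts. The toy key, the use of truncated SHA-256 for G and H, the byte lengths and the zero-byte padding are assumptions made here; this follows the slides' simplified structure, not the full standardized OAEP encoding.

```python
import hashlib
import secrets

# Constructed toy key (two Mersenne primes); far too small for real use.
P, Q = 2**127 - 1, 2**89 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent (needs Python 3.8+)
M_LEN, R_LEN = 16, 8                   # bytes of padded message / random bits r

def G(r):                              # hash G: stretches r into the message mask
    return hashlib.sha256(b"G" + r).digest()[:M_LEN]

def H(p1):                             # hash H: masked message -> mask for r
    return hashlib.sha256(b"H" + p1).digest()[:R_LEN]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def oaep_encode(msg):
    if len(msg) > M_LEN:
        raise ValueError("message too long for this toy block size")
    r = secrets.token_bytes(R_LEN)                 # fresh random bits per message
    p1 = xor(msg.ljust(M_LEN, b"\x00"), G(r))      # P1 = padded message XOR G(r)
    p2 = xor(r, H(p1))                             # P2 = r XOR H(P1)
    return p1 + p2

def oaep_decode(block):
    p1, p2 = block[:M_LEN], block[M_LEN:]
    r = xor(p2, H(p1))                             # recover r
    return xor(p1, G(r)).rstrip(b"\x00")           # recover padded plaintext

def encrypt_textbook(msg):                         # no padding: deterministic
    return pow(int.from_bytes(msg, "big"), E, N)

def encrypt_padded(msg):
    return pow(int.from_bytes(oaep_encode(msg), "big"), E, N)

def decrypt_padded(c):
    return oaep_decode(pow(c, D, N).to_bytes(M_LEN + R_LEN, "big"))

def table_lookup(ciphertext, candidates, encrypt):
    """Re-encrypt each candidate and compare, as in the slides' table."""
    return next((m for m in candidates if encrypt(m) == ciphertext), None)

CANDIDATES = [b"298-76-8466", b"298-76-8467", b"298-76-8468"]  # values from the slides
SECRET = b"298-76-8467"

if __name__ == "__main__":
    print(table_lookup(encrypt_textbook(SECRET), CANDIDATES, encrypt_textbook))
    print(table_lookup(encrypt_padded(SECRET), CANDIDATES, encrypt_padded))
    print(decrypt_padded(encrypt_padded(SECRET)))
```

With padding, the lookup returns no match because re-encrypting a candidate uses a different r than the intercepted message did.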

Page 11: Attacks on the RSA Algorithm

Timing Attacks

• Encryption/decryption times may not be constant for all algorithms
• Times may be function of:
  – Plaintext, Ciphertext
  – Keys
• Adversary can observe timing in different ways
  – Overall time
  – Processor cycles
  – Power consumption…

Page 12: Attacks on the RSA Algorithm

Timing Attacks on RSA

• Fast exponentiation algorithm used for decryption to compute $C^D \bmod n$:

    result = 1
    for (i = 0 to number of bits in D - 1) {
        if (ith bit of D = 1)
            result = (result * C) mod n
        C = C^2 mod n
    }

• Speed of decryption depends on number of 1’s in D
  – Each 1 requires additional multiplication operation
  – Each 0 skips that step

Page 13: Attacks on the RSA Algorithm

Timing Attacks on RSA

• If adversary knows the following:
  – Ciphertext C
    • Can compute how long it takes to multiply ciphertext and compute mods
    • That is, how long a 1 or a 0 takes to decrypt
  – Total time decryption takes
    • Can be observed

They could compute number of 1’s in private D

• Given enough known plaintexts, can reliably guess D completely

Page 14: Attacks on the RSA Algorithm

Timing Attacks on RSA

• Darth infiltrates organization
  – Requests secure data from database
  – Observes ciphertext
  – Times processor cycles required by decryption
  – Guesses properties of key

[Figure: ciphertext C → fast exponentiation → plaintext P]

Page 15: Attacks on the RSA Algorithm

Timing Attack Solutions

Solutions:
• “Pad” algorithm so all decryptions take same time

    for (i = 0 to number of bits in D - 1) {
        if (ith bit of D = 1)
            result = (result * C) mod n
        else
            garbageVariable = (result * C) mod n
        C = C^2 mod n
    }

• Remove adversary’s ability to know the C used in the fast exponentiation (blinding)
  – Compute fast exponentiation on a value other than C
  – Use that value to recover the plaintext
  – Used by commercial versions of RSA
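The two exponentiation loops from the slides side by side, as an added example that is not part of the original lecture: each function returns the result together with the number of multiply steps it performed, so the dependence on the 1 bits of D, and its removal by the dummy multiply, can be checked directly. The modulus, ciphertext value and the two 12-bit exponents are constructed sample values.

```python
def modexp_leaky(c, d, n):
    """The slides' fast exponentiation; returns (result, multiply steps done)."""
    result, mults = 1, 0
    for i in range(d.bit_length()):
        if (d >> i) & 1:                 # only 1 bits cost a multiplication
            result = (result * c) % n
            mults += 1
        c = (c * c) % n                  # squaring happens for every bit
    return result, mults

def modexp_padded(c, d, n):
    """Same loop with the slides' dummy multiply on 0 bits."""
    result, mults = 1, 0
    for i in range(d.bit_length()):
        if (d >> i) & 1:
            result = (result * c) % n
        else:
            garbage = (result * c) % n   # same work, value discarded
        mults += 1                       # one multiplication per bit either way
        c = (c * c) % n
    return result, mults

# Constructed sample values: toy modulus and two exponents of equal bit length
# but very different numbers of 1 bits.
N = 3233                      # 61 * 53
C = 855
SPARSE_D = 0b100000000001     # two 1 bits
DENSE_D = 0b111111111111      # twelve 1 bits

def multiplication_profile(modexp):
    """Multiply-step counts for the sparse and the dense exponent."""
    return [modexp(C, d, N)[1] for d in (SPARSE_D, DENSE_D)]

if __name__ == "__main__":
    print("leaky :", multiplication_profile(modexp_leaky))
    print("padded:", multiplication_profile(modexp_padded))
```

The counts measure operations, not wall-clock time; in an interpreted language equal operation counts do not by themselves make the run time identical.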

Page 16: Attacks on the RSA Algorithm

Blinding Timing Attacks

• Algorithm:
  – Select random r < modulus n
  – Compute $C_1 = C \cdot r^E \bmod n$
  – Compute $P_1 = C_1^D \bmod n = (C \cdot r^E)^D \bmod n = (C^D \bmod n \cdot r^{ED} \bmod n) \bmod n = (P \cdot r) \bmod n$ (fast exponentiation on value unknown to adversary)
  – Compute $P = (P_1 \cdot r^{-1}) \bmod n$ (factor out the original r)
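The blinding steps above carried through on a toy key, as an added example that is not part of the original lecture: the function returns both the recovered plaintext and the blinded value that was actually raised to D, so it can be checked that this value differs from C and changes on every call. The key, the sample message and the function name are assumptions made here; the gcd check ensures r has an inverse mod n.

```python
import secrets
from math import gcd

# Constructed toy key (two Mersenne primes); far too small for real use.
P, Q = 2**61 - 1, 2**31 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))        # private exponent (needs Python 3.8+)

MESSAGE = 123456789                       # constructed sample plaintext
CIPHERTEXT = pow(MESSAGE, E, N)           # the C an observer could see

def blinded_decrypt(c):
    """Return (plaintext, c1), where c1 is the value actually raised to D."""
    while True:
        r = secrets.randbelow(N - 2) + 2  # random r with 2 <= r < n
        if gcd(r, N) == 1:                # r must be invertible mod n
            break
    c1 = (c * pow(r, E, N)) % N           # C1 = C * r^E mod n
    p1 = pow(c1, D, N)                    # P1 = C1^D mod n = (P * r) mod n
    p = (p1 * pow(r, -1, N)) % N          # P  = P1 * r^-1 mod n
    return p, c1

if __name__ == "__main__":
    for _ in range(2):
        plaintext, exponentiated = blinded_decrypt(CIPHERTEXT)
        print(plaintext, hex(exponentiated))
```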

Page 17: Attacks on the RSA Algorithm

Timing Attacks

• Based on implementation of algorithm, not underlying mathematics
• Any cryptosystem that has a component that takes different time for different keys may be vulnerable
• Current research: AES
  – MixColumns stage uses matrix multiplication
  – More 0’s in state → faster matrix multiplication
  – May be able to recover intermediate states based on run time