Attacks on Digital Signature Algorithm: RSA
John Nguyen

RSA as a Digital Signature Algorithm
- The need for digital signatures: online banking, routable forms…
- Requirement: something that uniquely identifies oneself, and that other people can verify.
- RSA is a public-key cryptosystem that meets that need.
- Private key to sign the message.
- Public key to verify the signature.

RSA
- A public-key algorithm
- Easy to understand and implement
- Popular, used by numerous companies such as Motorola and Adobe in its Acrobat product.
- De facto standard in much of the world.

RSA Algorithm
- Choose 2 large prime numbers $p$ and $q$
- Then compute: $n = pq$
- Choose $e$ such that $e$ and $(p-1)(q-1)$ are relatively prime.
- Key $d$ can be computed by using the extended Euclidean algorithm: $ed \equiv 1 \pmod{(p-1)(q-1)}$

RSA Encryption
- Public key: $n$ and $e$
- Private key: $d$
- Encrypting: $c = m^e \bmod n$
- Decrypting: $m = c^d \bmod n$
- Digital signature:
  - $c = m^d \bmod n$ (signing)
  - $m = c^e \bmod n$ (verification)

Proof
- $c^d = (m^e)^d \pmod n = m^{ed} = m^{k(p-1)(q-1)+1} = m \cdot m^{k(p-1)(q-1)} = m \cdot 1 = m$
- $m^{k(p-1)(q-1)} = m^{k\varphi(n)} \equiv 1 \pmod n$ (Euler's generalization of Fermat's little theorem)

Security of RSA
- Factoring $n$ is the most obvious attack.
  - Difficult
  - Factoring technology: best 129-decimal-digit modulus
  - $n$ must be larger than that to be secure
- Guessing the value of $(p-1)(q-1)$, but the difficulty is the same as factoring $n$
- Common attacks are against RSA's implementation: attacks against the protocol, not the basic algorithm.

Chosen Ciphertext Attack against RSA
- Eve: attacker, Alice: user
- Eve has $c$, encrypted with Alice's public key. Eve wants to read the plaintext $m$ from $c$.
- Mathematically, Eve needs $d$: $m = c^d$, but Eve does not know $d$.
- Eve decides to figure out $m$ without first knowing exactly what $d$ is.

Chosen Ciphertext Attack…
- Eve chooses a random number $r$ ($r < n$), then computes:
  - $x = r^e \bmod n$
  - $y = xc \bmod n$
  - $t = r^{-1} \bmod n$
- Eve gets Alice to sign $y$ with her private key, therefore decrypting $y$. Alice sends Eve: $u = y^d \bmod n$
- Eve computes, and gets $m$: $tu \bmod n = r^{-1} y^d \bmod n = r^{-1} x^d c^d \bmod n = m$ (since $x^d = r^{ed} \equiv r \pmod n$ and $c^d \equiv m \pmod n$)

Preventing this chosen ciphertext attack
- Signing and encrypting (& decrypting) are 2 different things.
- They can be done separately.
- 1 set of keys for signing and verification.
- 1 set of keys for decrypting and encrypting.
- Sign a one-way hash of the message, not the message.
- Signing will not decrypt the message, so Eve cannot figure out $m$

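The chosen ciphertext slide's algebra and the hash-before-signing countermeasure, side by side, as an added example that is not part of the original slides. The key, the function names and the hash-to-integer encoding are assumptions made for illustration; a real deployment would also use separate key pairs and a standard padded signature scheme.

```python
import hashlib

# Constructed toy key (assumption, not from the slides): two Mersenne primes,
# far too small and too structured for real use, chosen so the demo runs instantly.
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))      # ed = 1 mod (p-1)(q-1)

def encrypt(m):
    return pow(m, E, N)                 # c = m^e mod n

def _digest(value):
    # One-way hash of the input, reduced mod n (toy encoding, no padding scheme).
    h = hashlib.sha256(str(value).encode()).digest()
    return int.from_bytes(h, "big") % N

def sign_raw(y):
    # Weak: signs the submitted number itself with the decryption exponent.
    return pow(y, D, N)                 # u = y^d mod n

def sign_hashed(y):
    # Hardened: signs H(y), so the value returned is never y^d.
    return pow(_digest(y), D, N)

def verify_hashed(y, sig):
    return pow(sig, E, N) == _digest(y)

def unblind(c, r, signer):
    # The slide's algebra: x = r^e, y = xc, t = r^-1, u = signer(y), result = tu mod n.
    x = pow(r, E, N)
    y = (x * c) % N
    t = pow(r, -1, N)
    return (t * signer(y)) % N

def demo(m=20240229, r=123456789):
    # m and r are constructed sample values.
    c = encrypt(m)
    return {
        "raw_signer_leaks_m": unblind(c, r, sign_raw) == m,
        "hashed_signer_leaks_m": unblind(c, r, sign_hashed) == m,
        "hashed_signature_verifies": verify_hashed(m, sign_hashed(m)),
    }

if __name__ == "__main__":
    print(demo())
```
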
Attack on Encrypting and Signing with RSA
- Alice sends a message $m$ to Bob
- She encrypts $m$ with Bob's public key, then signs with her private key: $(m^{e_B} \bmod n_B)^{d_A} \bmod n_A$
- Bob can claim that Alice sent him $m'$, not $m$.
- He can find $x$, such that: $m'^x = m \bmod n$
- If he can publish $x e_B$ to replace the old $e_B$

To prevent this attack…
- Assign each user fixed keys
- Usually done by a third party: VeriSign…
- Moreover, common good practice: sign first, encrypt later.