Cryptography CS 555 Topic 31 RSA Attacks Fixes

  • Slides: 24
Download presentation
Cryptography CS 555 Topic 31: RSA Attacks + Fixes 1

Cryptography CS 555 Topic 31: RSA Attacks + Fixes 1

Recap • CPA/CCA Security for Public Key Crypto • Key Encapsulation Mechanism • El-Gamal

Recap • CPA/CCA Security for Public Key Crypto • Key Encapsulation Mechanism • El-Gamal 2

Recap • 3

Recap • 3

Recap RSA-Assumption • 4

Recap RSA-Assumption • 4

(Review) Attacks on Plain RSA • We have not introduced security models like CPA-Security

(Review) Attacks on Plain RSA • We have not introduced security models like CPA-Security or CCA-security for Public Key Cryptosystems • However, notice that (Plain) RSA Encryption is stateless and deterministic. Plain RSA is not secure against chosen-plaintext attacks • Plain RSA is also highly vulnerable to chosen-ciphertext attacks • • Attacker intercepts ciphertext c of secret message m Attacker generates ciphertext c’ for secret message 2 m Attacker asks for decryption of c’ to obtain 2 m Divide by 2 to recover original message m 5

(Plain) RSA Discussion • However, notice that (Plain) RSA Encryption is stateless and deterministic.

(Plain) RSA Discussion • However, notice that (Plain) RSA Encryption is stateless and deterministic. Plain RSA is not secure against chosen-plaintext attacks • In a public key setting the attacker does have access to an encryption oracle • Encrypted messages with low entropy are vulnerable to a brute-force attack. • If m < B then attacker can recover m after at most B queries to encryption oracle (using public key) 6

Recovering Encrypted Message faster than Brute-Force • 7

Recovering Encrypted Message faster than Brute-Force • 7

Recovering Encrypted Message faster than Brute-Force • 8

Recovering Encrypted Message faster than Brute-Force • 8

More Weaknesses: Plain RSA with small e • 9

More Weaknesses: Plain RSA with small e • 9

More Attacks: Encrypting Related Messages • 10

More Attacks: Encrypting Related Messages • 10

More Attacks: Encrypting Related Messages • 11

More Attacks: Encrypting Related Messages • 11

Sending the Same Message to Multiple Receivers • 12

Sending the Same Message to Multiple Receivers • 12

Sending the Same Message to Multiple Receivers • 13

Sending the Same Message to Multiple Receivers • 13

Apply GCD to Pairs of RSA Moduli? • 14

Apply GCD to Pairs of RSA Moduli? • 14

Dependent Keys Part 1 • 15

Dependent Keys Part 1 • 15

Dependent Keys Part 2 • 16

Dependent Keys Part 2 • 16

Dependent Keys Part 2 • 17

Dependent Keys Part 2 • 17

RSA-OAEP (Optimal Asymmetric Encryption Padding) • 18

RSA-OAEP (Optimal Asymmetric Encryption Padding) • 18

RSA-OAEP (Optimal Asymmetric Encryption Padding) Theorem: If we model G and H as Random

RSA-OAEP (Optimal Asymmetric Encryption Padding) Theorem: If we model G and H as Random oracles then RSA-OAEP is a CCA-Secure public key encryption scheme. Bonus: One of the fastest in practice! 19

PKCS #1 v 2. 0 • Implementation of RSA-OAEP • James Manger found a

PKCS #1 v 2. 0 • Implementation of RSA-OAEP • James Manger found a chosen-ciphertext attack. • What gives? 20

PKCS #1 v 2. 0 (Bad Implementation) • 21

PKCS #1 v 2. 0 (Bad Implementation) • 21

PKCS #1 v 2. 0 (Attack) • 22

PKCS #1 v 2. 0 (Attack) • 22

Another Side Channel Attack on RSA • 23

Another Side Channel Attack on RSA • 23

Next Class: Digital Signatures Part 1 • Read Katz and Lindell: 12. 1 -12.

Next Class: Digital Signatures Part 1 • Read Katz and Lindell: 12. 1 -12. 3 24

RSA Implementation Attacks RSA Attacks 1 RSA qRSA Implementation Attacks RSA Attacks 1 RSA q
RSA Implementation Attacks RSA Attacks 1 RSA oRSA Implementation Attacks RSA Attacks 1 RSA o
Cryptography CS 555 Week 10 RSA Attacks onCryptography CS 555 Week 10 RSA Attacks on
555 timer 555 timer What is the 555555 timer 555 timer What is the 555
Cryptography CS 555 Topic 17 Textbook RSA encryptionCryptography CS 555 Topic 17 Textbook RSA encryption
Cryptography CS 555 Topic 18 RSA Implementation andCryptography CS 555 Topic 18 RSA Implementation and
RSA Secur ID OTP RSA Security OTP RSARSA Secur ID OTP RSA Security OTP RSA
RSA 9 1977 RSA Shamir Rivest Adleman RSARSA 9 1977 RSA Shamir Rivest Adleman RSA
Cryptography CS 555 Week 13 More Plain RSACryptography CS 555 Week 13 More Plain RSA
PKCS 1 RSA Cryptography Standard Jessica Staddon RSAPKCS 1 RSA Cryptography Standard Jessica Staddon RSA
Public Key Cryptography and the RSA Algorithm CryptographyPublic Key Cryptography and the RSA Algorithm Cryptography
Public Key Cryptography and the RSA Algorithm CryptographyPublic Key Cryptography and the RSA Algorithm Cryptography
RSA Ramki Thurimella PublicKey Cryptography Symmetric cryptography sameRSA Ramki Thurimella PublicKey Cryptography Symmetric cryptography same
Applied Cryptography Public Key RSA Public Key CryptographyApplied Cryptography Public Key RSA Public Key Cryptography
Public Key Cryptography and the RSA Algorithm CryptographyPublic Key Cryptography and the RSA Algorithm Cryptography
Public Key Cryptography and the RSA Algorithm CryptographyPublic Key Cryptography and the RSA Algorithm Cryptography
Resourcebased Attacks Attacking Networks ResourceBased Attacks Resourcebased attacksResourcebased Attacks Attacking Networks ResourceBased Attacks Resourcebased attacks
Cryptography CS 555 Topic 24 Finding Prime NumbersCryptography CS 555 Topic 24 Finding Prime Numbers
Cryptography CS 555 Topic 25 Quantum Crpytography CSCryptography CS 555 Topic 25 Quantum Crpytography CS
Cryptography CS 555 Topic 11 Authenticated Encryption CCASecurityCryptography CS 555 Topic 11 Authenticated Encryption CCASecurity
Cryptography CS 555 Topic 3 Onetime Pad andCryptography CS 555 Topic 3 Onetime Pad and
Cryptography CS 555 Topic 6 Number Theory BasicsCryptography CS 555 Topic 6 Number Theory Basics
Cryptography CS 555 Topic 9 Block Cipher ConstructionCryptography CS 555 Topic 9 Block Cipher Construction