The RSA Cryptosystem
Dan Boneh, Stanford University
The RSA cryptosystem
Ø First published:
  • Scientific American, Aug. 1977 (after some censorship entanglements).
Ø Currently the "work horse" of Internet security:
  • Most Public Key Infrastructure (PKI) products.
  • SSL/TLS: certificates and key exchange.
  • Secure e-mail: PGP, Outlook, …
The RSA trapdoor 1-to-1 function
Ø Parameters: N = pq, with N 1024 bits and p, q 512-bit primes.
  • e: encryption exponent, with gcd(e, φ(N)) = 1.
  • d: decryption exponent, where e·d = 1 (mod φ(N)).
Ø 1-to-1 function: RSA(M) = M^e (mod N), for M ∈ Z_N^*.
Ø Trapdoor: d.
Ø Inversion: RSA(M)^d = M^{ed} = M^{kφ(N)+1} = M (mod N).
Ø (n, e, t, ε)-RSA Assumption: for any t-time algorithm A,
  Pr[ A(N, e, x) = x^{1/e} (mod N) : p, q ←R n-bit primes, N ← pq, x ←R Z_N^* ] < ε.
Textbook RSA is insecure
Ø Textbook RSA encryption:
  • Public key: (N, e).  Encrypt: C = M^e (mod N).
  • Private key: d.  Decrypt: C^d = M (mod N).  (M ∈ Z_N^*)
Ø Completely insecure cryptosystem:
  • Does not satisfy basic definitions of security (encryption is deterministic, so equal plaintexts give equal ciphertexts).
  • Many attacks exist.
Ø The RSA trapdoor permutation is not a cryptosystem!
A simple attack on textbook RSA
Ø Protocol: Web Browser → Web Server: CLIENT HELLO.  Web Server → Web Browser: SERVER HELLO (e, N).  Web Browser → Web Server: C = RSA(K), with K a random session key; the server holds d.
Ø Session key K is 64 bits. View K ∈ {0, …, 2^64}.
Ø Eavesdropper sees: C = K^e (mod N).
Ø Suppose K = K1 · K2 where K1, K2 < 2^34 (prob. 20%).
  Then: C / K1^e = K2^e (mod N).
Ø Build table: C/1^e, C/2^e, C/3^e, …, C/(2^34)^e.  Time: 2^34.
Ø For K2 = 0, …, 2^34 test if K2^e is in the table.  Time: 2^34 · 34 (each lookup costs about 34 comparisons).
Ø Attack time: 2^40 ≪ 2^64.
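The meet-in-the-middle attack on this slide, as an added example that is not part of the original deck. The key pair is a constructed toy (Mersenne primes, so N is certainly a product of two primes, and only N and e are used), and the session key is 24 bits rather than 64 so that the two 2^13-entry phases finish in well under a second; the "20%" figure on the slide refers to 64-bit keys and is not claimed for this size. Requires Python 3.8+ for `pow(x, -1, N)`.

```python
# Added example (not from the slides): meet-in-the-middle attack on a short
# session key encrypted with textbook RSA. Constructed demo key; attacker only
# needs (N, e) and the ciphertext C = K^e mod N.

P = 2**61 - 1                  # constructed demo primes (not a real-world key)
Q = 2**89 - 1
N = P * Q
E = 65537

KEY_BITS = 24                  # slide: 64-bit K, halves < 2^34; here 24-bit K, halves < 2^13
HALF_BITS = KEY_BITS // 2 + 1  # attack succeeds when K = K1*K2 with K1, K2 < 2^HALF_BITS


def textbook_encrypt(k: int) -> int:
    """What the eavesdropper sees: C = K^e mod N, no padding, no randomness."""
    return pow(k, E, N)


def mitm_recover(c: int, half_bits: int = HALF_BITS):
    """Recover K from C = K^e mod N when K splits as K1*K2 with both factors small.

    Table phase:  C / K1^e mod N for every candidate K1  (2^half_bits modexps).
    Search phase: look up K2^e mod N in that table        (2^half_bits modexps).
    Returns K, or None if K has no such split (the attack then simply fails).
    """
    bound = 1 << half_bits
    # C * (K1^e)^-1 mod N -> K1.  Any hit K2^e == C * (K1^e)^-1 means (K1*K2)^e == C,
    # i.e. K1*K2 == K, because x -> x^e is injective on Z_N^*.
    table = {c * pow(pow(k1, E, N), -1, N) % N: k1 for k1 in range(1, bound)}
    for k2 in range(1, bound):
        k1 = table.get(pow(k2, E, N))
        if k1 is not None:
            return k1 * k2
    return None


if __name__ == "__main__":
    key = 3001 * 5003                      # constructed K that does split into small factors
    print(mitm_recover(textbook_encrypt(key)) == key)
    print(mitm_recover(textbook_encrypt(2 * 8209)))   # 8209 is prime and > 2^13: no split, None
```

The cost is two tables of 2^13 modular exponentiations instead of a 2^24 brute force; scaled to the slide's parameters that is the 2^40 versus 2^64 gap. Randomised padding (the following slides) removes the attack because the attacker no longer knows the plaintext is a small product.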
Common RSA encryption
Ø Never use textbook RSA in practice:
  msg → Preprocessing → RSA → ciphertext
Ø Main question:
  • How should the preprocessing be done?
  • Can we argue about security of the resulting system?
PKCS1 v1.5
Ø PKCS1 mode 2 (encryption): the 1024-bit block is laid out as
  00 02 | random non-zero pad | 00 | msg
  (16-bit header "00 02"; per the standard the pad bytes are non-zero and a zero byte separates pad from message, which is how the decryptor finds the message).
Ø Resulting value is RSA encrypted.
Ø Widely deployed in web servers and browsers.
Ø No security analysis!!
Attack on PKCS1
Ø Bleichenbacher '98. Chosen-ciphertext attack.
Ø PKCS1 used in SSL: the attacker sends a ciphertext C to the web server, which decrypts with d and asks "is this PKCS1?", i.e. are the 16 MSBs equal to 02? Yes: continue. No: error.
  ⇒ Attacker can test if the 16 MSBs of the plaintext = '02'.
Ø Attack: to decrypt a given ciphertext C do:
  • Pick r ∈ Z_N. Compute C' = r^e · C = (r · PKCS1(M))^e (mod N).
  • Send C' to the web server and use the response.
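The padding layout from the PKCS1 v1.5 slide and the oracle attack from this slide, carried through as an added example that is not part of the original deck. The key is a constructed toy (Mersenne primes, about 150-bit modulus) so that the roughly 2^14 queries of the first phase finish in a few seconds; the oracle answers exactly the slide's question (are the 16 MSBs of the decrypted block 00 02?), and every query is the slide's C' = r^e · C with r = s. The interval-narrowing steps follow Bleichenbacher's 1998 paper; since C itself is a valid ciphertext, the blinding step is skipped (s0 = 1). Requires Python 3.8+.

```python
# Added example (not from the slides): Bleichenbacher '98 against a constructed
# PKCS#1 v1.5 padding oracle. Toy key; do not reuse these parameters.
import os

P = 2**61 - 1                      # constructed demo primes
Q = 2**89 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8      # modulus length in bytes (19 here)
B = 1 << (8 * (K - 2))             # conforming plaintexts are exactly those in [2B, 3B)


def pkcs1_v15_pad(msg: bytes) -> int:
    """PKCS#1 v1.5 block type 2: 00 02 || >= 8 random non-zero bytes || 00 || msg."""
    pad_len = K - 3 - len(msg)
    if pad_len < 8:
        raise ValueError("message too long for this modulus")
    pad = b""
    while len(pad) < pad_len:
        pad += bytes(b for b in os.urandom(pad_len - len(pad)) if b != 0)
    return int.from_bytes(b"\x00\x02" + pad + b"\x00" + msg, "big")


def padding_oracle(c: int) -> bool:
    """The server's leak: decrypt, report only whether the block starts with 00 02."""
    return 2 * B <= pow(c, D, N) < 3 * B


def ceil_div(a: int, b: int) -> int:
    return -(-a // b)


def narrow(intervals, s):
    """Step 3: intersect each [a, b] with the constraint m*s mod N in [2B, 3B)."""
    out = []
    for a, b in intervals:
        for r in range(ceil_div(a * s - 3 * B + 1, N), (b * s - 2 * B) // N + 1):
            lo = max(a, ceil_div(2 * B + r * N, s))
            hi = min(b, (3 * B - 1 + r * N) // s)
            if lo <= hi:
                out.append((lo, hi))
    out.sort()
    merged = []
    for lo, hi in out:                      # merge overlapping/adjacent intervals
        if merged and lo <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], hi))
        else:
            merged.append((lo, hi))
    return merged


def bleichenbacher(c0: int) -> int:
    """Return the padded plaintext of c0 using nothing but padding_oracle."""
    def conforming(s):                      # the slide's C' = r^e * C, with r = s
        return padding_oracle(c0 * pow(s, E, N) % N)

    intervals = [(2 * B, 3 * B - 1)]        # c0 is valid, so m already lies here
    s = ceil_div(N, 3 * B)                  # step 2a: smallest s that can wrap past N
    while not conforming(s):
        s += 1
    while True:
        intervals = narrow(intervals, s)
        if len(intervals) == 1 and intervals[0][0] == intervals[0][1]:
            return intervals[0][0]          # step 4: one candidate left
        if len(intervals) > 1:              # step 2b: several intervals, keep stepping s
            s += 1
            while not conforming(s):
                s += 1
        else:                               # step 2c: one interval, jump to larger s
            a, b = intervals[0]
            r = ceil_div(2 * (b * s - 2 * B), N)
            s = None
            while s is None:
                lo, hi = ceil_div(2 * B + r * N, b), (3 * B - 1 + r * N) // a
                s = next((t for t in range(lo, hi + 1) if conforming(t)), None)
                r += 1


def unpad(block: int) -> bytes:
    em = block.to_bytes(K, "big")
    assert em[:2] == b"\x00\x02"
    return em[em.index(b"\x00", 2) + 1:]


def demo(msg: bytes) -> bytes:
    """Encrypt msg under the toy key, then recover it through the oracle alone."""
    c0 = pow(pkcs1_v15_pad(msg), E, N)
    return unpad(bleichenbacher(c0))


if __name__ == "__main__":
    print(demo(b"secret"))
```

The oracle never reveals d; it only confirms or denies that r·M has a 00 02 prefix, and each confirmation shrinks the set of possible M. A real deployment would see this as a burst of malformed ClientKeyExchange messages, which is the signal to alert on; the countermeasure on the decrypting side is to behave identically whether or not the padding parses.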
Chosen ciphertext security (CCS)
Ø No efficient attacker can win the following game (with non-negligible advantage):
  • Attacker → Challenger: M0, M1.
  • Challenger picks b ←R {0, 1} and returns the challenge C = E(M_b).
  • Throughout, the attacker has access to a decryption oracle (on any ciphertext other than the challenge C).
  • Attacker outputs b' ∈ {0, 1}. Attacker wins if b = b'.
PKCS1 v2.0 - OAEP
Ø New preprocessing function: OAEP (BR '94).
  Plaintext to encrypt: M | 01 | 00…0, together with a random value rand.
  X = (M | 01 | 00…0) ⊕ G(rand),  Y = rand ⊕ H(X);  X | Y ∈ {0,1}^{n-1} is encrypted with RSA.
Ø Check pad on decryption. Reject CT if invalid.
Ø Thm: RSA is a trap-door permutation ⇒ RSA-OAEP is CCS when H, G are "random oracles".
Ø In practice: use SHA-1 or MD5 for H and G.
OAEP Improvements
Ø OAEP+ (Shoup '01): for any trap-door permutation F, F-OAEP+ is CCS when H, G, W are "random oracles".
  Layout: (M | W(M, R)) ⊕ G(R),  R ⊕ H(·).
Ø SAEP+ (B '01): for the RSA trap-door permutation, RSA-SAEP+ is CCS when H, W are "random oracles".
  Layout: (M | W(M, R)) ⊕ H(R),  R.
Subtleties in implementing OAEP [M '00]
  OAEP-decrypt(C) {
    error = 0;
    if ( RSA^{-1}(C) > 2^{n-1} )
      { error = 1; goto exit; }
    if ( pad(OAEP^{-1}(RSA^{-1}(C))) != "01000" )
      { error = 1; goto exit; }
    …
  }
Ø Problem: timing information leaks the type of error. Attacker can decrypt any ciphertext C.
Ø Lesson: Don't implement RSA-OAEP yourself …
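The OAEP encoding from the PKCS1 v2.0 slide and the two-check decryption on this slide, as an added example that is not part of the original deck. G and H are instantiated with SHA-1 through MGF1 (the slide's "use SHA-1"); the key is a constructed toy (Mersenne primes), and the range check is done at byte granularity (encoded block one byte shorter than N) rather than at exactly 2^{n-1}. `oaep_decrypt_leaky` mirrors the pseudocode's structure and reports which check failed; `oaep_decrypt` runs both checks on every input and returns one failure value. Removing the distinct error paths is the structural fix; in Python it is not a constant-time guarantee, which is the slide's point about not rolling your own. Requires Python 3.8+.

```python
# Added example (not from the slides): OAEP with SHA-1-based G and H, plus a
# leaky and a single-exit decryption routine. Constructed toy key.
import hashlib
import os

P = 2**107 - 1                 # constructed demo primes
Q = 2**127 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8  # modulus length in bytes (30 here)
HLEN = 20                      # SHA-1 output length; the random part is HLEN bytes
EM_LEN = K - 1                 # encoded block is one byte shorter than N, so it is < N
BOUND = 1 << (8 * EM_LEN)      # the slide's "2^(n-1)" range check, at byte granularity


def mgf1(seed: bytes, length: int) -> bytes:
    """Stretch a seed with SHA-1; used for both G and H."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha1(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def oaep_encode(msg: bytes, r: bytes = None) -> int:
    """Slide layout: X = (M || 01 || 00..0) xor G(r),  Y = r xor H(X); return X || Y."""
    db_len = EM_LEN - HLEN
    zeros = db_len - len(msg) - 1
    if zeros < 0:
        raise ValueError("message too long")
    r = r or os.urandom(HLEN)
    x = xor(msg + b"\x01" + b"\x00" * zeros, mgf1(r, db_len))
    y = xor(r, mgf1(x, HLEN))
    return int.from_bytes(x + y, "big")


def oaep_encrypt(msg: bytes) -> int:
    return pow(oaep_encode(msg), E, N)


def _unmask(value: int):
    """Undo OAEP on a recovered integer; returns (pad_ok, message)."""
    em = (value % BOUND).to_bytes(EM_LEN, "big")
    x, y = em[:-HLEN], em[-HLEN:]
    r = xor(y, mgf1(x, HLEN))
    db = xor(x, mgf1(r, len(x)))
    stripped = db.rstrip(b"\x00")            # drop the 00..0 tail, expect a 01 marker
    return stripped.endswith(b"\x01"), stripped[:-1]


def oaep_decrypt_leaky(c: int):
    """Same structure as the slide's pseudocode: two checks, two distinguishable exits."""
    value = pow(c, D, N)
    if value >= BOUND:                       # "RSA^-1(C) > 2^(n-1)": exits before unmasking
        return "range error"
    pad_ok, msg = _unmask(value)             # the unmasking work only happens for in-range values
    if not pad_ok:
        return "pad error"
    return msg


def oaep_decrypt(c: int):
    """Both checks always run; the caller sees one failure value either way."""
    value = pow(c, D, N)
    in_range = value < BOUND
    pad_ok, msg = _unmask(value)             # unmask even when out of range
    return msg if (in_range & pad_ok) else None
```

The leaky variant is what Manger's attack exploits: an attacker who can tell "range error" from "pad error" (by the error code or by the time the unmasking takes) has an oracle for whether RSA^{-1}(C) is below the bound, which is enough to decrypt. Production code should also reject in constant time at the arithmetic level, which this example does not attempt.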
Part II: Is RSA a One-Way Function?
Is RSA a one-way permutation?
Ø To invert the RSA one-way function (without d) the attacker must compute M from C = M^e (mod N).
Ø How hard is computing e'th roots modulo N?
Ø Best known algorithm:
  • Step 1: factor N. (hard)
  • Step 2: find e'th roots modulo p and q. (easy)
Shortcuts?
Ø Must one factor N in order to compute e'th roots? Does a shortcut exist for breaking RSA without factoring?
Ø To prove no shortcut exists, show a reduction:
  • Efficient algorithm for e'th roots mod N ⇒ efficient algorithm for factoring N.
  • Oldest problem in public key cryptography.
Ø Evidence that no reduction exists (BV '98):
  • "Algebraic" reduction ⇒ factoring is easy.
  • Unlike Diffie-Hellman (Maurer '94).
Improving RSA's performance
Ø To speed up RSA decryption C^d = M (mod N), use a small private key d.
  • Wiener '87: if d < N^0.25 then RSA is insecure.
  • BD '98: if d < N^0.292 then RSA is insecure (open: d < N^0.5).
  • Insecure: the private key d can be found from (N, e).
  • Small d should never be used.
Wiener's attack
Ø Recall: e·d = 1 (mod φ(N)) ⇒ ∃ k ∈ Z: e·d = k·φ(N) + 1.
Ø φ(N) = N − p − q + 1, so |N − φ(N)| ≤ p + q ≤ 3√N (for p, q of similar size).
Ø Divide e·d = k·φ(N) + 1 by d·φ(N):  e/φ(N) − k/d = 1/(d·φ(N)).
Ø Replace φ(N) by the public N; with d ≤ N^0.25/3 the error stays small:  |e/N − k/d| ≤ 1/(2d²).
Ø Continued fraction expansion of e/N gives k/d (any fraction this close to e/N is one of its convergents).
Ø e·d = 1 (mod k) ⇒ gcd(d, k) = 1, so k/d is already in lowest terms.
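Wiener's attack carried out on a constructed key, as an added example that is not part of the original deck. The primes are balanced (q < p < 2q, which the |N − φ(N)| ≤ 3√N step needs) and the private exponent is deliberately chosen below N^{1/4}/3; they are demo values, not a real key. The attack walks the convergents of e/N and, for each candidate k/d, checks whether φ = (ed − 1)/k is an integer and whether x² − (N − φ + 1)x + N has integer roots, which recovers p and q as well as d. Requires Python 3.8+ (`math.isqrt`, `pow(x, -1, m)`).

```python
# Added example (not from the slides): Wiener's continued-fraction attack on a
# constructed RSA key with a small private exponent.
from math import gcd, isqrt

P = 2**64 - 59           # constructed balanced demo primes (q < p < 2q)
Q = 2**63 - 25
N = P * Q
PHI = (P - 1) * (Q - 1)
D = 2**25 - 1            # small private exponent: 81 * D^4 < N, i.e. D < N^(1/4) / 3
while gcd(D, PHI) != 1:  # make sure D is invertible mod phi(N)
    D += 2
E = pow(D, -1, PHI)      # the public exponent such a user would publish


def convergents(num: int, den: int):
    """Yield the convergents h/k of the continued fraction expansion of num/den."""
    h_prev, h = 0, 1
    k_prev, k = 1, 0
    while den:
        a, rem = divmod(num, den)          # next partial quotient
        h_prev, h = h, a * h + h_prev
        k_prev, k = k, a * k + k_prev
        yield h, k
        num, den = den, rem


def wiener_attack(e: int, n: int):
    """Recover (d, p, q) from the public key alone when d < N^(1/4)/3.

    Each convergent k/d of e/N is a candidate. It is the right one when
    phi = (e*d - 1)/k is an integer and x^2 - (n - phi + 1)x + n factors over Z,
    i.e. its roots are p and q (their sum is n - phi + 1, their product is n).
    """
    for k, d in convergents(e, n):
        if k == 0 or (e * d - 1) % k:
            continue
        phi = (e * d - 1) // k
        s = n - phi + 1                    # = p + q if phi is right
        disc = s * s - 4 * n               # = (p - q)^2
        if disc < 0:
            continue
        root = isqrt(disc)
        if root * root == disc and (s + root) % 2 == 0:
            p, q = (s + root) // 2, (s - root) // 2
            if p * q == n:
                return d, p, q
    return None


if __name__ == "__main__":
    print(wiener_attack(E, N) == (D, P, Q))
```

The whole attack is a handful of big-integer divisions: there is no search, so it is instantaneous at any key size. That is why the slide's advice is absolute: choose d only as e^{-1} mod φ(N) for a normal e, never the other way round.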
RSA with low public exponent
Ø To speed up RSA encryption (and signature verification) use a small e: C = M^e (mod N).
Ø Minimal value: e = 3 (requires gcd(e, φ(N)) = 1).
Ø Recommended value: e = 65537 = 2^16 + 1.  Encryption: 17 modular multiplications.
Ø Several weak attacks. None known on RSA-OAEP.
Ø Asymmetry of RSA: fast encryption / slow decryption.
  • ElGamal: approximately the same time for both.
Implementation attacks
Ø Attack the implementation of RSA.
Ø Timing attack (Kocher '97): the time it takes to compute C^d (mod N) can expose d.
Ø Power attack (Kocher '99): the power consumption of a smartcard while it is computing C^d (mod N) can expose d.
Ø Faults attack (BDL '97): a computer error during C^d (mod N) can expose d.
  • OpenSSL defense: check output. 5% slowdown.
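The fault attack and the "check output" defense from this slide, as an added example that is not part of the original deck. RSA signing is normally done with the Chinese Remainder Theorem (one exponentiation mod p, one mod q, then recombination); if a fault corrupts only the mod-q half, the faulty signature S' is still correct mod p, so S'^e − M is divisible by p but not by q and gcd(S'^e − M, N) yields p. The key is a constructed toy (Mersenne primes) and the "fault" is simulated by flipping bits of the mod-q result; `checked_sign` is the defense the slide attributes to OpenSSL, written here from its description. Requires Python 3.8+.

```python
# Added example (not from the slides): fault attack on CRT-RSA signing and the
# verify-before-release defense. Constructed toy key.
from math import gcd

P = 2**61 - 1                          # constructed demo primes
Q = 2**89 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
DP, DQ = D % (P - 1), D % (Q - 1)      # CRT exponents
QINV = pow(Q, -1, P)                   # recombination constant q^-1 mod p

# constructed sample "message hash" to sign, reduced into Z_N
MESSAGE = int.from_bytes(b"constructed message hash", "big") % N


def crt_sign(m: int, fault_mask: int = 0) -> int:
    """m^d mod N via CRT; fault_mask simulates a glitch that corrupts the mod-q half only."""
    sp = pow(m, DP, P)
    sq = pow(m, DQ, Q) ^ fault_mask    # a single flipped bit is enough for the attack
    h = (QINV * (sp - sq)) % P
    return sq + h * Q                  # congruent to sp mod P and to sq mod Q


def recover_factor(m: int, faulty_sig: int) -> int:
    """One faulty signature on a known message gives a prime factor of N:
    S'^e == m (mod p) still holds but fails (mod q), so gcd(S'^e - m, N) == p."""
    return gcd(pow(faulty_sig, E, N) - m, N)


def checked_sign(m: int, fault_mask: int = 0):
    """The slide's defense: verify with the public key before releasing the signature.
    Costs one extra exponentiation with the small public exponent; a corrupted
    signature is withheld, so the attacker never obtains S'."""
    s = crt_sign(m, fault_mask)
    if pow(s, E, N) != m:
        return None
    return s


if __name__ == "__main__":
    good = crt_sign(MESSAGE)
    bad = crt_sign(MESSAGE, fault_mask=1)
    print(recover_factor(MESSAGE, bad) == P)
    print(checked_sign(MESSAGE, fault_mask=1) is None)
```

Note that the check needs the original message m, which the signer has, and that it must itself be fault-resistant (an attacker who can skip the comparison defeats it); hardware tokens typically combine the check with redundant computation.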
Key lengths
Ø Security of a public key system should be comparable to the security of a block cipher. NIST:
    Cipher key-size:  64 bits    80 bits     128 bits (AES)   256 bits (AES)
    Modulus size:     512 bits   1024 bits   3072 bits        15360 bits
Ø High security ⇒ very large moduli. Not necessary with Elliptic Curve Cryptography.