Attacks on the RSA Algorithm
Posted on 23-Feb-2016
Public Key Encryption and the RSA Public Key Algorithm
CSCI 5857: Encoding and Encryption
Outline
• Short message attacks
– Generating all possible messages with the public key
• Timing attacks
– Guessing private key based on decryption run time
– Apply to many encryption algorithms
Mathematical Attacks
• Based on finding fast ways to solve underlying mathematics
– Factorization
– Discrete Logarithms
– Unsolved at this point
• Recommendations:
– Large p and q (at least 1024 bits)
– Don’t reuse same n too many times
– Large E (at least 2^16 + 1)
Short Message Attacks
• Typical use of public key algorithm: encrypting short messages
– Symmetric keys (used then to send rest of message)
– Social security numbers, etc.
• Idea:
– Adversary acquires public key E, n
– Uses them to encrypt all possible messages that may be sent (plausible if messages are short enough!) and stores them in a table
– Intercepts encrypted message C and searches for a match in the table
• Adversary can recover plaintext without decryption key!
Short Message Attack
• Example: Darth knows that Bob will use Alice’s public key to send her a Social Security Number (9 digits)
• Darth finds Alice’s public key KPU
Short Message Attack
• Darth uses Alice’s public key KPU to encrypt all possible Social Security Numbers (only a billion)

SSN           Encrypted with Alice’s KPU
000-00-0000   jk34jk234n
…             …
298-76-8466   98nnsap43
298-76-8467   j290u9kjwn
298-76-8468   lkmqwe844
…             …
999-99-9999   Jbn29q004s
Short Message Attack
• Darth intercepts Bob’s SSN encrypted with Alice’s public key
• Searches for a match in the table of encrypted values
• The intercepted message j290u9kjwn matches the encrypted value stored for 298-76-8467, so this must be the corresponding plaintext value
Short Message Attacks
• Solution: Pad message to M bits
– M large enough so adversary can’t generate all 2^M possible messages
– Can’t just add fixed extra bits to the end – encryption stays deterministic, so the table attack still works
• Optimal Asymmetric Encryption Padding (OAEP)
– Additional bits used as a “mask” to conceal plaintext
• Mask generated randomly
• Mask data sent as part of encrypted message for decryption
– Based on cryptographic hash (more later)
Optimal Asymmetric Encryption Padding
Encryption:
• Message padded to m bits
• Random bits r mask the padded message
– r run through hash function G
– Result XOR’d with padded message to give P1
• Masked message masks the random bits
– Masked message P1 run through hash function H
– Result XOR’d with random bits r to give P2
• Masked message and masked random bits (P1 and P2) encrypted and sent
• Key: One-way hash functions make it impossible to recover r from P2
Optimal Asymmetric Encryption Padding
Decryption:
• Ciphertext decrypted to get masked message and masked random bits (P1 and P2)
• Masked message P1 run through hash function H and XOR’d with P2 to recover r
• r run through hash function G and XOR’d with P1 to recover original padded plaintext
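The following is an added example, not code from the lecture slides: it puts the short-message table attack and the OAEP encryption/decryption steps above side by side on a toy RSA key. The key (two Mersenne primes, 92-bit modulus), the hash functions G and H (SHA-256 with a domain tag, truncated), the block sizes, and the 10,000-candidate SSN range are all constructed for illustration; a real system uses a 2048-bit key and standardised OAEP parameters.

```python
import hashlib
import secrets

# Toy RSA key, constructed for this example only. Two Mersenne primes give a 92-bit
# modulus: far too small for real use, but large enough to hold the 80-bit OAEP block below.
P_TOY = (1 << 31) - 1
Q_TOY = (1 << 61) - 1
N = P_TOY * Q_TOY
E = 65537                                   # the 2^16 + 1 recommended on the slides
D = pow(E, -1, (P_TOY - 1) * (Q_TOY - 1))

MSG_LEN = 4   # bytes of real plaintext: a 9-digit SSN fits in 32 bits
PAD_LEN = 2   # k1 zero bytes appended to the message before masking
R_LEN = 4     # k0 bytes of the random value r


def rsa_encrypt(m: int) -> int:
    """Textbook RSA: C = M^E mod n. Deterministic, which is the whole problem."""
    return pow(m, E, N)


def rsa_decrypt(c: int) -> int:
    """P = C^D mod n."""
    return pow(c, D, N)


def g_mask(r: bytes) -> bytes:
    """Hash function G from the slides: hash of r, truncated to the padded-message length."""
    return hashlib.sha256(b"G" + r).digest()[:MSG_LEN + PAD_LEN]


def h_mask(p1: bytes) -> bytes:
    """Hash function H from the slides: hash of the masked message, truncated to len(r)."""
    return hashlib.sha256(b"H" + p1).digest()[:R_LEN]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def oaep_pad(msg: bytes, r: bytes = None) -> bytes:
    """Encryption side: P1 = (msg || 0^k1) XOR G(r), P2 = r XOR H(P1); returns P1 || P2."""
    assert len(msg) == MSG_LEN
    r = secrets.token_bytes(R_LEN) if r is None else r      # fresh random r each time
    padded = msg + bytes(PAD_LEN)
    p1 = xor(padded, g_mask(r))
    p2 = xor(r, h_mask(p1))
    return p1 + p2


def oaep_unpad(block: bytes) -> bytes:
    """Decryption side: recover r = P2 XOR H(P1), then padded message = P1 XOR G(r)."""
    p1, p2 = block[:MSG_LEN + PAD_LEN], block[MSG_LEN + PAD_LEN:]
    r = xor(p2, h_mask(p1))
    padded = xor(p1, g_mask(r))
    if padded[MSG_LEN:] != bytes(PAD_LEN):                   # the k1 zero bytes must survive
        raise ValueError("bad OAEP padding")
    return padded[:MSG_LEN]


def encrypt_oaep(ssn: int) -> int:
    block = oaep_pad(ssn.to_bytes(MSG_LEN, "big"))
    return rsa_encrypt(int.from_bytes(block, "big"))         # 80-bit block < 92-bit n


def decrypt_oaep(c: int) -> int:
    block = rsa_decrypt(c).to_bytes(MSG_LEN + PAD_LEN + R_LEN, "big")
    return int.from_bytes(oaep_unpad(block), "big")


def build_table(candidates) -> dict:
    """Darth's precomputed table: textbook ciphertext -> candidate plaintext."""
    return {rsa_encrypt(m): m for m in candidates}


def short_message_attack_demo(ssn: int = 298768467,
                              candidates=range(298760000, 298770000)):
    """Constructed demo: 10,000 candidate SSNs instead of a billion, so it runs instantly.
    Returns (table hit on textbook RSA, table hit on OAEP RSA, legitimate OAEP decryption)."""
    table = build_table(candidates)
    hit_textbook = table.get(rsa_encrypt(ssn))   # deterministic: the match is found
    c = encrypt_oaep(ssn)
    hit_oaep = table.get(c)                      # randomised padding: nothing matches
    return hit_textbook, hit_oaep, decrypt_oaep(c)


if __name__ == "__main__":
    print(short_message_attack_demo())           # (298768467, None, 298768467)
```

The demo returns the SSN for the textbook lookup and `None` for the OAEP lookup while Alice still decrypts correctly: the random r changes the RSA input on every encryption, so no table keyed on plaintexts can be built, which is exactly the property the slide's "mask generated randomly" bullet is after.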
Timing Attacks
• Encryption/decryption times may not be constant for all algorithms
• Times may be a function of:
– Plaintext, Ciphertext
– Keys
• Adversary can observe timing in different ways
– Overall time
– Processor cycles
– Power consumption…
Timing Attacks on RSA
• Fast exponentiation algorithm used for decryption to compute C^D mod n:

    result = 1
    for (i = 0 to number of bits in D - 1) {
        if (ith bit of D = 1)
            result = (result * C) mod n
        C = C^2 mod n
    }

• Speed of decryption depends on number of 1’s in D
– Each 1 requires an additional multiplication operation
– Each 0 skips that step
Timing Attacks on RSA
• If adversary knows the following:
– Ciphertext C
• Can compute how long it takes to multiply ciphertext and compute mods
• That is, how long a 1 or a 0 takes to decrypt
– Total time decryption takes
• Can be observed
• They could compute number of 1’s in private D
• Given enough known plaintexts, can reliably guess D completely
Timing Attacks on RSA
• Darth infiltrates organization
– Requests secure data from database
– Observes ciphertext
– Times processor cycles required by decryption
– Guesses properties of key
(Figure: ciphertext C enters fast exponentiation, plaintext P comes out)
Timing Attack Solutions
• “Pad” algorithm so all decryptions take the same time:

    for (i = 0 to number of bits in D - 1) {
        if (ith bit of D = 1)
            result = (result * C) mod n
        else
            garbageVariable = (result * C) mod n
        C = C^2 mod n
    }

• Remove adversary’s ability to know the C used in the fast exponentiation (blinding)
– Compute fast exponentiation on a value other than C
– Use that value to recover the plaintext
– Used by commercial versions of RSA
Blinding Timing Attacks
• Algorithm:
– Select random r < modulus n
– Compute C1 = (C · r^E) mod n
– Compute P1 = C1^D mod n = (C · r^E)^D mod n = ((C^D mod n) · (r^(ED) mod n)) mod n = (P · r) mod n
  (fast exponentiation is performed on a value unknown to the adversary)
– Compute P = (P1 · r^(-1)) mod n
  (factors out the original r)
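An added example (not from the slides) that makes the timing leak and both countermeasures concrete. It uses the classic textbook toy key p = 61, q = 53, e = 17 (constructed here; useless for real encryption) and counts modular multiplications as a stand-in for decryption time: the naive loop from the slides does one extra multiply per 1 bit of D, the "padded" loop does the same work on every iteration, and blinding exponentiates C · r^E instead of C and strips r afterwards.

```python
import math
import secrets

# Toy RSA key, constructed for illustration (the textbook p = 61, q = 53 example).
N, E = 61 * 53, 17
D = pow(E, -1, 60 * 52)        # 2753 = 0b101011000001, five 1 bits in twelve


def modexp_naive(c: int, d: int, n: int):
    """Right-to-left square-and-multiply exactly as on the slide.
    Returns (result, multiplies, squarings). The multiply count equals the number of
    1 bits in d, so an adversary who can time this loop learns the weight of D."""
    result, mults, squares = 1, 0, 0
    for i in range(d.bit_length()):
        if (d >> i) & 1:
            result = (result * c) % n
            mults += 1
        c = (c * c) % n
        squares += 1
    return result, mults, squares


def modexp_padded(c: int, d: int, n: int):
    """Same loop, but the 0-bit branch does a dummy multiply into garbageVariable so
    every iteration costs one multiply and one squaring whatever the key bit is.
    (A real constant-time implementation also removes the branch itself; the slide's
    version only equalises the arithmetic.)"""
    result, garbage, mults, squares = 1, 1, 0, 0
    for i in range(d.bit_length()):
        if (d >> i) & 1:
            result = (result * c) % n
        else:
            garbage = (result * c) % n   # discarded, but costs the same as the real one
        mults += 1
        c = (c * c) % n
        squares += 1
    return result, mults, squares


def decrypt_blinded(c: int, d: int, e: int, n: int, r: int = None) -> int:
    """Blinding from the slide: C1 = C * r^E mod n, P1 = C1^D mod n = P * r mod n,
    P = P1 * r^-1 mod n. The exponentiation runs on C1, which the adversary never sees."""
    if r is None:
        while True:                       # random r < n, invertible mod n
            r = secrets.randbelow(n - 2) + 2
            if math.gcd(r, n) == 1:
                break
    c1 = (c * pow(r, e, n)) % n
    p1, _, _ = modexp_naive(c1, d, n)     # the leaky loop is fine once its input is hidden
    return (p1 * pow(r, -1, n)) % n


def timing_profile(d: int = D, n: int = N, c: int = 2790) -> dict:
    """Compare what each implementation 'leaks': the naive multiply count tracks the
    Hamming weight of d, the padded count only its bit length. c = 2790 is the
    textbook ciphertext of 65 under this key."""
    _, naive_mults, _ = modexp_naive(c, d, n)
    _, padded_mults, _ = modexp_padded(c, d, n)
    return {"ones_in_d": bin(d).count("1"), "bits_in_d": d.bit_length(),
            "naive_mults": naive_mults, "padded_mults": padded_mults}


if __name__ == "__main__":
    print(timing_profile())                          # naive_mults == ones_in_d (5)
    print(decrypt_blinded(2790, D, E, N))            # 65
```

Run it and the naive profile reports five multiplies for a D with five 1 bits, while the padded loop reports twelve for any twelve-bit exponent; the blinded decryption returns the same plaintext as the plain one, which is the point of the (P · r) · r^(-1) step on the slide.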
Timing Attacks
• Based on implementation of algorithm, not underlying mathematics
• Any cryptosystem that has a component that takes different time for different keys may be vulnerable
• Current research: AES
– MixColumns stage uses matrix multiplication
– More 0’s in state means faster matrix multiplication
– May be able to recover intermediate states based on run time