Presentation on theme: "Attacks on Digital Signature Algorithm: RSA"— Presentation transcript:
1 Attacks on Digital Signature Algorithm: RSA John Nguyen
2 RSA as a Digital Signature Algorithm
- The need for digital signatures: online banking, routable forms…
- Requirement: something that uniquely identifies oneself, and that other people can verify.
- RSA is a public-key cryptosystem that meets that need.
- The private key is used to sign the message.
- The public key is used to verify the signature.
3 RSA
- A public key algorithm
- Easy to understand and implement
- Popular, used by numerous companies such as Motorola and Adobe in its Acrobat product.
- De facto standard in much of the world.
4 RSA Algorithm
- Choose 2 large prime numbers $p$ and $q$.
- Then compute: $n = pq$
- Choose $e$ such that $e$ and $(p-1)(q-1)$ are relatively prime.
- The key $d$ can be computed by using the extended Euclidean algorithm: $ed \equiv 1 \pmod{(p-1)(q-1)}$
5 RSA Encryption
- Public key: $n$ and $e$
- Private key: $d$
- Encrypting: $c = m^e \bmod n$
- Decrypting: $m = c^d \bmod n$
- Digital signature: $c = m^d \bmod n$ (signing), $m = c^e \bmod n$ (verification)
6 Proof
$c^d = (m^e)^d \pmod n = m^{ed} = m^{k(p-1)(q-1)+1} = m \cdot m^{k(p-1)(q-1)}$
$m^{k(p-1)(q-1)} = m^{k\varphi(n)}$, so the result is $m \cdot 1 = m$ (Euler's generalization of Fermat's little theorem)
7 Security of RSA
- Factoring $n$ is the most obvious attack. It is difficult.
- Factoring technology: the best result is a 129-decimal-digit modulus.
- $n$ must be larger than that to be secure.
- Guessing the value of $(p-1)(q-1)$ is another approach, but the difficulty is the same as factoring $n$.
- Common attacks against RSA target its implementation: they attack the protocol, not the basic algorithm.
8 Chosen Ciphertext Attack against RSA
- Eve: attacker, Alice: user
- Eve has obtained $c$, encrypted with Alice's public key. Eve wants to read the plaintext $m$ from $c$.
- Mathematically, Eve needs $d$: $m = c^d$, but Eve does not know $d$.
- Eve decides to figure out $m$ without first knowing exactly what $d$ is.
9 Chosen Ciphertext attack…
- Eve chooses a random number $r$ ($r < n$), then computes:
  $x = r^e \bmod n$
  $y = xc \bmod n$
  $t = r^{-1} \bmod n$
- Eve gets Alice to sign $y$ with her private key, thereby decrypting $y$.
- Alice sends Eve: $u = y^d \bmod n$
- Eve computes, and gets $m$:
  $tu \bmod n = r^{-1} y^d \bmod n = r^{-1} x^d c^d \bmod n = c^d \bmod n = m$
10 Preventing this chosen ciphertext attack
- Signing and encrypting (and decrypting) are 2 different things.
- They can be done separately.
- 1 set of keys for signing and verification.
- 1 set of keys for decrypting and encrypting.
- Sign a one-way hash of the message, not the message itself.
- Signing will then not decrypt the message, so Eve cannot figure out $m$.
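The exchange on slides 8 and 9 next to the hash-before-signing fix from slide 10, as an added Python example that is not part of the presentation. The toy key (built from the Mersenne primes 2^61-1 and 2^89-1), the plaintext, the value of r and all function names are assumptions made for illustration.

```python
import hashlib

# Constructed toy key (assumption, not from the slides): two known Mersenne
# primes. Far too small for real use; it only makes the arithmetic visible.
p, q, e = 2**61 - 1, 2**89 - 1, 65537
n = p * q
d = pow(e, -1, (p - 1) * (q - 1))      # ed ≡ 1 mod (p-1)(q-1)

def encrypt(m):
    """Textbook RSA encryption: c = m^e mod n."""
    return pow(m, e, n)

def sign_raw(y):
    """Weak signer from slide 9: signs whatever integer it is given."""
    return pow(y, d, n)                # u = y^d mod n, i.e. a decryption

def _digest(y):
    data = y.to_bytes((n.bit_length() + 7) // 8, "big")
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign_hashed(y):
    """Signer from slide 10: signs a one-way hash of the message."""
    return pow(_digest(y), d, n)

def verify_hashed(y, sig):
    return pow(sig, e, n) == _digest(y)

def blinded_request(c, r, signer):
    """Eve's side of slide 9: returns (y, u, t*u mod n)."""
    x = pow(r, e, n)                   # x = r^e mod n
    y = (x * c) % n                    # y = xc mod n
    t = pow(r, -1, n)                  # t = r^-1 mod n
    u = signer(y)
    return y, u, (t * u) % n

def demo():
    m = int.from_bytes(b"wire $500", "big")   # constructed plaintext, m < n
    c, r = encrypt(m), 123456789              # constructed blinding value r
    _, _, leaked = blinded_request(c, r, sign_raw)
    y, u, blocked = blinded_request(c, r, sign_hashed)
    return m, leaked, blocked, verify_hashed(y, u)

if __name__ == "__main__":
    m, leaked, blocked, ok = demo()
    print("raw signer leaks m:   ", leaked == m)
    print("hashed signer leaks m:", blocked == m, "| signature valid:", ok)
```

The hashed signature still verifies, but it no longer acts as a decryption of y. The unpadded hash here is a simplification; deployed systems use a standard padded scheme such as RSASSA-PSS.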
11 Attack on Encrypting and Signing with RSA
- Alice sends a message $m$ to Bob.
- She encrypts $m$ with Bob's public key, then signs with her private key: $(m^{e_B} \bmod n_B)^{d_A} \bmod n_A$
- Bob can claim that Alice sent him $m'$, not $m$.
- He can find $x$ such that: $m'^x = m \bmod n$
- If he can publish $x e_B$ to replace the old $e_B$
12 To prevent this attack…
- Assign each user fixed keys.
- This is usually done by a third party: VeriSign…
- Moreover, a common good practice: sign first, encrypt later.