# Attacks on Digital Signature Algorithm: RSA

## Presentation on theme: "Attacks on Digital Signature Algorithm: RSA"— Presentation transcript:

Attacks on Digital Signature Algorithm: RSA
John Nguyen

RSA as a Digital Signature Algorithm
The need for digital signature: online banking, routable forms… Requirement: something uniquely identify oneself, and people can verify that unique identification. RSA is a public key cryptography which offers that need. Private key to sign the message. Public key to verify the signature.

RSA A public key algorithm Easy to understand and implement
Popular, used by numerous companies such as Motorola and Adobe in its Acrobat product. De facto standard in much of the world.

RSA Algorithm Choose 2 large prime numbers p and q
Then compute: n = pq Choose e such that e and (p-1)(q-1) are relatively prime. key d can be computed by using extended Euclidean algorithm: ed ≡ 1 mod (p-1)(q-1)

RSA Encrytion Public key: n and e Private key: d Encrypting:
c = me mod n Decrypting: m = cd mod n Digital signature: c = md mod n (signing) m = ce mod n (verification)

Proof cd = (me)d (mod n) = med = mk(p-1)(q-1) + 1 = mmk(p-1)(q-1)
mk(p-1)(q-1) = mk(n) = m* 1 (Euler’s generalization of Fermat’s little theorem)

Security of RSA Factoring n is the most obvious attack.
Difficult Factoring techonology: best 129-decimal-digital modulus N must be larger than that to be secure Guessing value of (p-1)(q-1), but the difficulty is the same as factoring n Common attacks against RSA’s implementation: attack against the protocol, not the basic algorithm.

Chosen Cipher Attack against RSA
Eve: attacker, Alice: user Eve got c encrypted by Alice’s public key. Eve wants to read plaintext m from c. Mathematically, Eve needs d: m = cd, but Eve does not know d. Eve decided to figure out m without first knowing exactly what d is.

Chosen Ciphertext attack…
Eve chooses a random number r (r < n), then compute: x = re mod n y = xc mod n t = r-1 mod n Eve gets Alice to sign y with her private key, therefore decrypting y. Alice sends Eve: u = yd mod n Eve computes, and get m: tu mod n = r-1yd mod n = r-1xdcd mod n = cd mod n = m

Prevent against this chosen ciphertext attack
Signing and encrypting (& decrypting) are 2 different things. They can be done separately. 1 set of keys for signing and verification. 1 set of keys for decrypting and encrypting. Sign on a one-way hash of message, not the message. Signing will not decrypt the message, so Eve can not figure out m

Attack on Encrypting and Signing with RSA
Alice sends a message m to Bob She encrypts m with Bob public key, then signs with her private key: (meB mod nB)dA mod nA Bob can claim that Alice sent him m’, not m. He can find x, such that: m’x = m mod n If he can publish xeB replace old eB

To prevent this attack…
Assign each user fixed keys Usually be done by third party: VeriSign… Moreover, common good practice: sign first, encrypt later.