Presentation is loading. Please wait.

Presentation is loading. Please wait.

Attacks on Digital Signature Algorithm: RSA

Similar presentations

Presentation on theme: "Attacks on Digital Signature Algorithm: RSA"— Presentation transcript:

1 Attacks on Digital Signature Algorithm: RSA
John Nguyen

2 RSA as a Digital Signature Algorithm
The need for digital signature: online banking, routable forms… Requirement: something uniquely identify oneself, and people can verify that unique identification. RSA is a public key cryptography which offers that need. Private key to sign the message. Public key to verify the signature.

3 RSA A public key algorithm Easy to understand and implement
Popular, used by numerous companies such as Motorola and Adobe in its Acrobat product. De facto standard in much of the world.

4 RSA Algorithm Choose 2 large prime numbers p and q
Then compute: n = pq Choose e such that e and (p-1)(q-1) are relatively prime. key d can be computed by using extended Euclidean algorithm: ed ≡ 1 mod (p-1)(q-1)

5 RSA Encrytion Public key: n and e Private key: d Encrypting:
c = me mod n Decrypting: m = cd mod n Digital signature: c = md mod n (signing) m = ce mod n (verification)

6 Proof cd = (me)d (mod n) = med = mk(p-1)(q-1) + 1 = mmk(p-1)(q-1)
mk(p-1)(q-1) = mk(n) = m* 1 (Euler’s generalization of Fermat’s little theorem)

7 Security of RSA Factoring n is the most obvious attack.
Difficult Factoring techonology: best 129-decimal-digital modulus N must be larger than that to be secure Guessing value of (p-1)(q-1), but the difficulty is the same as factoring n Common attacks against RSA’s implementation: attack against the protocol, not the basic algorithm.

8 Chosen Cipher Attack against RSA
Eve: attacker, Alice: user Eve got c encrypted by Alice’s public key. Eve wants to read plaintext m from c. Mathematically, Eve needs d: m = cd, but Eve does not know d. Eve decided to figure out m without first knowing exactly what d is.

9 Chosen Ciphertext attack…
Eve chooses a random number r (r < n), then compute: x = re mod n y = xc mod n t = r-1 mod n Eve gets Alice to sign y with her private key, therefore decrypting y. Alice sends Eve: u = yd mod n Eve computes, and get m: tu mod n = r-1yd mod n = r-1xdcd mod n = cd mod n = m

10 Prevent against this chosen ciphertext attack
Signing and encrypting (& decrypting) are 2 different things. They can be done separately. 1 set of keys for signing and verification. 1 set of keys for decrypting and encrypting. Sign on a one-way hash of message, not the message. Signing will not decrypt the message, so Eve can not figure out m

11 Attack on Encrypting and Signing with RSA
Alice sends a message m to Bob She encrypts m with Bob public key, then signs with her private key: (meB mod nB)dA mod nA Bob can claim that Alice sent him m’, not m. He can find x, such that: m’x = m mod n If he can publish xeB replace old eB

12 To prevent this attack…
Assign each user fixed keys Usually be done by third party: VeriSign… Moreover, common good practice: sign first, encrypt later.

Download ppt "Attacks on Digital Signature Algorithm: RSA"

Similar presentations

Ads by Google