Presentation is loading. Please wait.

Presentation is loading. Please wait.

Rennes, 02/10/2014 Cristina Onete Attacks on RSA. Safe modes.

Published bySabrina Hines Modified over 8 years ago

Similar presentations

Presentation on theme: "Rennes, 02/10/2014 Cristina Onete Attacks on RSA. Safe modes."— Presentation transcript:

1 Rennes, 02/10/2014 Cristina Onete maria-cristina.onete@irisa.fr Attacks on RSA. Safe modes.

2  From the previous lecture… p, q, n:=pq B Secret Cristina Onete || 25/09/2014 || 2

3  Textbook RSA (V)  Security: Is encryption secure? Deterministic Cristina Onete || 25/09/2014 || 3

4  Textbook RSA (VI)  Security: Encryption is deterministic: Can always distinguish m from m’ Not guaranteed if few possible messages Try out all alternatives – find plaintext Not very secure; but we can improve it Cristina Onete || 25/09/2014 || 4

5  Textbook RSA ++  Improving Textbook RSA: Secret pre-processing RSA encryption pre-processing Security will depend on this step Cristina Onete || 25/09/2014 || 5

6  PKCS and Bleichenbacher  Preprocessing with PKCS1, mode 2 Pad with random number (make it probabilistic) 02random padFFmessage 1024 bits Bleichenbacher ’98: use the regularity of the ciphertext (they must start with “00|02”) to recover plaintext! 00 Cristina Onete || 25/09/2014 || 6

7  PKCS and Bleichenbacher (II)  Core idea Decrypt Does m start with “00|02”? Continue ERROR! Is it PKCS? Repeat until you know rM starts with 00|02 Cristina Onete || 25/09/2014 || 7

8  Cristina Onete || 25/09/2014 || 8 Contents  Pre-processing How OAEP works Improvements on OAEP Hash Functions; Random Oracles (brief)  Attacks on factoring – generic  Unsafe modes for RSA Small sk: Wiener’s attack  Some physical attacks Small pk and related ciphertexts

9  The OAEP Function  A new pre-processing function: OAEP OAEP = Optimal Asymmetric Encryption Padding By Bellare & Rogaway, 1994; in RFC 2437 Cristina Onete || 25/09/2014 || 9 mpadr G H YX K = size of n=pq G,H = hash functions = bit XOR

10  Cristina Onete || 25/09/2014 || 10 The OAEP Function  In detail: OAEP mpadr G  Hash functions A box with input of any size, and output of fixed size

11  Cristina Onete || 25/09/2014 || 11 The OAEP Function  In detail: OAEP mpadr G  How it works: rG mpad = random

12  Cristina Onete || 25/09/2014 || 12 The OAEP Function  In detail: OAEP  How it works: H = H r r random

13  Cristina Onete || 25/09/2014 || 13 RSA-OAEP Decryption  How do we decrypt? mpadr G H YX

14  Cristina Onete || 25/09/2014 || 14 RSA-OAEP Decryption  How do we decrypt? H = r

15  Cristina Onete || 25/09/2014 || 15 RSA-OAEP Decryption  How do we decrypt? mpadr G H YX

16  Cristina Onete || 25/09/2014 || 16 RSA-OAEP Decryption  How do we decrypt? rG mpad =

17  Cristina Onete || 25/09/2014 || 17 RSA-OAEP Decryption  How do we decrypt? Check: pad has the right format

18  Cristina Onete || 25/09/2014 || 18 The OAEP Function  In detail: OAEP How about the padding? mpadr

19  Cristina Onete || 25/09/2014 || 19 Improving OAEP: SAEP mW(m,r)r H YX

20  Cristina Onete || 25/09/2014 || 20 Contents  Pre-processing How OAEP works Improvements on OAEP Hash Functions; Random Oracles (brief)  Generic attacks on factoring  Unsafe modes for RSA Small sk: Wiener’s attack  Some physical attacks Small pk and related ciphertexts

21  Cristina Onete || 25/09/2014 || 21 Attacks on RSA  For the remainder of this lecture We =  1 st goal:  Strategies:

22  Cristina Onete || 25/09/2014 || 22

23  Cristina Onete || 25/09/2014 || 23

24  Cristina Onete || 25/09/2014 || 24  Attack on factoring – bad (p-1)

25  Cristina Onete || 25/09/2014 || 25  Attack on factoring – bad (p-1) Start with definite upper bound:

26  Cristina Onete || 25/09/2014 || 26  Attack on factoring – bad (p-1)

27  Cristina Onete || 25/09/2014 || 27 Exercise time!

28  Cristina Onete || 25/09/2014 || 28 So far

29  Cristina Onete || 25/09/2014 || 29 So far

30  Cristina Onete || 25/09/2014 || 30  General factorization attack (are we lucky?)

31  Cristina Onete || 25/09/2014 || 31 Strategy: we compute: Choice: speed vs. storage Speed: Floyd’s cycle finding algorithm:

32  Cristina Onete || 25/09/2014 || 32 Floyd’s Cycle-Finding Alg. Source:http://home.online.no/~vlaenen/

33  Cristina Onete || 25/09/2014 || 33 Exercise time!  Put the method (with Floyd’s cycle-finding algorithm) in pseudocode/algorithm form!

34  Cristina Onete || 25/09/2014 || 34 Contents  Pre-processing How OAEP works Improvements on OAEP Hash Functions; Random Oracles (brief)  Generic attacks on factoring  Unsafe modes for RSA Small sk: Wiener’s attack  Some physical attacks Small pk and related ciphertexts

35  Cristina Onete || 25/09/2014 || 35 Unsafe Modes for RSA  Small public key

36  Cristina Onete || 25/09/2014 || 36 Unsafe Modes for RSA  Small public key If knows the relationship of the messages,  Recommended This leads to fast encryption

37  Cristina Onete || 25/09/2014 || 37 More Unsafe Modes  Small secret key Better for decryption: makes it more efficient Math “magic” Use: least common multiple LCM Divide by dpq

38  Cristina Onete || 25/09/2014 || 38 More Unsafe Modes  Small secret key Tend to 0 Continued fractions and some trial and error gives d

39  Cristina Onete || 25/09/2014 || 39 Physical Attacks  Implementation: Square and Multiply Standard way to do exponentiation Square AND Multiply Square i76543210 m

40  Cristina Onete || 25/09/2014 || 40 Physical Attacks  Implementation: Square and Multiply Time the operation and write out the order of ops  Timing attack: multiply takes longer than square M, Sq, Sq, M, Sq, Sq, M, Sq, M, Sq, Sq, M  Power attack: multiply burns more than square Source: http://www.dbs.com.hk/

41 CIDRE Thanks!

Download ppt "Rennes, 02/10/2014 Cristina Onete Attacks on RSA. Safe modes."

Similar presentations

CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (3) Information Security.

CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (3) Information Security.
CS555Topic 191 Cryptography CS 555 Topic 19: Formalization of Public Key Encrpytion.

CS555Topic 191 Cryptography CS 555 Topic 19: Formalization of Public Key Encrpytion.
11 Provable Security. 22 Given a ciphertext, find the corresponding plaintext.

11 Provable Security. 22 Given a ciphertext, find the corresponding plaintext.
 Cristina Onete || 25/09/2014 || 1 TD – Cryptography 25 Sept: Public Key Encryption + RSA 02 Oct: RSA Continued 09 Oct: NO TD 16 Oct: Digital Signatures.

 Cristina Onete || 25/09/2014 || 1 TD – Cryptography 25 Sept: Public Key Encryption + RSA 02 Oct: RSA Continued 09 Oct: NO TD 16 Oct: Digital Signatures.
Public Key Cryptosystems - RSA Receiver Sender Eavesdroppe r 175753411947 p q p q p q p and q prime.

Public Key Cryptosystems - RSA Receiver Sender Eavesdroppe r p q p q p q p and q prime.
Rennes, 27/11/2014 Cristina Onete Subject Review, Questions, and Exam Practice.

Rennes, 27/11/2014 Cristina Onete Subject Review, Questions, and Exam Practice.
Lecture 3.3: Public Key Cryptography III CS 436/636/736 Spring 2012 Nitesh Saxena.

Lecture 3.3: Public Key Cryptography III CS 436/636/736 Spring 2012 Nitesh Saxena.
Rennes, 23/10/2014 Cristina Onete Putting it all together: using multiple primitives together.

Rennes, 23/10/2014 Cristina Onete Putting it all together: using multiple primitives together.
Introduction to Cryptography and Security Mechanisms: Unit 5 Theoretical v Practical Security Dr Keith Martin McCrea 34901784 443099

Introduction to Cryptography and Security Mechanisms: Unit 5 Theoretical v Practical Security Dr Keith Martin McCrea
The RSA Cryptosystem Dan Boneh Stanford University.

The RSA Cryptosystem Dan Boneh Stanford University.
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 3 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 3 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz.
MD5 Message Digest Algorithm CS265 Spring 2003 Jerry Li Computer Science Department San Jose State University.

MD5 Message Digest Algorithm CS265 Spring 2003 Jerry Li Computer Science Department San Jose State University.
The RSA Cryptosystem Dan Boneh Stanford University.

The RSA Cryptosystem Dan Boneh Stanford University.
The RSA Cryptosystem and Factoring Integers (II) Rong-Jaye Chen.

The RSA Cryptosystem and Factoring Integers (II) Rong-Jaye Chen.
A Designer’s Guide to KEMs Alex Dent

A Designer’s Guide to KEMs Alex Dent
Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from

Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from
CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.
How cryptography is used to secure web services Josh Benaloh Cryptographer Microsoft Research.

How cryptography is used to secure web services Josh Benaloh Cryptographer Microsoft Research.

Similar presentations

Ads by Google