On OAEP, PSS, and S/MIME John Linn RSA Laboratories S/MIME WG, San Diego IETF, 13 December 2000.

Presentation Goals and Scope
- Discuss futures for RSA-based encryption and signature for CMS and S/MIME:
  - Current practice is based on PKCS #1 v1.5 (RFC 2313)
  - New techniques reflect the advancing state of the art: PKCS #1 v2.0 (RFC 2437) incorporates the OAEP encryption method, referenced by draft-ietf-smime-cms-rsaes-oaep-02.txt; work is underway on the PSS signature method
- Emphasizing characteristics, rationale, and status, not cryptomathematics

PKCS #1: History and Status
- PKCS #1 v1.5 (November 1993) defines encryption and signature facilities with ad hoc padding
- PKCS #1 v2.0 (October 1998) defends against encryption padding attacks (e.g., Bleichenbacher) with Optimal Asymmetric Encryption Padding (OAEP)
- PKCS #1 v2.1 (draft, September 1999; 2nd draft in preparation) provides an analogous defense against potential signature attacks with the Probabilistic Signature Scheme (PSS)
- Availability: Informational RFCs 2313 (v1.5), 2437 (v2.0),

PKCS #1 (v1.5): Padding Formats and Usage
- Sign: 01 || ff … ff || 00 || DER(HashAlgID, Hash(M))
- Encrypt: 02 || pseudorandom PS || 00 || M
- Ad hoc design
- Widely deployed, incorporated in many Internet standards, such as: PKIX profile, TLS, IPSEC, S/MIME

Bleichenbacher attack on PKCS #1 v1.5 encryption padding
- Adaptive chosen-ciphertext attack (1998)
  - needs information from 100,000s of decryptions, indicating whether correct padding resulted
  - a successful attack yields the result of a specific decryption
- Countermeasures include:
  - protocol-level means to ensure that information on decryptions isn't available to the attacker: constraints on returned information; randomize key, continue upon detected pad error
  - improved, plaintext-aware padding (e.g., OAEP) in the cryptographic layer to prevent the attack
- More detailed discussion: RSA Laboratories Bulletin #7 in
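As an added example (not the presentation's own code), here are the two PKCS #1 v1.5 block formats from the previous slide together with a decoder written the way the "constraints on returned information" countermeasure above requires: one combined validity flag, a full scan of the block, and a caller-supplied random fallback instead of a distinguishable padding error. The modulus length k and the choice of SHA-256 for the DigestInfo are assumptions.

```python
import hashlib
import secrets

# Added example (not from the slides): the two PKCS #1 v1.5 encodings and a
# decoder that does not act as a padding oracle. k is assumed to be the
# modulus length in bytes; the RSA exponentiation around these blocks is
# not shown.

# DER encoding of the SHA-256 DigestInfo prefix used in the signature block.
SHA256_DER_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")


def emsa_pkcs1_v15_encode(message: bytes, k: int) -> bytes:
    """Signature block: 00 || 01 || ff ... ff || 00 || DER(HashAlgID, Hash(M))."""
    t = SHA256_DER_PREFIX + hashlib.sha256(message).digest()
    if k < len(t) + 11:
        raise ValueError("intended encoded message length too short")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def eme_pkcs1_v15_encode(message: bytes, k: int) -> bytes:
    """Encryption block: 00 || 02 || nonzero pseudorandom PS || 00 || M."""
    if len(message) > k - 11:
        raise ValueError("message too long")
    ps = bytes(secrets.choice(range(1, 256)) for _ in range(k - len(message) - 3))
    return b"\x00\x02" + ps + b"\x00" + message


def eme_pkcs1_v15_decode(em: bytes, k: int, fallback: bytes) -> bytes:
    """Decode with 'constraints on returned information': all checks are
    folded into one flag, the block is scanned to the end rather than
    returning at the first bad byte, and on failure a caller-supplied
    random fallback is returned instead of a distinguishable error.
    (Illustrates the structure; Python gives no real timing guarantees.)"""
    ok = len(em) == k
    ok &= em[:2] == b"\x00\x02"
    sep = -1
    for i in range(2, len(em)):
        if em[i] == 0 and sep == -1:
            sep = i
    ok &= sep >= 10  # PS must be at least 8 nonzero bytes (indices 2..9)
    return em[sep + 1:] if ok else fallback
```

The caller generates `fallback` with a CSPRNG before decrypting, so a rejected block and an accepted one both yield a plaintext of the expected form.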

OAEP Properties
- Technique originally published by Bellare and Rogaway, 1994
  - Recent theoretical results on the strengths and assumptions of OAEP proofs have been discussed in the cryptographic research community; properties remain strong for use with RSA
- OAEP offers attractive properties, in the random oracle model:
  - Provably secure: can tie security to the strength of the RSA function
  - Plaintext-aware, given a suitable construction: "can't" generate a valid ciphertext without knowing the plaintext, so chosen-ciphertext attacks are ineffective

RSAES-OAEP Steps
- Encrypt (public key, message M, encoding parameters P):
  - encoded message EM = EME-OAEP-Encode(M, P)
  - ciphertext C = RSAEP(public key, EM)
- Decrypt (private key, C, P):
  - EM = RSADP(private key, C)
  - M = EME-OAEP-Decode(EM, P)
- M, C bounded; P arbitrary length (and empty by default in the S/MIME proposal)
- Encoding includes masked data and a masked random seed

The EME-OAEP-Encode Step
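An added example, not from the presentation: the EME-OAEP-Encode and EME-OAEP-Decode steps of RSAES-OAEP as specified in PKCS #1 v2.0 (RFC 2437), with the empty parameter string P that the S/MIME proposal uses by default. SHA-1, MGF1 and an encoded-message length of k - 1 bytes for a k-byte modulus are assumptions taken from that specification's defaults.

```python
import hashlib
import secrets

# Added example (not from the slides): EME-OAEP encode/decode as specified in
# PKCS #1 v2.0 (RFC 2437), with SHA-1 and MGF1. emLen is assumed to be k - 1
# for a k-byte modulus; RSAEP/RSADP around the encoded message are not shown.

HLEN = hashlib.sha1().digest_size  # 20


def mgf1(seed: bytes, length: int) -> bytes:
    """Mask generation function: concatenate Hash(seed || counter), truncate."""
    out = b""
    for counter in range((length + HLEN - 1) // HLEN):
        out += hashlib.sha1(seed + counter.to_bytes(4, "big")).digest()
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def eme_oaep_encode(m: bytes, p: bytes, em_len: int, seed: bytes = None) -> bytes:
    """EM = maskedSeed || maskedDB with DB = Hash(P) || 00..00 || 01 || M."""
    if len(m) > em_len - 2 * HLEN - 1:
        raise ValueError("message too long")
    ps = bytes(em_len - len(m) - 2 * HLEN - 1)
    db = hashlib.sha1(p).digest() + ps + b"\x01" + m
    seed = secrets.token_bytes(HLEN) if seed is None else seed  # random per encryption
    masked_db = xor(db, mgf1(seed, em_len - HLEN))   # mask the data with the seed
    masked_seed = xor(seed, mgf1(masked_db, HLEN))   # mask the seed with the masked data
    return masked_seed + masked_db


def eme_oaep_decode(em: bytes, p: bytes, em_len: int) -> bytes:
    """Undo both masks and check Hash(P), the zero padding and the 01 separator;
    every failure raises the same error so the caller learns only 'invalid'."""
    if len(em) != em_len or em_len < 2 * HLEN + 1:
        raise ValueError("decoding error")
    masked_seed, masked_db = em[:HLEN], em[HLEN:]
    seed = xor(masked_seed, mgf1(masked_db, HLEN))
    db = xor(masked_db, mgf1(seed, em_len - HLEN))
    p_hash, rest = db[:HLEN], db[HLEN:]
    sep = rest.find(b"\x01")
    if p_hash != hashlib.sha1(p).digest() or sep < 0 or any(rest[:sep]):
        raise ValueError("decoding error")
    return rest[sep + 1:]
```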

And, in the signature column, PSS...
- What if PKCS #1 v1.5 signatures are found weak?
  - Like PKCS #1 v1.5 encryption, there is no proof of security, though the design is well motivated and supported by analysis
  - An exploitable attack would be surprising — but experience demonstrates that cryptanalytic advances are unpredictable
- Like OAEP, PSS offers a provably secure design by Bellare and Rogaway

Block Diagram of Proposed PSS Encoding Operation
[Figure: M is hashed; 00 … 00 || Hash(M) || salt is hashed to H; DB = 00 … 01 || salt is XORed with MGF(H); the encoded message is maskedDB || H || bc]
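An added example, not from the presentation: the PSS encoding operation of the block diagram above, plus the verification step that recovers the salt and recomputes H. SHA-1, MGF1, a 20-byte salt and an encoded message one bit shorter than the modulus are assumptions (the form used in the PKCS #1 v2.1 draft and IEEE P1363a).

```python
import hashlib
import hmac
import secrets

# Added example (not from the slides): PSS encoding and verification in the
# form of the PKCS #1 v2.1 draft / IEEE P1363a. SHA-1, MGF1 and a 20-byte salt
# are assumed; the leftmost bit of EM is cleared so it is one bit shorter
# than the modulus. RSASP1/RSAVP1 (the RSA operations) are not shown.

HLEN = 20  # SHA-1 output length; the salt length is chosen equal to it


def mgf1(seed: bytes, length: int) -> bytes:
    out = b""
    for counter in range((length + HLEN - 1) // HLEN):
        out += hashlib.sha1(seed + counter.to_bytes(4, "big")).digest()
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def emsa_pss_encode(m: bytes, em_len: int, salt: bytes = None) -> bytes:
    """EM = maskedDB || H || bc, where H = Hash(00*8 || Hash(M) || salt)
    and DB = 00 ... 00 || 01 || salt is masked with MGF(H)."""
    if em_len < 2 * HLEN + 2:
        raise ValueError("encoding error")
    salt = secrets.token_bytes(HLEN) if salt is None else salt  # fresh per signature
    h = hashlib.sha1(bytes(8) + hashlib.sha1(m).digest() + salt).digest()
    db = bytes(em_len - 2 * HLEN - 2) + b"\x01" + salt
    masked_db = bytearray(xor(db, mgf1(h, em_len - HLEN - 1)))
    masked_db[0] &= 0x7F  # clear the leftmost bit (emBits = 8*emLen - 1)
    return bytes(masked_db) + h + b"\xbc"


def emsa_pss_verify(m: bytes, em: bytes, em_len: int) -> bool:
    """Unmask DB with MGF(H), recover the salt, recompute H and compare."""
    if len(em) != em_len or em[-1] != 0xBC or em[0] & 0x80:
        return False
    masked_db, h = em[:em_len - HLEN - 1], em[em_len - HLEN - 1:-1]
    db = bytearray(xor(masked_db, mgf1(h, em_len - HLEN - 1)))
    db[0] &= 0x7F
    ps_len = em_len - 2 * HLEN - 2
    if any(db[:ps_len]) or db[ps_len] != 0x01:
        return False
    salt = bytes(db[ps_len + 1:])
    h2 = hashlib.sha1(bytes(8) + hashlib.sha1(m).digest() + salt).digest()
    return hmac.compare_digest(h, h2)
```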

Patent Issues
- No patents known for the OAEP technique as proposed for S/MIME
  - patents could apply to some uses of the optional encoding parameters
- PSS encoding method is patent pending by the University of California
  - UC agreed to waive licensing on PSS for signatures with appendix if adopted in the IEEE standard; agreed for ANSI X9F1, ISO/IEC, NESSIE as well
  - for signatures with message recovery (PSS-R variant): "reasonable and nondiscriminatory licensing"

Status of OAEP and PSS in Other Standards Forums
- OAEP is stable; being included compatibly in multiple specifications: in PKCS #1 v2.0, in IEEE P1363, being incorporated in ANSI X9.44
- Standardization of PSS being pursued in several forums; detailed alignment ongoing
  - To be included in IEEE P1363a, PKCS #1 v2.1
  - Intent in ANSI X9F1 to reopen X9.31 to incorporate PSS
  - Revision in progress to include PSS-R in ISO

Proposed Approach
- Short term: Support both PKCS #1 v1.5 and OAEP encryption, along with RSA algorithm MUSTs?
  - S/MIME MUST for PKCS #1 v1.5, SHOULD for OAEP?
  - OAEP MUST or SHOULD for interactive CMS-based applications?
- Longer term: Move toward PSS signatures?
  - upgrade in due course — e.g., along with AES algorithm, new hash functions?