Attacks on Public Key Encryption Algorithms
CSCI 5857: Encoding and Encryption

Outline
- Short message attacks
- Timing attacks
- Optimal Asymmetric Encryption Padding
- Blinding against timing attacks
Short Message Attacks
- Typical use of a public key algorithm: sending short messages
  - Symmetric keys (then used to send the rest of the message)
  - Social Security Numbers, etc.
- Idea:
  - Adversary acquires the public key (E, n)
  - Uses it to encrypt all possible messages that may be sent (plausible if messages are short enough!) and stores the results in a table
  - Intercepts encrypted message C and searches for a match in the table
  - Adversary recovers the plaintext without the decryption key!
Short Message Attack Example (1)
- Darth knows that Bob will use Alice's public key to send her a Social Security Number (9 digits)

Short Message Attack Example (2)
- Darth uses Alice's public key KPU to encrypt all possible Social Security Numbers (only a billion)

Short Message Attack Example (3)
- Darth intercepts Bob's SSN encrypted with Alice's public key
- Searches for a match in the table of encrypted values
Short Message Attack Solutions
- Solution: pad the message to M bits
  - M large enough that the adversary can't generate all 2^M possible messages (the extra bits must be randomly chosen)
  - Can't just add extra bits to the end – still possibly vulnerable
- Optimal Asymmetric Encryption Padding (OAEP)
  - Additional bits used as a "mask" to conceal the plaintext
  - Mask generated randomly
  - Mask data sent as part of the encrypted message for decryption
  - Based on a cryptographic hash (more later)
Optimal Asymmetric Encryption Padding
- Message padded to m bits
- Random bits r mask the padded message:
  - r run through hash function G, XOR'd with the padded message to give P1 (the masked message)
- Masked message masks the random bits:
  - P1 run through hash function H, XOR'd with r to give P2
- Masked message and masked random bits (P1 and P2) encrypted and sent

OAEP Decryption
- Ciphertext decrypted to get the masked message and masked random bits (P1 and P2)
- Masked message P1 run through hash function H and XOR'd with P2 to recover r
- r run through hash function G and XOR'd with P1 to recover the original padded plaintext
Timing Attacks
- Encryption/decryption times may not be constant for all algorithms
- Times may be a function of:
  - Plaintext, ciphertext
  - Keys
- Adversary can observe timing in different ways:
  - Overall time
  - Processor cycles
  - Power consumption...
Fast Modular Exponentiation
- Fast modular exponentiation algorithm used for decryption to compute C^D mod n:

    result = 1
    for (i = 0 to number of bits in D - 1) {
        if (ith bit of D = 1)
            result = (result * C) mod n
        C = C^2 mod n
    }

- Speed of decryption depends on the number of 1's in the binary key D
  - Each 1 requires an additional multiplication operation
  - Each 0 skips that step
Timing Attacks to Recover Key
- If the adversary knows the following:
  - Ciphertext C
  - Can compute how long it takes to multiply the ciphertext and compute the mods (that is, how long a 1 or a 0 takes to decrypt)
  - Total time the decryption takes
- They could compute the number of 1's in the private key D
- Given enough known plaintexts, can reliably guess D completely

Timing Attacks on RSA
- Darth infiltrates the organization
- Requests secure data from the database
- Observes the ciphertext
- Times the processor cycles required by decryption
- Guesses properties of the key
Timing Attack Solutions
- "Pad" the algorithm so all decryptions take the same time:

    for (i = 0 to number of bits in D - 1) {
        if (ith bit of D = 1)
            result = (result * C) mod n
        else
            garbageVariable = (result * C) mod n
        C = C^2 mod n
    }

- Disadvantage: all decryptions now run no faster than the worst possible case
Blinding Solution
- Attacker cannot reliably perform a timing attack unless they know the C value being decrypted
- Remove the attacker's ability to know the C used in the fast modular exponentiation:
  - Compute the fast exponentiation on a value other than C
  - Use that value to recover the plaintext
- Used by commercial versions of RSA
Blinding Timing Attacks
- Algorithm:
  - Select random r < modulus n (with gcd(r, n) = 1, so that r^-1 mod n exists)
  - Compute C1 = (C * r^E) mod n
  - Compute P1 = C1^D mod n = (C * r^E)^D mod n = ((C^D mod n) * (r^(E*D) mod n)) mod n = (P * r) mod n
  - Compute P = (P1 * r^-1) mod n
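The square-and-multiply loop from the Fast Modular Exponentiation slide and the blinding steps above, as an added example that is not part of the lecture: it counts the multiplications (one per 1-bit of D, which is what a timing attacker measures) and decrypts via C1 = C * r^E mod n. The key (p = 61, q = 53) is a constructed toy key, far too small for real use.

```python
# Added example, not from the lecture. Toy textbook RSA key (constructed):
# p = 61, q = 53 -> n = 3233, phi = 3120, E = 17, D = 2753.
import secrets
from math import gcd

N, E, D = 3233, 17, 2753


def fast_mod_exp(base, exp, mod):
    """Right-to-left square-and-multiply, as on the slide.
    Returns (result, multiplications): the multiply is done only for
    1-bits of exp, so the count equals the Hamming weight of exp.
    This count is the timing leak the lecture describes."""
    result, mults = 1, 0
    while exp:
        if exp & 1:
            result = (result * base) % mod
            mults += 1
        base = (base * base) % mod  # C = C^2 mod n
        exp >>= 1
    return result, mults


def encrypt(m, e=E, n=N):
    return pow(m, e, n)


def decrypt_blinded(c, d=D, e=E, n=N):
    """Blinding: exponentiate on C1 = C * r^E mod n instead of on C,
    so the attacker never knows the value the loop operates on; then
    strip the factor r with r^-1 mod n."""
    while True:
        r = secrets.randbelow(n - 1) + 1  # r in [1, n-1]
        if gcd(r, n) == 1:  # r^-1 mod n must exist
            break
    c1 = (c * pow(r, e, n)) % n
    p1, _ = fast_mod_exp(c1, d, n)  # = (P * r) mod n
    return (p1 * pow(r, -1, n)) % n  # P = P1 * r^-1 mod n


if __name__ == "__main__":
    c = encrypt(65)
    print("ciphertext:", c)  # 2790
    print("unblinded decrypt (result, multiplies):", fast_mod_exp(c, D, N))
    print("1-bits in D:", bin(D).count("1"))
    print("blinded decrypt:", decrypt_blinded(c))
```

Run it a few times: the blinded result is always the same plaintext, while the C1 actually fed to the exponentiation loop differs on every call.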
Timing Attacks on Other Ciphers
- Based on the implementation of the algorithm, not the underlying mathematics
- Any cryptosystem that has a component that takes different time for different keys may be vulnerable
- Current research: AES
  - MixColumns stage uses matrix multiplication
  - More 0's in the state -> faster matrix multiplication
  - May be able to recover intermediate states based on run time

What's Next
- Let me know if you have any questions
- Continue on to the next lecture on Elgamal Public Key Encryption