Rennes, 02/10/2014 Cristina Onete Attacks on RSA. Safe modes.

Slides:



Advertisements
Similar presentations
CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (3) Information Security.
Advertisements

CS555Topic 191 Cryptography CS 555 Topic 19: Formalization of Public Key Encrpytion.
11 Provable Security. 22 Given a ciphertext, find the corresponding plaintext.
 Cristina Onete || 25/09/2014 || 1 TD – Cryptography 25 Sept: Public Key Encryption + RSA 02 Oct: RSA Continued 09 Oct: NO TD 16 Oct: Digital Signatures.
Public Key Cryptosystems - RSA Receiver Sender Eavesdroppe r p q p q p q p and q prime.
Rennes, 27/11/2014 Cristina Onete Subject Review, Questions, and Exam Practice.
Lecture 3.3: Public Key Cryptography III CS 436/636/736 Spring 2012 Nitesh Saxena.
Rennes, 23/10/2014 Cristina Onete Putting it all together: using multiple primitives together.
Introduction to Cryptography and Security Mechanisms: Unit 5 Theoretical v Practical Security Dr Keith Martin McCrea
The RSA Cryptosystem Dan Boneh Stanford University.
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 3 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz.
MD5 Message Digest Algorithm CS265 Spring 2003 Jerry Li Computer Science Department San Jose State University.
The RSA Cryptosystem Dan Boneh Stanford University.
The RSA Cryptosystem and Factoring Integers (II) Rong-Jaye Chen.
A Designer’s Guide to KEMs Alex Dent
Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from
CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.
How cryptography is used to secure web services Josh Benaloh Cryptographer Microsoft Research.
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz.
Lecture 23 Symmetric Encryption
CS470, A.SelcukRSA1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
1 Introduction to Information Security , Spring 2015 Lecture 7: Applied cryptography: asymmetric Eran Tromer Slides credit: John Mitchell, Stanford.
Chapter 8.  Cryptography is the science of keeping information secure in terms of confidentiality and integrity.  Cryptography is also referred to as.
Dan Boneh Stream ciphers The One Time Pad Online Cryptography Course Dan Boneh.
8. Data Integrity Techniques
Rennes, 15/10/2014 Cristina Onete Message authenticity: Digital Signatures.
Digital Signatures Slides by Kent Seamons and Tim van der Horst Last Updated: Oct 7, 2013.
The RSA Algorithm Rocky K. C. Chang, March
Cryptography Lecture 8 Stefan Dziembowski
1 Network Security Lecture 6 Public Key Algorithms Waleed Ejaz
10/1/2015 9:38:06 AM1AIIS. OUTLINE Introduction Goals In Cryptography Secrete Key Cryptography Public Key Cryptograpgy Digital Signatures 2 10/1/2015.
Lecture 11 Chosen-Ciphertext Security Stefan Dziembowski MIM UW ver 1.0.
Public Key Encryption and the RSA Public Key Algorithm CSCI 5857: Encoding and Encryption.
How cryptography is used to secure web services Josh Benaloh Cryptographer Microsoft Research.
1 Lect. 13 : Public Key Encryption RSA ElGamal. 2 Shamir Rivest Adleman RSA Public Key Systems  RSA is the first public key cryptosystem  Proposed in.
CS526: Information Security Prof. Sam Wagstaff September 16, 2003 Cryptography Basics.
Lecture 4.1: Hash Functions, and Message Authentication Codes CS 436/636/736 Spring 2015 Nitesh Saxena.
RSA Data Security, Inc. PKCS #1 : RSA Cryptography Standard Jessica Staddon RSA Laboratories PKCS Workshop October 7, 1998.
Cryptography Lecture 7: RSA Primality Testing Piotr Faliszewski.
Day 37 8: Network Security8-1. 8: Network Security8-2 Symmetric key cryptography symmetric key crypto: Bob and Alice share know same (symmetric) key:
On OAEP, PSS, and S/MIME John Linn RSA Laboratories S/MIME WG, San Diego IETF, 13 December 2000.
1 Number Theory and Advanced Cryptography 5. Cryptanalysis of RSA Chih-Hung Wang Sept Part I: Introduction to Number Theory Part II: Advanced Cryptography.
Utilizing Performance Monitors for Compromising keys of RSA on Intel Platforms Sarani Bhattacharya and Debdeep Mukhopadhyay Dept. of Computer Science and.
Dan Boneh Public Key Encryption from trapdoor permutations PKCS 1 Online Cryptography Course Dan Boneh.
Cryptography Lecture 11 Stefan Dziembowski
Software Security Seminar - 1 Chapter 10. Using Algorithms 조미성 Applied Cryptography.
Lecture 23 Symmetric Encryption
Attacking RSA Brian Winant Reference “Twenty Years of Attacks on the RSA Cryptosystem” By Dan Boneh In Notices of the American Mathematical.
Public Key Algorithms Lesson Introduction ●Modular arithmetic ●RSA ●Diffie-Hellman.
Various Attacks on Cryptosystems slides (c) 2012 by Richard Newman.
Tae-Joon Kim Jong yun Jun
Computer Security Lecture 5 Ch.9 Public-Key Cryptography And RSA Prepared by Dr. Lamiaa Elshenawy.
Lecture 3 (Chapter 9) Public-Key Cryptography and RSA Prepared by Dr. Lamiaa M. Elshenawy 1.
COM 5336 Lecture 8 Digital Signatures
Introduction to Elliptic Curve Cryptography CSCI 5857: Encoding and Encryption.
Lecture 6. RSA Use in Encryption to encrypt a message M the sender: – obtains public key of recipient PU={e,n} – computes: C = M e mod n, where 0≤M
1 Introduction to Information Security , Spring 2016 Lecture 4: Applied cryptography: asymmetric Zvi Ostfeld Slides credit: Eran Tromer.
Prof. Reuven Aviv, Nov 2013 Public Key Infrastructure1 Prof. Reuven Aviv Tel Hai Academic College Department of Computer Science Problem Set 1: Cryptography.
CMSC 414 Computer (and Network) Security Lecture 3 Jonathan Katz.
RSA Laboratories’ PKCS Series - a Tutorial
Attacks on Public Key Encryption Algorithms
Topic 24: Finding Prime Numbers, RSA
Cryptography Lecture 26.
Block Ciphers (Crypto 2)
Cryptography Lecture 22.
Cryptography Lecture 25.
Counter Mode, Output Feedback Mode
Presentation transcript:

Rennes, 02/10/2014 Cristina Onete Attacks on RSA. Safe modes.

 From the previous lecture… p, q, n:=pq B Secret Cristina Onete || 25/09/2014 || 2

 Textbook RSA (V)  Security: Is encryption secure? Deterministic Cristina Onete || 25/09/2014 || 3

 Textbook RSA (VI)  Security: Encryption is deterministic: Can always distinguish m from m’ Not guaranteed if few possible messages Try out all alternatives – find plaintext Not very secure; but we can improve it Cristina Onete || 25/09/2014 || 4

 Textbook RSA ++  Improving Textbook RSA: Secret pre-processing RSA encryption pre-processing Security will depend on this step Cristina Onete || 25/09/2014 || 5

 PKCS and Bleichenbacher  Preprocessing with PKCS1, mode 2 Pad with random number (make it probabilistic) 02random padFFmessage 1024 bits Bleichenbacher ’98: use the regularity of the ciphertext (they must start with “00|02”) to recover plaintext! 00 Cristina Onete || 25/09/2014 || 6

 PKCS and Bleichenbacher (II)  Core idea Decrypt Does m start with “00|02”? Continue ERROR! Is it PKCS? Repeat until you know rM starts with 00|02 Cristina Onete || 25/09/2014 || 7

 Cristina Onete || 25/09/2014 || 8 Contents  Pre-processing How OAEP works Improvements on OAEP Hash Functions; Random Oracles (brief)  Attacks on factoring – generic  Unsafe modes for RSA Small sk: Wiener’s attack  Some physical attacks Small pk and related ciphertexts

 The OAEP Function  A new pre-processing function: OAEP OAEP = Optimal Asymmetric Encryption Padding By Bellare & Rogaway, 1994; in RFC 2437 Cristina Onete || 25/09/2014 || 9 mpadr G H YX K = size of n=pq G,H = hash functions = bit XOR

 Cristina Onete || 25/09/2014 || 10 The OAEP Function  In detail: OAEP mpadr G  Hash functions A box with input of any size, and output of fixed size

 Cristina Onete || 25/09/2014 || 11 The OAEP Function  In detail: OAEP mpadr G  How it works: rG mpad = random

 Cristina Onete || 25/09/2014 || 12 The OAEP Function  In detail: OAEP  How it works: H = H r r random

 Cristina Onete || 25/09/2014 || 13 RSA-OAEP Decryption  How do we decrypt? mpadr G H YX

 Cristina Onete || 25/09/2014 || 14 RSA-OAEP Decryption  How do we decrypt? H = r

 Cristina Onete || 25/09/2014 || 15 RSA-OAEP Decryption  How do we decrypt? mpadr G H YX

 Cristina Onete || 25/09/2014 || 16 RSA-OAEP Decryption  How do we decrypt? rG mpad =

 Cristina Onete || 25/09/2014 || 17 RSA-OAEP Decryption  How do we decrypt? Check: pad has the right format

 Cristina Onete || 25/09/2014 || 18 The OAEP Function  In detail: OAEP How about the padding? mpadr

 Cristina Onete || 25/09/2014 || 19 Improving OAEP: SAEP mW(m,r)r H YX

 Cristina Onete || 25/09/2014 || 20 Contents  Pre-processing How OAEP works Improvements on OAEP Hash Functions; Random Oracles (brief)  Generic attacks on factoring  Unsafe modes for RSA Small sk: Wiener’s attack  Some physical attacks Small pk and related ciphertexts

 Cristina Onete || 25/09/2014 || 21 Attacks on RSA  For the remainder of this lecture We =  1 st goal:  Strategies:

 Cristina Onete || 25/09/2014 || 22

 Cristina Onete || 25/09/2014 || 23

 Cristina Onete || 25/09/2014 || 24  Attack on factoring – bad (p-1)

 Cristina Onete || 25/09/2014 || 25  Attack on factoring – bad (p-1) Start with definite upper bound:

 Cristina Onete || 25/09/2014 || 26  Attack on factoring – bad (p-1)

 Cristina Onete || 25/09/2014 || 27 Exercise time!

 Cristina Onete || 25/09/2014 || 28 So far

 Cristina Onete || 25/09/2014 || 29 So far

 Cristina Onete || 25/09/2014 || 30  General factorization attack (are we lucky?)

 Cristina Onete || 25/09/2014 || 31 Strategy: we compute: Choice: speed vs. storage Speed: Floyd’s cycle finding algorithm:

 Cristina Onete || 25/09/2014 || 32 Floyd’s Cycle-Finding Alg. Source:

 Cristina Onete || 25/09/2014 || 33 Exercise time!  Put the method (with Floyd’s cycle-finding algorithm) in pseudocode/algorithm form!

 Cristina Onete || 25/09/2014 || 34 Contents  Pre-processing How OAEP works Improvements on OAEP Hash Functions; Random Oracles (brief)  Generic attacks on factoring  Unsafe modes for RSA Small sk: Wiener’s attack  Some physical attacks Small pk and related ciphertexts

 Cristina Onete || 25/09/2014 || 35 Unsafe Modes for RSA  Small public key

 Cristina Onete || 25/09/2014 || 36 Unsafe Modes for RSA  Small public key If knows the relationship of the messages,  Recommended This leads to fast encryption

 Cristina Onete || 25/09/2014 || 37 More Unsafe Modes  Small secret key Better for decryption: makes it more efficient Math “magic” Use: least common multiple LCM Divide by dpq

 Cristina Onete || 25/09/2014 || 38 More Unsafe Modes  Small secret key Tend to 0 Continued fractions and some trial and error gives d

 Cristina Onete || 25/09/2014 || 39 Physical Attacks  Implementation: Square and Multiply Standard way to do exponentiation Square AND Multiply Square i m

 Cristina Onete || 25/09/2014 || 40 Physical Attacks  Implementation: Square and Multiply Time the operation and write out the order of ops  Timing attack: multiply takes longer than square M, Sq, Sq, M, Sq, Sq, M, Sq, M, Sq, Sq, M  Power attack: multiply burns more than square Source:

CIDRE Thanks!

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.