Download presentation
Presentation is loading. Please wait.
1
Attacks on Public Key Encryption Algorithms
CSCI 5857: Encoding and Encryption
2
Outline Short message attacks Timing attacks
Optimal Asymmetric Encryption Padding Timing attacks Blinding against timing attacks
3
Short Message Attacks Typical use of public key algorithm: Generating short messages Symmetric keys (used then to send rest of message) Social security numbers, etc. Idea: Adversary acquires public key E, n Uses them to encrypt all possible messages that may be sent (plausible if messages are short enough!) and stores in table Intercepts encrypted message C and searches for match in the table Adversary can recover plaintext without decryption key!
4
Short Message Attack Example (1)
Example: Darth knows that Bob will use Alice’s public key to send her a Social Security Number (9 digits)
5
Short Message Attack Example (2)
Darth uses Alice’s public key KPU to encrypt all possible Social Security Numbers (only a billion)
6
Short Message Attack Example (3)
Darth intercepts Bob’s SSN encrypted with Alice’s public key Searches for match in table of encrypted values
7
Short Message Attack Solutions
Solution: Pad message to M bits M large enough so adversary can’t generate all 2M possible messages (extra bits must be randomly chosen) Can’t just add extra bits to end – still possibly vulnerable Optimal Asymmetric Encryption Padding (OAEP) Additional bits used as “mask” to conceal plaintext Mask generated randomly Mask data sent as part of encrypted message for decryption Based on cryptographic hash (more later)
8
Optimal Asymmetric Encryption Padding
Message padded to m bits Random bits r mask padded message Run through hash function G XOR’d with padded message to give P1 Masked message mask random bits Masked message run through hash function H XOR’d with random bits to give P2 Masked message and random bits (P1 and P2) encrypted and sent
9
OAEP Decryption Decryption:
Ciphertext decrypted to get masked message and random bits (P1 and P2) Masked message P1 run through hash function H and XOR’d with P2 to recover r r run through hash function G and XOR’d with P1 to recover original padded plaintext
10
Timing Attacks Encryption/decryption times may not be constant for all algorithms Times may be function of: Plaintext, Ciphertext Keys Adversary can observe timing in different ways Overall time Processor cycles Power consumption…
11
Fast Modular Exponentiation
Fast modular exponentiation algorithm used for decryption to compute CD mod n: result = 1 for (i = 0 to number of bits in D - 1) { if (ith bit of D = 1) result = (result * C) mod n C = C2 mod n } Speed of decryption depends on number of 1’s in binary key D Each 1 requires additional multiplication operation Each 0 skips that step
12
Timing Attacks to Recover Key
If adversary knows the following: Ciphertext C Can compute how long it takes to multiply ciphertext and compute mods That is, how long a 1 or a 0 takes to decrypt Total time decryption takes They could compute number of 1’s in private D Given enough known plaintexts, can reliably guess D completely
13
Timing Attacks on RSA Darth infiltrates organization
Requests secure data from database Observes ciphertext Times processor cycles required by decryption Guesses properties of key
14
Timing Attack Solutions
“Pad” algorithm so all decryptions take same time for (i = 0 to number of bits in D - 1) { if (ith bit of D = 1) result = (result * C) mod n else garbageVariable = (result * C) mod n C = C2 mod n } Disadvantage: All decryptions now run no faster than the worst possible case
15
Blinding Solution Attacker cannot reliably perform timing attack unless they know the C value being decrypted Remove attacker’s ability to know the C used in the fast modular exponentiation Compute fast exponentiation on a value other than C Use that value to recover the plaintext Used by commercial versions of RSA
16
Blinding Timing Attacks
Algorithm: Select random r < modulus n Compute C1 = C r E mod n Compute P1 = C1D mod n = (C r E )D mod n = (CD mod n r ED mod n ) mod n = (P r ) mod n Compute P = (P1 r -1 ) mod n
17
Timing Attacks on Other Ciphers
Based on implementation of algorithm, not underlying mathematics Any cryptosystem that has a component that takes different time for different keys may be vulnerable Current research: AES MixColumns stage uses matrix multiplication More 0’s in state Faster matrix multiplication May be able to recover intermediate states based on run time
18
What’s Next Let me know if you have any questions
Continue on to the next lecture on Elgamal Public Key Encryption
Similar presentations
© 2024 SlidePlayer.com. Inc.
All rights reserved.