RSA криптосистем
1 like1,191 views
The RSA cryptosystem is the most widely used public key cryptosystem. It uses a "trapdoor" one-way function to encrypt and decrypt messages. While textbook RSA is insecure, common implementations prepend random padding like OAEP to the message before encryption, which provides chosen ciphertext security. Despite its widespread use, RSA remains computationally intensive due to the need for large key sizes for security equivalents to modern block ciphers. Timing and fault attacks remain a concern if proper countermeasures are not implemented.
![The RSA trapdoor 1-to-1 function
Parameters: N=pq. N 1024 bits. p,q 512 bits.
e – encryption exponent. gcd(e, (N) ) = 1 .
1-to-1 function: RSA(M) = Me (mod N) where M ZN*
Trapdoor: d – decryption exponent.
Where e d = 1 (mod (N) )
d (N)+1
Inversion: RSA(M) = Med = Mk = M (mod N)
(n,e,t, )-RSA Assumption: For any t-time alg. A:
Pr[ A(N,e,x) = x ]<
1/e p,q R n-bit primes,
(N) :
N pq, x R ZN*
Page 3](https://image.slidesharecdn.com/rsa-1-120315213352-phpapp01/85/RSA-3-320.jpg)
![Subtleties in implementing OAEP [M ’00]
OAEP-decrypt(C) {
error = 0;
if ( RSA-1(C) > 2n-1 )
{ error =1; goto exit; }
if ( pad(OAEP-1(RSA-1(C))) != “01000” )
} { error = 1; goto exit; }
Problem: timing information leaks type of error.
Attacker can decrypt any ciphertext C.
Lesson: Don’t implement RSA-OAEP yourself …
Page 12](https://image.slidesharecdn.com/rsa-1-120315213352-phpapp01/85/RSA-12-320.jpg)
RSA криптосистем
- 1. The RSA Cryptosystem Dan Boneh Stanford University
- 2. The RSA cryptosystem First published: • Scientific American, Aug. 1977. (after some censorship entanglements) Currently the “work horse” of Internet security: • Most Public Key Infrastructure (PKI) products. • SSL/TLS: Certificates and key-exchange. • Secure e-mail: PGP, Outlook, … Page 2
- 3. The RSA trapdoor 1-to-1 function Parameters: N=pq. N 1024 bits. p,q 512 bits. e – encryption exponent. gcd(e, (N) ) = 1 . 1-to-1 function: RSA(M) = Me (mod N) where M ZN* Trapdoor: d – decryption exponent. Where e d = 1 (mod (N) ) d (N)+1 Inversion: RSA(M) = Med = Mk = M (mod N) (n,e,t, )-RSA Assumption: For any t-time alg. A: Pr[ A(N,e,x) = x ]< 1/e p,q R n-bit primes, (N) : N pq, x R ZN* Page 3
- 4. Textbook RSA is insecure Textbook RSA encryption: • public key: (N,e) Encrypt: C = Me (mod N) • private key: d Decrypt: Cd = M (mod N) (M Z N* ) Completely insecure cryptosystem: • Does not satisfy basic definitions of security. • Many attacks exist. The RSA trapdoor permutation is not a cryptosystem ! Page 4
- 5. A simple attack on textbook RSA Rando CLIENT HELLO m session- Web SERVER HELLO (e,N) Web d key K Browser Server C=RSA(K) Session-key K is 64 bits. View K {0,…,264} Eavesdropper sees: C = Ke (mod N) . Suppose K = K1 K2 where K1, K2 < 234 . (prob. 20%) Then: C/K1e = K2e (mod N) Build table: C/1e, C/2e, C/3e, …, C/234e . time: 234 For K2 = 0,…, 234 test if K2e is in table. time: 234 34 Attack time: 240 << 264 Page 5
- 6. Common RSA encryption Never use textbook RSA. RSA in practice: Preprocessing RSA ciphertext msg Main question: • How should the preprocessing be done? • Can we argue about security of resulting system? Page 6
- 7. PKCS1 V1.5 PKCS1 mode 2: (encryption) 16 bits 02 random pad FF msg 1024 bits Resulting value is RSA encrypted. Widely deployed in web servers and browsers. No security analysis !! Page 7
- 8. Attack on PKCS1 Bleichenbacher 98. Chosen-ciphertext attack. PKCS1 used in SSL: C= ciphertext d C Is this PKCS1? Web Attacker Yes: continue Server 02 No: error attacker can test if 16 MSBs of plaintext = ’02’. Attack: to decrypt a given ciphertext C do: e • Pick r ZN. Compute C’ = C = (r PKCS1(M)) . re • Send C’ to web server and use response. Page 8
- 9. Chosen ciphertext security (CCS) No efficient attacker can win the following game: (with non-negligible advantage) M0 , M1 C=E(Mb) b Decryption Challenger R Attacker oracle Challenge C b’ Attacker wins if b=b’ Page 9
- 10. PKCS1 V2.0 - OAEP New preprocessing function: OAEP (BR94). M 01 00..0 rand. + H Check pad on decryption. Reject CT if invalid. G + Plaintext to encrypt with RSA {0,1}n-1 Thm: RSA is trap-door permutation OAEP is CCS when H,G are “random oracles”. In practice: use SHA-1 or MD5 for H and G. Page 10
- 11. OAEP Improvements OAEP+: (Shoup’01) M W(M,R) R trap-door permutation F + H F-OAEP+ is CCS when H,G,W are “random oracles”. G + SAEP+: (B’01) M W(M,R) R RSA trap-door perm RSA-SAEP+ is CCS when + H H,W are “random oracle”. Page 11
- 12. Subtleties in implementing OAEP [M ’00] OAEP-decrypt(C) { error = 0; if ( RSA-1(C) > 2n-1 ) { error =1; goto exit; } if ( pad(OAEP-1(RSA-1(C))) != “01000” ) } { error = 1; goto exit; } Problem: timing information leaks type of error. Attacker can decrypt any ciphertext C. Lesson: Don’t implement RSA-OAEP yourself … Page 12
- 13. Part II: Is RSA a One-Way Function?
- 14. Is RSA a one-way permutation? To invert the RSA one-way function (without d) attacker must compute: M from C = Me (mod N). How hard is computing e’th roots modulo N ?? Best known algorithm: • Step 1: factor N. (hard) • Step 2: Find e’th roots modulo p and q. (easy) Page 14
- 15. Shortcuts? Must one factor N in order to compute e’th roots? Exists shortcut for breaking RSA without factoring? To prove no shortcut exists show a reduction: • Efficient algorithm for e’th roots mod N efficient algorithm for factoring N. • Oldest problem in public key cryptography. Evidence no reduction exists: (BV’98) • “Algebraic” reduction factoring is easy. • Unlike Diffie-Hellman (Maurer’94). Page 15
- 16. Improving RSA’s performance To speed up RSA decryption use small private key d. Cd = M (mod N) • Wiener87: if d < N0.25 then RSA is insecure. • BD’98: if d < N0.292 then RSA is insecure (open: d < N0.5 ) • Insecure: priv. key d can be found from (N,e). • Small d should never be used. Page 16
- 17. Wiener’s attack Recall: e d = 1 (mod (N) ) k Z : e d = k (N) + 1 e k 1 - (N) d d (N) (N) = N-p-q+1 |N- (N)| p+q 3 N e - k 1 d N0.25/3 N d 2d2 Continued fraction expansion of e/N gives k/d. e d = 1 (mod k) gcd(d,k)=1 Page 17
- 18. RSA With Low public exponent To speed up RSA encryption (and sig. verify) use a small e. C = Me (mod N) Minimal value: e=3 ( gcd(e, (N) ) = 1) Recommended value: e=65537=216+1 Encryption: 17 mod. multiplies. Several weak attacks. Non known on RSA-OAEP. Asymmetry of RSA: fast enc. / slow dec. • ElGamal: approx. same time for both. Page 18
- 19. Implementation attacks Attack the implementation of RSA. Timing attack: (Kocher 97) The time it takes to compute Cd (mod N) can expose d. Power attack: (Kocher 99) The power consumption of a smartcard while it is computing Cd (mod N) can expose d. Faults attack: (BDL 97) A computer error during Cd (mod N) can expose d. OpenSSL defense: check output. 5% slowdown. Page 19
- 20. Key lengths Security of public key system should be comparable to security of block cipher. NIST: Cipher key-size Modulus size 64 bits 512 bits. 80 bits 1024 bits 128 bits 3072 bits. 256 bits (AES) 15360 bits High security very large moduli. Not necessary with Elliptic Curve Cryptography. Page 20