Document information
Online Cryptography Course                                              Dan Boneh

Public Key Encryption from trapdoor permutations
PKCS 1

RSA encryption in practice
  Never use textbook RSA.
  RSA in practice (since the ISO standard is not often used):
      msg  -->  preprocessing  -->  RSA  -->  ciphertext
                                    key
  Main questions:
  – How should the preprocessing be done?
  – Can we argue about security of the resulting system?

PKCS1 v1.5
  PKCS1 mode 2 (encryption):
      [ 02 | random pad | FF | msg ]
        ^ 16 bits       <------ RSA modulus size (e.g. 2048 bits) ------>
  • Resulting value is RSA encrypted
  • Widely deployed, e.g. in HTTPS

Attack on PKCS1 v1.5 (Bleichenbacher 1998)
  PKCS1 used in HTTPS:
      Attacker  -- c = ciphertext -->  Web Server: compute c^d; is this PKCS1 (starts with 02)?
                                            yes: continue
                                            no:  error
  ⇒ attacker can test if the 16 MSBs of the plaintext = '02'

  Chosen-ciphertext attack: to decrypt a given ciphertext c do:
  – Choose r ∈ Z_N.  Compute c' ⟵ r^e ⋅ c = (r ⋅ PKCS1(m))^e
  – Send c' to the web server and use the response

Baby Bleichenbacher
      Attacker  -- c = ciphertext -->  Web Server: compute x ⟵ c^d in Z_N; is msb = 1?
                                            yes: continue
                                            no:  error
  Suppose N = 2^n (an invalid RSA modulus). Then:
  • Sending c reveals msb(x)
  • Sending 2^e ⋅ c = (2x)^e in Z_N reveals msb(2x mod N) = msb_2(x)
  • Sending 4^e ⋅ c = (4x)^e in Z_N reveals msb(4x mod N) = msb_3(x)
  • … and so on to reveal all of x

HTTPS Defense (RFC 5246)
  "Attacks discovered by Bleichenbacher and Klima et al. … can be avoided by treating
   incorrectly formatted message blocks … in a manner indistinguishable from correctly
   formatted RSA blocks."
  In other words:
  1. Generate a string R of 46 random bytes
  2. Decrypt the message to recover the plaintext M
  3. If the PKCS#1 padding is not correct: pre_master_secret = R

PKCS1 v2.0: OAEP
  New preprocessing function: OAEP [BR94]
      [ msg | 01 | 00..0 ]  ⊕ G(rand)  -->  x
      rand  ⊕ H(x)                     -->  y
      plaintext to encrypt with RSA: x ‖ y ∈ {0,1}^(n-1)
      check pad on decryption; reject CT if invalid
  Thm [FOPS'01]: RSA is a trap-door permutation ⇒ RSA-OAEP is CCA secure
                 when H, G are random oracles
  In practice: use SHA-256 for H and G

OAEP Improvements
  OAEP+ [Shoup'01]: ∀ trap-door permutation F,
      F-OAEP+ is CCA secure when H, G, W are random oracles
      [ m | W(m,r) | r ]  with the masks H and G applied as in OAEP
      During decryption validate the W(m,r) field
  SAEP+ [B'01]: RSA (e=3) is a trap-door perm ⇒ RSA-SAEP+ is CCA secure
      when H, W are random oracles
      [ m | W(m,r) ] ⊕ H(r) , r      (a single mask H)

How would you decrypt an SAEP ciphertext ct?
      x = [ m | W(m,r) ] ⊕ H(r) ;  ct = RSA ciphertext of (x, r)
  – (x,r) ⟵ RSA^(-1)(sk,ct) , (m,w) ⟵ x ⊕ H(r) , output m if w = W(m,r)
  – (x,r) ⟵ RSA^(-1)(sk,ct) , (m,w) ⟵ r ⊕ H(x) , output m if w = W(m,r)
  – (x,r) ⟵ RSA^(-1)(sk,ct) , (m,w) ⟵ x ⊕ H(r) , output m if r = W(m,x)

Subtleties in implementing OAEP [M'00]
  OAEP-decrypt(ct):
      error = 0;
      if ( RSA^(-1)(ct) > 2^(n-1) )                      { error = 1; goto exit; }
      if ( pad(OAEP^(-1)(RSA^(-1)(ct))) != "01000" )     { error = 1; goto exit; }
  Problem: timing information leaks the type of error ⇒ attacker can decrypt any ciphertext
  Lesson: Don't implement RSA-OAEP yourself!

End of Segment
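The PKCS1 v1.5, Bleichenbacher and RFC 5246 slides above describe three things: the type-2 block format, a server whose padding error is a one-bit oracle, and the defense of answering a malformed block with random bytes instead of an error. The following Python is an added example, not code from the course; it uses a constructed toy RSA key (two Mersenne primes, about 196 bits, far too small for real use) and implements the standard EME-PKCS1-v1_5 layout (00 02 | PS | 00 | msg, the slide's "FF" box being a simplification). The names `leaky_decrypt`, `rfc5246_decrypt`, `multiply_ciphertext` and `demo` are this example's own.

```python
import secrets

# Constructed toy RSA key: N is the product of the Mersenne primes 2^89-1 and 2^107-1.
# gcd(65537, (P-1)(Q-1)) = 1 for these primes, so D exists. Never use a key this small.
P = (1 << 89) - 1
Q = (1 << 107) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8          # modulus length in bytes (25 here)


def pkcs1_v15_pad(msg: bytes) -> bytes:
    """EME-PKCS1-v1_5 block: 00 02 | PS (>= 8 random non-zero bytes) | 00 | msg.
    The slide's 16-bit '02' box is the leading 00 02."""
    if len(msg) > K - 11:
        raise ValueError("message too long for this modulus")
    ps = bytes(secrets.randbelow(255) + 1 for _ in range(K - 3 - len(msg)))
    return b"\x00\x02" + ps + b"\x00" + msg


def pkcs1_v15_unpad(em: bytes):
    """Return the message, or None if em is not a well-formed type-2 block."""
    if len(em) != K or em[:2] != b"\x00\x02":
        return None
    sep = em.find(b"\x00", 2)             # end of the padding string (-1 if absent)
    if sep < 10:                          # fewer than 8 padding bytes, or no separator
        return None
    return em[sep + 1:]


def encrypt(msg: bytes) -> bytes:
    em = pkcs1_v15_pad(msg)
    return pow(int.from_bytes(em, "big"), E, N).to_bytes(K, "big")


def rsa_inverse(ct: bytes) -> bytes:
    """c^d mod N, as a K-byte string: the 'compute c^d' step on the server."""
    return pow(int.from_bytes(ct, "big"), D, N).to_bytes(K, "big")


def leaky_decrypt(ct: bytes) -> bytes:
    """The server from the Bleichenbacher slide: a distinct error on bad padding
    tells the sender whether c^d starts with 00 02. That error is the oracle."""
    m = pkcs1_v15_unpad(rsa_inverse(ct))
    if m is None:
        raise ValueError("bad PKCS#1 padding")
    return m


def rfc5246_decrypt(ct: bytes, secret_len: int) -> bytes:
    """RFC 5246 style: draw R first, decrypt, and on a malformed block (or a wrong
    length) return R instead of an error, so both paths yield secret_len bytes.
    TLS uses 46 random bytes plus a 2-byte version; the toy modulus forces a shorter
    secret here. A production implementation must also keep the timing of both
    paths indistinguishable, which this Python sketch does not guarantee."""
    r = secrets.token_bytes(secret_len)
    m = pkcs1_v15_unpad(rsa_inverse(ct))
    if m is None or len(m) != secret_len:
        return r
    return m


def multiply_ciphertext(ct: bytes, s: int) -> bytes:
    """s^e * c mod N decrypts to s * EM mod N (the slide's c' = r^e * c). Used here
    only to produce a malformed block and compare how the two servers answer it."""
    c = int.from_bytes(ct, "big") * pow(s, E, N) % N
    return c.to_bytes(K, "big")


def demo() -> dict:
    """Constructed round trip: one well-formed ciphertext and one malformed one."""
    m = b"premaster"
    ct = encrypt(m)
    bad = multiply_ciphertext(ct, 2)      # 2*EM < N and no longer starts with 00 02
    try:
        leaky_decrypt(bad)
        leaky_errors = False
    except ValueError:
        leaky_errors = True
    return {
        "good_leaky": leaky_decrypt(ct),
        "good_rfc": rfc5246_decrypt(ct, len(m)),
        "bad_leaky_errors": leaky_errors,       # the oracle bit
        "bad_rfc": rfc5246_decrypt(bad, len(m)),  # random bytes, same length as a real secret
    }


if __name__ == "__main__":
    print(demo())
```

The point of `rfc5246_decrypt` is that a caller (here the TLS handshake) proceeds with whatever comes back and only fails later, at the Finished message, which gives the sender no bit about the padding. Drawing R before the decryption, rather than only on failure, is deliberate: it keeps the work done on both paths the same.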
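The OAEP slide gives the two-mask layout (x = pad(msg) ⊕ G(r), y = r ⊕ H(x), SHA-256 for H and G) and the "Subtleties" slide warns that a decoder which fails differently on the range check and on the pad check leaks which one failed. The Python below is an added example written for this page, not the course's code and not a standards-compliant RSA-OAEP: it instantiates G and H as counter-mode SHA-256 expansion (an assumption), keeps the pad as msg | 01 | 00..0 but additionally requires at least `MIN_ZEROS` trailing zero bytes (an assumption added so that a corrupted block is rejected with overwhelming probability), and folds every check, including the length check that stands in for the slide's range check, into one flag with a single return point. The names `oaep_encode`, `oaep_decode`, `mask` and `MIN_ZEROS` are this example's own.

```python
import hashlib
import secrets

R_LEN = 32                       # bytes of randomness r (the 'rand' box)
X_LEN = 64                       # bytes of the data part: msg | 01 | 00..0
MIN_ZEROS = 8                    # added assumption: pad must end with this many 00 bytes
BLOCK_LEN = X_LEN + R_LEN        # the x || y block handed to the trapdoor permutation


def mask(seed: bytes, length: int, label: bytes) -> bytes:
    """Counter-mode SHA-256 expansion, standing in for the random oracles G and H."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(label + seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def G(r: bytes) -> bytes:
    return mask(r, X_LEN, b"G")


def H(x: bytes) -> bytes:
    return mask(x, R_LEN, b"H")


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(i ^ j for i, j in zip(a, b))


def oaep_encode(msg: bytes, r: bytes = None) -> bytes:
    """x = (msg | 01 | 00..0) ⊕ G(r);  y = r ⊕ H(x);  output x || y."""
    if len(msg) > X_LEN - 1 - MIN_ZEROS:
        raise ValueError("message too long")
    if r is None:
        r = secrets.token_bytes(R_LEN)    # fresh randomness per encryption
    data = msg + b"\x01" + b"\x00" * (X_LEN - len(msg) - 1)
    x = xor(data, G(r))
    y = xor(r, H(x))
    return x + y


def oaep_decode(block: bytes):
    """Invert the encoding and check the pad. Every failure takes the same path and
    produces the same value (None): a decoder that reports which check failed, or
    returns early on the first one, is the leak of the 'Subtleties' slide. Python
    cannot promise constant time, so the discipline shown is one flag, one exit."""
    ok = len(block) == BLOCK_LEN                      # stands in for the range check
    block = (block + b"\x00" * BLOCK_LEN)[:BLOCK_LEN]  # keep working on a bad length
    x, y = block[:X_LEN], block[X_LEN:]
    r = xor(y, H(x))                                  # recover r first
    data = xor(x, G(r))                               # then unmask the data part
    stripped = data.rstrip(b"\x00")
    ok &= data[-MIN_ZEROS:] == b"\x00" * MIN_ZEROS
    ok &= len(stripped) > 0 and stripped[-1] == 0x01
    return stripped[:-1] if ok else None


if __name__ == "__main__":
    blk = oaep_encode(b"attack at dawn")              # constructed sample message
    print(oaep_decode(blk))
    print(oaep_decode(bytes([blk[0] ^ 0x80]) + blk[1:]))   # tampered: None
```

Because y = r ⊕ H(x), changing any byte of x changes the recovered r, so G(r) and therefore the whole data part become unpredictable and the pad check fails; that all-or-nothing behaviour is what the CCA proof [FOPS'01] relies on, and it only holds if the decoder gives the same answer for every kind of failure.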
Posted: 09/11/2019, 06:40