TheRSACryptosystem.pptVIP

The RSA Cryptosystem Dan Boneh Stanford University The RSA cryptosystem First published: Scientific American, Aug. 1977. (after some censorship entanglements) Currently the “work horse” of Internet security: Most Public Key Infrastructure (PKI) products. SSL/TLS: Certificates and key-exchange. Secure e-mail: PGP, Outlook, … The RSA trapdoor 1-to-1 function Parameters: N=pq. N ?1024 bits. p,q ?512 bits. e – encryption exponent. gcd(e, ?(N) ) = 1 . 1-to-1 function: RSA(M) = Me (mod N) where M?ZN* Textbook RSA is insecure Textbook RSA encryption: public key: (N,e) Encrypt: C = Me (mod N) private key: d Decrypt: Cd = M (mod N) (M ? ZN* ) Completely insecure cryptosystem: Does not satisfy basic definitions of security. Many attacks exist. The RSA trapdoor permutation is not a cryptosystem ! A simple attack on textbook RSA Session-key K is 64 bits. View K ? {0,…,264} Eavesdropper sees: C = Ke (mod N) . Suppose K = K1?K2 where K1, K2 234 . (prob. ?20%) Then: C/K1e = K2e (mod N) Build table: C/1e, C/2e, C/3e, …, C/234e . time: 234 For K2 = 0,…, 234 test if K2e is in table. time: 234?34 Attack time: ?240 264 Common RSA encryption Never use textbook RSA. RSA in practice: Main question: How should the preprocessing be done? Can we argue about security of resulting system? PKCS1 V1.5 PKCS1 mode 2: (encryption) Resulting value is RSA encrypted. Widely deployed in web servers and browsers. No security analysis !! Attack on PKCS1 Bleichenbacher 98. Chosen-ciphertext attack. PKCS1 used in SSL: ? attacker can test if 16 MSBs of plaintext = ’02’. Attack: to decrypt a given ciphertext C do: Pick r ? ZN. Compute C’ = re?C = (r ? PKCS1(M))e. Send C’ to web server and use response. Chosen ciphertext security (CCS) No efficient attacker can win the following game: (with non-negligible advantage) PKCS1 V2.0 - OAEP New preprocessing function: OAEP (BR94). T