SlideShare una empresa de Scribd logo

RSA криптосистем

sodhero
sodhero
EducaciónTecnología
1 de 20
The RSA Cryptosystem Dan Boneh Stanford University
The RSA cryptosystem  First published: • Scientific American, Aug. 1977. (after some censorship entanglements)  Currently the “work horse” of Internet security: • Most Public Key Infrastructure (PKI) products. • SSL/TLS: Certificates and key-exchange. • Secure e-mail: PGP, Outlook, … Page 2
The RSA trapdoor 1-to-1 function  Parameters: N=pq. N 1024 bits. p,q 512 bits. e – encryption exponent. gcd(e, (N) ) = 1 .  1-to-1 function: RSA(M) = Me (mod N) where M ZN*  Trapdoor: d – decryption exponent. Where e d = 1 (mod (N) ) d (N)+1  Inversion: RSA(M) = Med = Mk = M (mod N)  (n,e,t, )-RSA Assumption: For any t-time alg. A: Pr[ A(N,e,x) = x ]< 1/e p,q R n-bit primes, (N) : N pq, x R ZN* Page 3
Textbook RSA is insecure  Textbook RSA encryption: • public key: (N,e) Encrypt: C = Me (mod N) • private key: d Decrypt: Cd = M (mod N) (M Z N* )  Completely insecure cryptosystem: • Does not satisfy basic definitions of security. • Many attacks exist.  The RSA trapdoor permutation is not a cryptosystem ! Page 4
A simple attack on textbook RSA Rando CLIENT HELLO m session- Web SERVER HELLO (e,N) Web d key K Browser Server C=RSA(K)  Session-key K is 64 bits. View K {0,…,264} Eavesdropper sees: C = Ke (mod N) .  Suppose K = K1 K2 where K1, K2 < 234 . (prob. 20%) Then: C/K1e = K2e (mod N)  Build table: C/1e, C/2e, C/3e, …, C/234e . time: 234 For K2 = 0,…, 234 test if K2e is in table. time: 234 34  Attack time: 240 << 264 Page 5
Common RSA encryption  Never use textbook RSA.  RSA in practice: Preprocessing RSA ciphertext msg  Main question: • How should the preprocessing be done? • Can we argue about security of resulting system? Page 6
PKCS1 V1.5  PKCS1 mode 2: (encryption) 16 bits 02 random pad FF msg 1024 bits  Resulting value is RSA encrypted.  Widely deployed in web servers and browsers.  No security analysis !! Page 7
Attack on PKCS1  Bleichenbacher 98. Chosen-ciphertext attack.  PKCS1 used in SSL: C= ciphertext d C Is this PKCS1? Web Attacker Yes: continue Server 02 No: error attacker can test if 16 MSBs of plaintext = ’02’.  Attack: to decrypt a given ciphertext C do: e • Pick r ZN. Compute C’ = C = (r PKCS1(M)) . re • Send C’ to web server and use response. Page 8
Chosen ciphertext security (CCS)  No efficient attacker can win the following game: (with non-negligible advantage) M0 , M1 C=E(Mb) b Decryption Challenger R Attacker oracle Challenge C b’ Attacker wins if b=b’ Page 9
PKCS1 V2.0 - OAEP  New preprocessing function: OAEP (BR94). M 01 00..0 rand. + H Check pad on decryption. Reject CT if invalid. G + Plaintext to encrypt with RSA {0,1}n-1  Thm: RSA is trap-door permutation OAEP is CCS when H,G are “random oracles”.  In practice: use SHA-1 or MD5 for H and G. Page 10
OAEP Improvements  OAEP+: (Shoup’01) M W(M,R) R trap-door permutation F + H F-OAEP+ is CCS when H,G,W are “random oracles”. G +  SAEP+: (B’01) M W(M,R) R RSA trap-door perm RSA-SAEP+ is CCS when + H H,W are “random oracle”. Page 11
Subtleties in implementing OAEP [M ’00] OAEP-decrypt(C) { error = 0; if ( RSA-1(C) > 2n-1 ) { error =1; goto exit; } if ( pad(OAEP-1(RSA-1(C))) != “01000” ) } { error = 1; goto exit; }  Problem: timing information leaks type of error. Attacker can decrypt any ciphertext C.  Lesson: Don’t implement RSA-OAEP yourself … Page 12
Part II: Is RSA a One-Way Function?
Is RSA a one-way permutation?  To invert the RSA one-way function (without d) attacker must compute: M from C = Me (mod N).  How hard is computing e’th roots modulo N ??  Best known algorithm: • Step 1: factor N. (hard) • Step 2: Find e’th roots modulo p and q. (easy) Page 14
Shortcuts?  Must one factor N in order to compute e’th roots? Exists shortcut for breaking RSA without factoring?  To prove no shortcut exists show a reduction: • Efficient algorithm for e’th roots mod N efficient algorithm for factoring N. • Oldest problem in public key cryptography.  Evidence no reduction exists: (BV’98) • “Algebraic” reduction factoring is easy. • Unlike Diffie-Hellman (Maurer’94). Page 15
Improving RSA’s performance  To speed up RSA decryption use small private key d. Cd = M (mod N) • Wiener87: if d < N0.25 then RSA is insecure. • BD’98: if d < N0.292 then RSA is insecure (open: d < N0.5 ) • Insecure: priv. key d can be found from (N,e). • Small d should never be used. Page 16
Wiener’s attack  Recall: e d = 1 (mod (N) ) k Z : e d = k (N) + 1 e k 1 - (N) d d (N) (N) = N-p-q+1 |N- (N)| p+q 3 N e - k 1 d N0.25/3 N d 2d2 Continued fraction expansion of e/N gives k/d. e d = 1 (mod k) gcd(d,k)=1 Page 17
RSA With Low public exponent  To speed up RSA encryption (and sig. verify) use a small e. C = Me (mod N)  Minimal value: e=3 ( gcd(e, (N) ) = 1)  Recommended value: e=65537=216+1 Encryption: 17 mod. multiplies.  Several weak attacks. Non known on RSA-OAEP.  Asymmetry of RSA: fast enc. / slow dec. • ElGamal: approx. same time for both. Page 18
Implementation attacks  Attack the implementation of RSA.  Timing attack: (Kocher 97) The time it takes to compute Cd (mod N) can expose d.  Power attack: (Kocher 99) The power consumption of a smartcard while it is computing Cd (mod N) can expose d.  Faults attack: (BDL 97) A computer error during Cd (mod N) can expose d. OpenSSL defense: check output. 5% slowdown. Page 19
Key lengths Security of public key system should be comparable to security of block cipher. NIST: Cipher key-size Modulus size 64 bits 512 bits. 80 bits 1024 bits 128 bits 3072 bits. 256 bits (AES) 15360 bits  High security very large moduli. Not necessary with Elliptic Curve Cryptography. Page 20

Recomendados

An Analysis of Secure Remote Password (SRP)
An Analysis of Secure Remote Password (SRP)An Analysis of Secure Remote Password (SRP)
An Analysis of Secure Remote Password (SRP)Dharmalingam Ganesan
 
Solutions to online rsa factoring challenges
Solutions to online rsa factoring challengesSolutions to online rsa factoring challenges
Solutions to online rsa factoring challengesDharmalingam Ganesan
 
RSA without Padding
RSA without PaddingRSA without Padding
RSA without PaddingDharmalingam Ganesan
 
Cyclic Attacks on the RSA Trapdoor Function
Cyclic Attacks on the RSA Trapdoor FunctionCyclic Attacks on the RSA Trapdoor Function
Cyclic Attacks on the RSA Trapdoor FunctionDharmalingam Ganesan
 
An Analysis of RSA Public Exponent e
An Analysis of RSA Public Exponent eAn Analysis of RSA Public Exponent e
An Analysis of RSA Public Exponent eDharmalingam Ganesan
 
Analysis of Short RSA Secret Exponent d
Analysis of Short RSA Secret Exponent dAnalysis of Short RSA Secret Exponent d
Analysis of Short RSA Secret Exponent dDharmalingam Ganesan
 
Analysis of Shared RSA Modulus
Analysis of Shared RSA ModulusAnalysis of Shared RSA Modulus
Analysis of Shared RSA ModulusDharmalingam Ganesan
 
RSA Game using an Oracle
RSA Game using an OracleRSA Game using an Oracle
RSA Game using an OracleDharmalingam Ganesan
 

Recomendados

An Analysis of Secure Remote Password (SRP)
An Analysis of Secure Remote Password (SRP)An Analysis of Secure Remote Password (SRP)
An Analysis of Secure Remote Password (SRP)Dharmalingam Ganesan
 
Solutions to online rsa factoring challenges
Solutions to online rsa factoring challengesSolutions to online rsa factoring challenges
Solutions to online rsa factoring challengesDharmalingam Ganesan
 
RSA without Padding
RSA without PaddingRSA without Padding
RSA without PaddingDharmalingam Ganesan
 
Cyclic Attacks on the RSA Trapdoor Function
Cyclic Attacks on the RSA Trapdoor FunctionCyclic Attacks on the RSA Trapdoor Function
Cyclic Attacks on the RSA Trapdoor FunctionDharmalingam Ganesan
 
An Analysis of RSA Public Exponent e
An Analysis of RSA Public Exponent eAn Analysis of RSA Public Exponent e
An Analysis of RSA Public Exponent eDharmalingam Ganesan
 
Analysis of Short RSA Secret Exponent d
Analysis of Short RSA Secret Exponent dAnalysis of Short RSA Secret Exponent d
Analysis of Short RSA Secret Exponent dDharmalingam Ganesan
 
Analysis of Shared RSA Modulus
Analysis of Shared RSA ModulusAnalysis of Shared RSA Modulus
Analysis of Shared RSA ModulusDharmalingam Ganesan
 
RSA Game using an Oracle
RSA Game using an OracleRSA Game using an Oracle
RSA Game using an OracleDharmalingam Ganesan
 
rsa-1
rsa-1rsa-1
rsa-1aniruddh Tyagi
 
The rsa algorithm
The rsa algorithmThe rsa algorithm
The rsa algorithmKomal Singh
 
RSA without Integrity Checks
RSA without Integrity ChecksRSA without Integrity Checks
RSA without Integrity ChecksDharmalingam Ganesan
 
RSA cracking puzzle
RSA cracking puzzleRSA cracking puzzle
RSA cracking puzzleDharmalingam Ganesan
 
Security Attacks on RSA
Security Attacks on RSASecurity Attacks on RSA
Security Attacks on RSAPratik Poddar
 
RSA Algorithm
RSA AlgorithmRSA Algorithm
RSA AlgorithmJoon Young Park
 
Ntewrok secuirty cs7
Ntewrok secuirty cs7Ntewrok secuirty cs7
Ntewrok secuirty cs7Infinity Tech Solutions
 
On deriving the private key from a public key
On deriving the private key from a public keyOn deriving the private key from a public key
On deriving the private key from a public keyDharmalingam Ganesan
 
Computing the Square Roots of Unity to break RSA using Quantum Algorithms
Computing the Square Roots of Unity to break RSA using Quantum AlgorithmsComputing the Square Roots of Unity to break RSA using Quantum Algorithms
Computing the Square Roots of Unity to break RSA using Quantum AlgorithmsDharmalingam Ganesan
 
RSA Two Person Game
RSA Two Person GameRSA Two Person Game
RSA Two Person GameDharmalingam Ganesan
 
Security of RSA and Integer Factorization
Security of RSA and Integer FactorizationSecurity of RSA and Integer Factorization
Security of RSA and Integer FactorizationDharmalingam Ganesan
 
PKC&RSA
PKC&RSAPKC&RSA
PKC&RSAAnver S R
 
RSA Algorithm - Public Key Cryptography
RSA Algorithm - Public Key CryptographyRSA Algorithm - Public Key Cryptography
RSA Algorithm - Public Key CryptographyMd. Shafiul Alam Sagor
 
Kleptography
KleptographyKleptography
KleptographyErfan Mallick
 
RSA
RSARSA
RSAbansidhar11
 
Dependency Analysis of RSA Private Variables
Dependency Analysis of RSA Private VariablesDependency Analysis of RSA Private Variables
Dependency Analysis of RSA Private VariablesDharmalingam Ganesan
 
Presentation about RSA
Presentation about RSAPresentation about RSA
Presentation about RSASrilal Buddika
 
同態加密
同態加密同態加密
同態加密峻豪 呂
 
Public Key Algorithms
Public Key AlgorithmsPublic Key Algorithms
Public Key AlgorithmsBit Hacker
 
RSA шифрлэх арга (encryption)
RSA шифрлэх арга (encryption)RSA шифрлэх арга (encryption)
RSA шифрлэх арга (encryption)sodhero
 
Cryptography
CryptographyCryptography
CryptographyAskme.com
 
Криптологийн тухай ойлголт - Cryptology
Криптологийн тухай ойлголт - CryptologyКриптологийн тухай ойлголт - Cryptology
Криптологийн тухай ойлголт - Cryptologysodhero
 

Más contenido relacionado

La actualidad más candente

The rsa algorithm
The rsa algorithmThe rsa algorithm
The rsa algorithmKomal Singh
 
Security Attacks on RSA
Security Attacks on RSASecurity Attacks on RSA
Security Attacks on RSAPratik Poddar
 
On deriving the private key from a public key
On deriving the private key from a public keyOn deriving the private key from a public key
On deriving the private key from a public keyDharmalingam Ganesan
 
Computing the Square Roots of Unity to break RSA using Quantum Algorithms
Computing the Square Roots of Unity to break RSA using Quantum AlgorithmsComputing the Square Roots of Unity to break RSA using Quantum Algorithms
Computing the Square Roots of Unity to break RSA using Quantum AlgorithmsDharmalingam Ganesan
 
Security of RSA and Integer Factorization
Security of RSA and Integer FactorizationSecurity of RSA and Integer Factorization
Security of RSA and Integer FactorizationDharmalingam Ganesan
 
RSA Algorithm - Public Key Cryptography
RSA Algorithm - Public Key CryptographyRSA Algorithm - Public Key Cryptography
RSA Algorithm - Public Key CryptographyMd. Shafiul Alam Sagor
 
Dependency Analysis of RSA Private Variables
Dependency Analysis of RSA Private VariablesDependency Analysis of RSA Private Variables
Dependency Analysis of RSA Private VariablesDharmalingam Ganesan
 
Presentation about RSA
Presentation about RSAPresentation about RSA
Presentation about RSASrilal Buddika
 
Public Key Algorithms
Public Key AlgorithmsPublic Key Algorithms
Public Key AlgorithmsBit Hacker
 

La actualidad más candente (19)

rsa-1
rsa-1rsa-1
rsa-1
 
The rsa algorithm
The rsa algorithmThe rsa algorithm
The rsa algorithm
 
RSA without Integrity Checks
RSA without Integrity ChecksRSA without Integrity Checks
RSA without Integrity Checks
 
RSA cracking puzzle
RSA cracking puzzleRSA cracking puzzle
RSA cracking puzzle
 
Security Attacks on RSA
Security Attacks on RSASecurity Attacks on RSA
Security Attacks on RSA
 
RSA Algorithm
RSA AlgorithmRSA Algorithm
RSA Algorithm
 
Ntewrok secuirty cs7
Ntewrok secuirty cs7Ntewrok secuirty cs7
Ntewrok secuirty cs7
 
On deriving the private key from a public key
On deriving the private key from a public keyOn deriving the private key from a public key
On deriving the private key from a public key
 
Computing the Square Roots of Unity to break RSA using Quantum Algorithms
Computing the Square Roots of Unity to break RSA using Quantum AlgorithmsComputing the Square Roots of Unity to break RSA using Quantum Algorithms
Computing the Square Roots of Unity to break RSA using Quantum Algorithms
 
RSA Two Person Game
RSA Two Person GameRSA Two Person Game
RSA Two Person Game
 
Security of RSA and Integer Factorization
Security of RSA and Integer FactorizationSecurity of RSA and Integer Factorization
Security of RSA and Integer Factorization
 
PKC&RSA
PKC&RSAPKC&RSA
PKC&RSA
 
RSA Algorithm - Public Key Cryptography
RSA Algorithm - Public Key CryptographyRSA Algorithm - Public Key Cryptography
RSA Algorithm - Public Key Cryptography
 
Kleptography
KleptographyKleptography
Kleptography
 
RSA
RSARSA
RSA
 
Dependency Analysis of RSA Private Variables
Dependency Analysis of RSA Private VariablesDependency Analysis of RSA Private Variables
Dependency Analysis of RSA Private Variables
 
Presentation about RSA
Presentation about RSAPresentation about RSA
Presentation about RSA
 
同態加密
同態加密同態加密
同態加密
 
Public Key Algorithms
Public Key AlgorithmsPublic Key Algorithms
Public Key Algorithms
 

Destacado

RSA шифрлэх арга (encryption)
RSA шифрлэх арга (encryption)RSA шифрлэх арга (encryption)
RSA шифрлэх арга (encryption)sodhero
 
Cryptography
CryptographyCryptography
CryptographyAskme.com
 
Криптологийн тухай ойлголт - Cryptology
Криптологийн тухай ойлголт - CryptologyКриптологийн тухай ойлголт - Cryptology
Криптологийн тухай ойлголт - Cryptologysodhero
 
It101 lab11 use case
It101 lab11 use caseIt101 lab11 use case
It101 lab11 use caseBPurev
 
Erdenm shinjilgeenii hural
Erdenm shinjilgeenii huralErdenm shinjilgeenii hural
Erdenm shinjilgeenii huralBPurev
 
Computer olimpiad
Computer olimpiadComputer olimpiad
Computer olimpiadBPurev
 
Bie daalt 2 sedev
Bie daalt 2 sedevBie daalt 2 sedev
Bie daalt 2 sedevBPurev
 
U.IT101 Lab1
U.IT101 Lab1U.IT101 Lab1
U.IT101 Lab1BPurev
 
Lab6 db
Lab6 dbLab6 db
Lab6 dbBPurev
 
Bie daaltiin ajil 2
Bie daaltiin ajil 2Bie daaltiin ajil 2
Bie daaltiin ajil 2BPurev
 
Laboratory 10
Laboratory 10Laboratory 10
Laboratory 10BPurev
 
лабораторийн ажил 1 дөлгөөн тайвнаа
лабораторийн ажил 1 дөлгөөн тайвнаалабораторийн ажил 1 дөлгөөн тайвнаа
лабораторийн ажил 1 дөлгөөн тайвнааBPurev
 
Laboratory 9
Laboratory 9Laboratory 9
Laboratory 9BPurev
 
U.IT101 Lab8
U.IT101 Lab8U.IT101 Lab8
U.IT101 Lab8BPurev
 
U.IT101 Lab3
U.IT101 Lab3U.IT101 Lab3
U.IT101 Lab3BPurev
 
Laboratory 2
Laboratory 2Laboratory 2
Laboratory 2BPurev
 
It101 lab 5
It101 lab 5It101 lab 5
It101 lab 5BPurev
 

Destacado (18)

RSA шифрлэх арга (encryption)
RSA шифрлэх арга (encryption)RSA шифрлэх арга (encryption)
RSA шифрлэх арга (encryption)
 
Cryptography
CryptographyCryptography
Cryptography
 
Криптологийн тухай ойлголт - Cryptology
Криптологийн тухай ойлголт - CryptologyКриптологийн тухай ойлголт - Cryptology
Криптологийн тухай ойлголт - Cryptology
 
It101 lab11 use case
It101 lab11 use caseIt101 lab11 use case
It101 lab11 use case
 
Erdenm shinjilgeenii hural
Erdenm shinjilgeenii huralErdenm shinjilgeenii hural
Erdenm shinjilgeenii hural
 
Computer olimpiad
Computer olimpiadComputer olimpiad
Computer olimpiad
 
Bie daalt 2 sedev
Bie daalt 2 sedevBie daalt 2 sedev
Bie daalt 2 sedev
 
U.IT101 Lab1
U.IT101 Lab1U.IT101 Lab1
U.IT101 Lab1
 
Lab6 db
Lab6 dbLab6 db
Lab6 db
 
Bie daaltiin ajil 2
Bie daaltiin ajil 2Bie daaltiin ajil 2
Bie daaltiin ajil 2
 
Laboratory 10
Laboratory 10Laboratory 10
Laboratory 10
 
лабораторийн ажил 1 дөлгөөн тайвнаа
лабораторийн ажил 1 дөлгөөн тайвнаалабораторийн ажил 1 дөлгөөн тайвнаа
лабораторийн ажил 1 дөлгөөн тайвнаа
 
Laboratory 9
Laboratory 9Laboratory 9
Laboratory 9
 
U.IT101 Lab8
U.IT101 Lab8U.IT101 Lab8
U.IT101 Lab8
 
U.IT101 Lab3
U.IT101 Lab3U.IT101 Lab3
U.IT101 Lab3
 
Laboratory 2
Laboratory 2Laboratory 2
Laboratory 2
 
It101 lab 5
It101 lab 5It101 lab 5
It101 lab 5
 
Lab7
Lab7Lab7
Lab7
 

Similar a RSA криптосистем

Homomorphic Encryption
Homomorphic EncryptionHomomorphic Encryption
Homomorphic EncryptionGöktuğ Serez
 
Twenty years of attacks on the rsa cryptosystem
Twenty years of attacks on the rsa cryptosystemTwenty years of attacks on the rsa cryptosystem
Twenty years of attacks on the rsa cryptosystemlinzi320
 
RSA & MD5 algorithm
RSA & MD5 algorithmRSA & MD5 algorithm
RSA & MD5 algorithmSiva Rushi
 
introduction to cryptography (basics of it)
introduction to cryptography (basics of it)introduction to cryptography (basics of it)
introduction to cryptography (basics of it)neonaveen
 
TLS/SSL Internet Security Talk
TLS/SSL Internet Security TalkTLS/SSL Internet Security Talk
TLS/SSL Internet Security TalkNisheed KM
 
Rivest Shamir Adleman Algorithm and its variant : DRSA.pptx
Rivest Shamir Adleman Algorithm and its variant : DRSA.pptxRivest Shamir Adleman Algorithm and its variant : DRSA.pptx
Rivest Shamir Adleman Algorithm and its variant : DRSA.pptxwerip98386
 
Public-Key Cryptography.pdfWrite the result of the following operation with t...
Public-Key Cryptography.pdfWrite the result of the following operation with t...Public-Key Cryptography.pdfWrite the result of the following operation with t...
Public-Key Cryptography.pdfWrite the result of the following operation with t...FahmiOlayah
 
Timing Attack paper--pres--v.01
Timing Attack paper--pres--v.01Timing Attack paper--pres--v.01
Timing Attack paper--pres--v.01anasz3z3
 

Similar a RSA криптосистем (20)

rsa.ppt
rsa.pptrsa.ppt
rsa.ppt
 
rsa.ppt
rsa.pptrsa.ppt
rsa.ppt
 
rsa-1
rsa-1rsa-1
rsa-1
 
rsa-1
rsa-1rsa-1
rsa-1
 
Common Crypto Pitfalls
Common Crypto PitfallsCommon Crypto Pitfalls
Common Crypto Pitfalls
 
Homomorphic Encryption
Homomorphic EncryptionHomomorphic Encryption
Homomorphic Encryption
 
Twenty years of attacks on the rsa cryptosystem
Twenty years of attacks on the rsa cryptosystemTwenty years of attacks on the rsa cryptosystem
Twenty years of attacks on the rsa cryptosystem
 
RSA & MD5 algorithm
RSA & MD5 algorithmRSA & MD5 algorithm
RSA & MD5 algorithm
 
Rsa rivest shamir adleman
Rsa rivest shamir adlemanRsa rivest shamir adleman
Rsa rivest shamir adleman
 
Crypto lecture PDF
Crypto lecture PDFCrypto lecture PDF
Crypto lecture PDF
 
crypto1.ppt
crypto1.pptcrypto1.ppt
crypto1.ppt
 
introduction to cryptography (basics of it)
introduction to cryptography (basics of it)introduction to cryptography (basics of it)
introduction to cryptography (basics of it)
 
crypto.ppt
crypto.pptcrypto.ppt
crypto.ppt
 
needed.ppt
needed.pptneeded.ppt
needed.ppt
 
Computing on Encrypted Data
Computing on Encrypted DataComputing on Encrypted Data
Computing on Encrypted Data
 
TLS/SSL Internet Security Talk
TLS/SSL Internet Security TalkTLS/SSL Internet Security Talk
TLS/SSL Internet Security Talk
 
Rivest Shamir Adleman Algorithm and its variant : DRSA.pptx
Rivest Shamir Adleman Algorithm and its variant : DRSA.pptxRivest Shamir Adleman Algorithm and its variant : DRSA.pptx
Rivest Shamir Adleman Algorithm and its variant : DRSA.pptx
 
Public-Key Cryptography.pdfWrite the result of the following operation with t...
Public-Key Cryptography.pdfWrite the result of the following operation with t...Public-Key Cryptography.pdfWrite the result of the following operation with t...
Public-Key Cryptography.pdfWrite the result of the following operation with t...
 
Ch9
Ch9Ch9
Ch9
 
Timing Attack paper--pres--v.01
Timing Attack paper--pres--v.01Timing Attack paper--pres--v.01
Timing Attack paper--pres--v.01
 

Último

Q4-W6-Restating Informational Text Grade 3
Q4-W6-Restating Informational Text Grade 3Q4-W6-Restating Informational Text Grade 3
Q4-W6-Restating Informational Text Grade 3JemimahLaneBuaron
 
JAPAN: ORGANISATION OF PMDA, PHARMACEUTICAL LAWS & REGULATIONS, TYPES OF REGI...
JAPAN: ORGANISATION OF PMDA, PHARMACEUTICAL LAWS & REGULATIONS, TYPES OF REGI...JAPAN: ORGANISATION OF PMDA, PHARMACEUTICAL LAWS & REGULATIONS, TYPES OF REGI...
JAPAN: ORGANISATION OF PMDA, PHARMACEUTICAL LAWS & REGULATIONS, TYPES OF REGI...anjaliyadav012327
 
Beyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global ImpactBeyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global ImpactPECB
 
Grant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy ConsultingGrant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy ConsultingTechSoup
 
Sports & Fitness Value Added Course FY..
Sports & Fitness Value Added Course FY..Sports & Fitness Value Added Course FY..
Sports & Fitness Value Added Course FY..Disha Kariya
 
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdfBASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdfSoniaTolstoy
 
Sanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdfSanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdfsanyamsingh5019
 
Organic Name Reactions for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions for the students and aspirants of Chemistry12th.pptxOrganic Name Reactions for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions for the students and aspirants of Chemistry12th.pptxVS Mahajan Coaching Centre
 
Accessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impactAccessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impactdawncurless
 
Activity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfActivity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfciinovamais
 
Measures of Dispersion and Variability: Range, QD, AD and SD
Measures of Dispersion and Variability: Range, QD, AD and SDMeasures of Dispersion and Variability: Range, QD, AD and SD
Measures of Dispersion and Variability: Range, QD, AD and SDThiyagu K
 
9548086042 for call girls in Indira Nagar with room service
9548086042 for call girls in Indira Nagar with room service9548086042 for call girls in Indira Nagar with room service
9548086042 for call girls in Indira Nagar with room servicediscovermytutordmt
 
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...Krashi Coaching
 
Russian Call Girls in Andheri Airport Mumbai WhatsApp 9167673311 💞 Full Nigh...
Russian Call Girls in Andheri Airport Mumbai WhatsApp 9167673311 💞 Full Nigh...Russian Call Girls in Andheri Airport Mumbai WhatsApp 9167673311 💞 Full Nigh...
Russian Call Girls in Andheri Airport Mumbai WhatsApp 9167673311 💞 Full Nigh...Pooja Nehwal
 
Z Score,T Score, Percential Rank and Box Plot Graph
Z Score,T Score, Percential Rank and Box Plot GraphZ Score,T Score, Percential Rank and Box Plot Graph
Z Score,T Score, Percential Rank and Box Plot GraphThiyagu K
 
Paris 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activityParis 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activityGeoBlogs
 
APM Welcome, APM North West Network Conference, Synergies Across Sectors
APM Welcome, APM North West Network Conference, Synergies Across SectorsAPM Welcome, APM North West Network Conference, Synergies Across Sectors
APM Welcome, APM North West Network Conference, Synergies Across SectorsAssociation for Project Management
 
The byproduct of sericulture in different industries.pptx
The byproduct of sericulture in different industries.pptxThe byproduct of sericulture in different industries.pptx
The byproduct of sericulture in different industries.pptxShobhayan Kirtania
 
Measures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and ModeMeasures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and ModeThiyagu K
 

Último (20)

Q4-W6-Restating Informational Text Grade 3
Q4-W6-Restating Informational Text Grade 3Q4-W6-Restating Informational Text Grade 3
Q4-W6-Restating Informational Text Grade 3
 
JAPAN: ORGANISATION OF PMDA, PHARMACEUTICAL LAWS & REGULATIONS, TYPES OF REGI...
JAPAN: ORGANISATION OF PMDA, PHARMACEUTICAL LAWS & REGULATIONS, TYPES OF REGI...JAPAN: ORGANISATION OF PMDA, PHARMACEUTICAL LAWS & REGULATIONS, TYPES OF REGI...
JAPAN: ORGANISATION OF PMDA, PHARMACEUTICAL LAWS & REGULATIONS, TYPES OF REGI...
 
Beyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global ImpactBeyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global Impact
 
Grant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy ConsultingGrant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy Consulting
 
Sports & Fitness Value Added Course FY..
Sports & Fitness Value Added Course FY..Sports & Fitness Value Added Course FY..
Sports & Fitness Value Added Course FY..
 
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdfBASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
 
Sanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdfSanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdf
 
Organic Name Reactions for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions for the students and aspirants of Chemistry12th.pptxOrganic Name Reactions for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions for the students and aspirants of Chemistry12th.pptx
 
Accessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impactAccessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impact
 
Activity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfActivity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdf
 
Measures of Dispersion and Variability: Range, QD, AD and SD
Measures of Dispersion and Variability: Range, QD, AD and SDMeasures of Dispersion and Variability: Range, QD, AD and SD
Measures of Dispersion and Variability: Range, QD, AD and SD
 
INDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptx
INDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptxINDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptx
INDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptx
 
9548086042 for call girls in Indira Nagar with room service
9548086042 for call girls in Indira Nagar with room service9548086042 for call girls in Indira Nagar with room service
9548086042 for call girls in Indira Nagar with room service
 
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
 
Russian Call Girls in Andheri Airport Mumbai WhatsApp 9167673311 💞 Full Nigh...
Russian Call Girls in Andheri Airport Mumbai WhatsApp 9167673311 💞 Full Nigh...Russian Call Girls in Andheri Airport Mumbai WhatsApp 9167673311 💞 Full Nigh...
Russian Call Girls in Andheri Airport Mumbai WhatsApp 9167673311 💞 Full Nigh...
 
Z Score,T Score, Percential Rank and Box Plot Graph
Z Score,T Score, Percential Rank and Box Plot GraphZ Score,T Score, Percential Rank and Box Plot Graph
Z Score,T Score, Percential Rank and Box Plot Graph
 
Paris 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activityParis 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activity
 
APM Welcome, APM North West Network Conference, Synergies Across Sectors
APM Welcome, APM North West Network Conference, Synergies Across SectorsAPM Welcome, APM North West Network Conference, Synergies Across Sectors
APM Welcome, APM North West Network Conference, Synergies Across Sectors
 
The byproduct of sericulture in different industries.pptx
The byproduct of sericulture in different industries.pptxThe byproduct of sericulture in different industries.pptx
The byproduct of sericulture in different industries.pptx
 
Measures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and ModeMeasures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and Mode
 

RSA криптосистем

  • 1. The RSA Cryptosystem Dan Boneh Stanford University
  • 2. The RSA cryptosystem  First published: • Scientific American, Aug. 1977. (after some censorship entanglements)  Currently the “work horse” of Internet security: • Most Public Key Infrastructure (PKI) products. • SSL/TLS: Certificates and key-exchange. • Secure e-mail: PGP, Outlook, … Page 2
  • 3. The RSA trapdoor 1-to-1 function  Parameters: N=pq. N 1024 bits. p,q 512 bits. e – encryption exponent. gcd(e, (N) ) = 1 .  1-to-1 function: RSA(M) = Me (mod N) where M ZN*  Trapdoor: d – decryption exponent. Where e d = 1 (mod (N) ) d (N)+1  Inversion: RSA(M) = Med = Mk = M (mod N)  (n,e,t, )-RSA Assumption: For any t-time alg. A: Pr[ A(N,e,x) = x ]< 1/e p,q R n-bit primes, (N) : N pq, x R ZN* Page 3
  • 4. Textbook RSA is insecure  Textbook RSA encryption: • public key: (N,e) Encrypt: C = Me (mod N) • private key: d Decrypt: Cd = M (mod N) (M Z N* )  Completely insecure cryptosystem: • Does not satisfy basic definitions of security. • Many attacks exist.  The RSA trapdoor permutation is not a cryptosystem ! Page 4
  • 5. A simple attack on textbook RSA Rando CLIENT HELLO m session- Web SERVER HELLO (e,N) Web d key K Browser Server C=RSA(K)  Session-key K is 64 bits. View K {0,…,264} Eavesdropper sees: C = Ke (mod N) .  Suppose K = K1 K2 where K1, K2 < 234 . (prob. 20%) Then: C/K1e = K2e (mod N)  Build table: C/1e, C/2e, C/3e, …, C/234e . time: 234 For K2 = 0,…, 234 test if K2e is in table. time: 234 34  Attack time: 240 << 264 Page 5
  • 6. Common RSA encryption  Never use textbook RSA.  RSA in practice: Preprocessing RSA ciphertext msg  Main question: • How should the preprocessing be done? • Can we argue about security of resulting system? Page 6
  • 7. PKCS1 V1.5  PKCS1 mode 2: (encryption) 16 bits 02 random pad FF msg 1024 bits  Resulting value is RSA encrypted.  Widely deployed in web servers and browsers.  No security analysis !! Page 7
  • 8. Attack on PKCS1  Bleichenbacher 98. Chosen-ciphertext attack.  PKCS1 used in SSL: C= ciphertext d C Is this PKCS1? Web Attacker Yes: continue Server 02 No: error attacker can test if 16 MSBs of plaintext = ’02’.  Attack: to decrypt a given ciphertext C do: e • Pick r ZN. Compute C’ = C = (r PKCS1(M)) . re • Send C’ to web server and use response. Page 8
  • 9. Chosen ciphertext security (CCS)  No efficient attacker can win the following game: (with non-negligible advantage) M0 , M1 C=E(Mb) b Decryption Challenger R Attacker oracle Challenge C b’ Attacker wins if b=b’ Page 9
  • 10. PKCS1 V2.0 - OAEP  New preprocessing function: OAEP (BR94). M 01 00..0 rand. + H Check pad on decryption. Reject CT if invalid. G + Plaintext to encrypt with RSA {0,1}n-1  Thm: RSA is trap-door permutation OAEP is CCS when H,G are “random oracles”.  In practice: use SHA-1 or MD5 for H and G. Page 10
  • 11. OAEP Improvements  OAEP+: (Shoup’01) M W(M,R) R trap-door permutation F + H F-OAEP+ is CCS when H,G,W are “random oracles”. G +  SAEP+: (B’01) M W(M,R) R RSA trap-door perm RSA-SAEP+ is CCS when + H H,W are “random oracle”. Page 11
  • 12. Subtleties in implementing OAEP [M ’00] OAEP-decrypt(C) { error = 0; if ( RSA-1(C) > 2n-1 ) { error =1; goto exit; } if ( pad(OAEP-1(RSA-1(C))) != “01000” ) } { error = 1; goto exit; }  Problem: timing information leaks type of error. Attacker can decrypt any ciphertext C.  Lesson: Don’t implement RSA-OAEP yourself … Page 12
  • 13. Part II: Is RSA a One-Way Function?
  • 14. Is RSA a one-way permutation?  To invert the RSA one-way function (without d) attacker must compute: M from C = Me (mod N).  How hard is computing e’th roots modulo N ??  Best known algorithm: • Step 1: factor N. (hard) • Step 2: Find e’th roots modulo p and q. (easy) Page 14
  • 15. Shortcuts?  Must one factor N in order to compute e’th roots? Exists shortcut for breaking RSA without factoring?  To prove no shortcut exists show a reduction: • Efficient algorithm for e’th roots mod N efficient algorithm for factoring N. • Oldest problem in public key cryptography.  Evidence no reduction exists: (BV’98) • “Algebraic” reduction factoring is easy. • Unlike Diffie-Hellman (Maurer’94). Page 15
  • 16. Improving RSA’s performance  To speed up RSA decryption use small private key d. Cd = M (mod N) • Wiener87: if d < N0.25 then RSA is insecure. • BD’98: if d < N0.292 then RSA is insecure (open: d < N0.5 ) • Insecure: priv. key d can be found from (N,e). • Small d should never be used. Page 16
  • 17. Wiener’s attack  Recall: e d = 1 (mod (N) ) k Z : e d = k (N) + 1 e k 1 - (N) d d (N) (N) = N-p-q+1 |N- (N)| p+q 3 N e - k 1 d N0.25/3 N d 2d2 Continued fraction expansion of e/N gives k/d. e d = 1 (mod k) gcd(d,k)=1 Page 17
  • 18. RSA With Low public exponent  To speed up RSA encryption (and sig. verify) use a small e. C = Me (mod N)  Minimal value: e=3 ( gcd(e, (N) ) = 1)  Recommended value: e=65537=216+1 Encryption: 17 mod. multiplies.  Several weak attacks. Non known on RSA-OAEP.  Asymmetry of RSA: fast enc. / slow dec. • ElGamal: approx. same time for both. Page 18
  • 19. Implementation attacks  Attack the implementation of RSA.  Timing attack: (Kocher 97) The time it takes to compute Cd (mod N) can expose d.  Power attack: (Kocher 99) The power consumption of a smartcard while it is computing Cd (mod N) can expose d.  Faults attack: (BDL 97) A computer error during Cd (mod N) can expose d. OpenSSL defense: check output. 5% slowdown. Page 19
  • 20. Key lengths Security of public key system should be comparable to security of block cipher. NIST: Cipher key-size Modulus size 64 bits 512 bits. 80 bits 1024 bits 128 bits 3072 bits. 256 bits (AES) 15360 bits  High security very large moduli. Not necessary with Elliptic Curve Cryptography. Page 20