|Previous||Table of Contents||Next|
Moral: Never use RSA to sign a random document presented to you by a stranger. Always use a one-way hash function first. The ISO 9796 block format prevents this attack.
Common Modulus Attack on RSA
A possible RSA implementation gives everyone the same n, but different values for the exponents e and d. Unfortunately, this doesnt work. The most obvious problem is that if the same message is ever encrypted with two different exponents (both having the same modulus), and those two exponents are relatively prime (which they generally would be), then the plaintext can be recovered without either of the decryption exponents .
Let m be the plaintext message. The two encryption keys are e1 and e2. The common modulus is n. The two ciphertext messages are:
The cryptanalyst knows n, e1, e2, c1, and c2. Heres how he recovers m.
Since e1 and e2 are relatively prime, the extended Euclidean algorithm can find r and s, such that
Assuming r is negative (either r or s has to be, so just call the negative one r), then the extended Euclidean algorithm can be used again to calculate c1-1. Then
There are two other, more subtle, attacks against this type of system. One attack uses a probabilistic method for factoring n. The other uses a deterministic algorithm for calculating someones secret key without factoring the modulus. Both attacks are described in detail in .
Moral: Dont share a common n among a group of users.
Low Encryption Exponent Attack against RSA
RSA encryption and signature verification are faster if you use a low value for e, but that can also be insecure . If you encrypt e(e + 1)/2 linearly dependent messages with different public keys having the same value of e, there is an attack against the system. If there are fewer than that many messages, or if the messages are unrelated, there is no problem. If the messages are identical, then e messages are enough. The easiest solution is to pad messages with independent random values. This also ensures that me mod n ≠ me. Most real-world RSA implementationsPEM and PGP (see Sections 24.10 and 24.12), for exampledo this.
Moral: Pad messages with random values before encrypting them; make sure m is about the same size as n.
Low Decryption Exponent Attack against RSA
Another attack, this one by Michael Wiener, will recover d, when d is up to one quarter the size of n and e is less than n . This rarely occurs if e and d are chosen at random, and cannot occur if e has a small value.
Moral: Choose a large value for d.
Judith Moore lists several restrictions on the use of RSA, based on the success of these attacks [1114, 1115]:
Remember, it is not enough to have a secure cryptographic algorithm. The entire cryptosystem must be secure, and the cryptographic protocol must be secure. A failure in any of those three areas makes the overall system insecure.
Attack on Encrypting and Signing with RSA
It makes sense to sign a message before encrypting it (see Section 2.7), but not everyone follows this practice. With RSA, there is an attack against protocols that encrypt before signing .
Alice wants to send a message to Bob. First she encrypts it with Bobs public key; then she signs it with her private key. Her encrypted and signed message looks like:
Heres how Bob can claim that Alice sent him m and not m. Realize that since Bob knows the factorization of nB (its his modulus), he can calculate discrete logarithms with respect to nB. Therefore, all he has to do is to find an x such that
Then, if he can publish xeB as his new public exponent and keep nB as his modulus, he can claim that Alice sent him message m encrypted in this new exponent.
This is a particularly nasty attack in some circumstances. Note that hash functions dont solve the problem. However, forcing a fixed encryption exponent for every user does.
RSA is a de facto standard in much of the world. The ISO almost, but not quite, created an RSA digital-signature standard; RSA is in an information annex to ISO 9796 . The French banking community standardized on RSA , as have the Australians . The United States currently has no standard for public-key encryption, because of pressure from the NSA and patent issues. Many U.S. companies use PKCS (see Section 24.14), written by RSA Data Security, Inc. A draft ANSI banking standard specifies RSA .
The RSA algorithm is patented in the United States , but not in any other country. PKP licenses the patent, along with other public-key cryptography patents (see Section 25.5). The U.S. patent will expire on September 20, 2000.
The Pohlig-Hellman encryption scheme  is similar to RSA. It is not a symmetric algorithm, because different keys are used for encryption and decryption. It is not a public-key scheme, because the keys are easily derivable from each other; both the encryption and decryption keys must be kept secret.
Unlike RSA, n is not defined in terms of two large primes, it must remain part of the secret key. If someone had e and n, they could calculate d. Without knowledge of e or d, an adversary would be forced to calculate
We have already seen that this is a hard problem.
|Previous||Table of Contents||Next|