SlideShare a Scribd company logo

RSA криптосистем

sodhero
sodhero

The RSA cryptosystem is the most widely used public key cryptosystem. It uses a "trapdoor" one-way function to encrypt and decrypt messages. While textbook RSA is insecure, common implementations prepend random padding like OAEP to the message before encryption, which provides chosen ciphertext security. Despite its widespread use, RSA remains computationally intensive due to the need for large key sizes for security equivalents to modern block ciphers. Timing and fault attacks remain a concern if proper countermeasures are not implemented.

EducationTechnology
1 of 20
The RSA Cryptosystem Dan Boneh Stanford University
The RSA cryptosystem  First published: • Scientific American, Aug. 1977. (after some censorship entanglements)  Currently the “work horse” of Internet security: • Most Public Key Infrastructure (PKI) products. • SSL/TLS: Certificates and key-exchange. • Secure e-mail: PGP, Outlook, … Page 2
The RSA trapdoor 1-to-1 function  Parameters: N=pq. N 1024 bits. p,q 512 bits. e – encryption exponent. gcd(e, (N) ) = 1 .  1-to-1 function: RSA(M) = Me (mod N) where M ZN*  Trapdoor: d – decryption exponent. Where e d = 1 (mod (N) ) d (N)+1  Inversion: RSA(M) = Med = Mk = M (mod N)  (n,e,t, )-RSA Assumption: For any t-time alg. A: Pr[ A(N,e,x) = x ]< 1/e p,q R n-bit primes, (N) : N pq, x R ZN* Page 3
Textbook RSA is insecure  Textbook RSA encryption: • public key: (N,e) Encrypt: C = Me (mod N) • private key: d Decrypt: Cd = M (mod N) (M Z N* )  Completely insecure cryptosystem: • Does not satisfy basic definitions of security. • Many attacks exist.  The RSA trapdoor permutation is not a cryptosystem ! Page 4
A simple attack on textbook RSA Rando CLIENT HELLO m session- Web SERVER HELLO (e,N) Web d key K Browser Server C=RSA(K)  Session-key K is 64 bits. View K {0,…,264} Eavesdropper sees: C = Ke (mod N) .  Suppose K = K1 K2 where K1, K2 < 234 . (prob. 20%) Then: C/K1e = K2e (mod N)  Build table: C/1e, C/2e, C/3e, …, C/234e . time: 234 For K2 = 0,…, 234 test if K2e is in table. time: 234 34  Attack time: 240 << 264 Page 5
Common RSA encryption  Never use textbook RSA.  RSA in practice: Preprocessing RSA ciphertext msg  Main question: • How should the preprocessing be done? • Can we argue about security of resulting system? Page 6
PKCS1 V1.5  PKCS1 mode 2: (encryption) 16 bits 02 random pad FF msg 1024 bits  Resulting value is RSA encrypted.  Widely deployed in web servers and browsers.  No security analysis !! Page 7
Attack on PKCS1  Bleichenbacher 98. Chosen-ciphertext attack.  PKCS1 used in SSL: C= ciphertext d C Is this PKCS1? Web Attacker Yes: continue Server 02 No: error attacker can test if 16 MSBs of plaintext = ’02’.  Attack: to decrypt a given ciphertext C do: e • Pick r ZN. Compute C’ = C = (r PKCS1(M)) . re • Send C’ to web server and use response. Page 8
Chosen ciphertext security (CCS)  No efficient attacker can win the following game: (with non-negligible advantage) M0 , M1 C=E(Mb) b Decryption Challenger R Attacker oracle Challenge C b’ Attacker wins if b=b’ Page 9
PKCS1 V2.0 - OAEP  New preprocessing function: OAEP (BR94). M 01 00..0 rand. + H Check pad on decryption. Reject CT if invalid. G + Plaintext to encrypt with RSA {0,1}n-1  Thm: RSA is trap-door permutation OAEP is CCS when H,G are “random oracles”.  In practice: use SHA-1 or MD5 for H and G. Page 10
OAEP Improvements  OAEP+: (Shoup’01) M W(M,R) R trap-door permutation F + H F-OAEP+ is CCS when H,G,W are “random oracles”. G +  SAEP+: (B’01) M W(M,R) R RSA trap-door perm RSA-SAEP+ is CCS when + H H,W are “random oracle”. Page 11
Subtleties in implementing OAEP [M ’00] OAEP-decrypt(C) { error = 0; if ( RSA-1(C) > 2n-1 ) { error =1; goto exit; } if ( pad(OAEP-1(RSA-1(C))) != “01000” ) } { error = 1; goto exit; }  Problem: timing information leaks type of error. Attacker can decrypt any ciphertext C.  Lesson: Don’t implement RSA-OAEP yourself … Page 12
Part II: Is RSA a One-Way Function?
Is RSA a one-way permutation?  To invert the RSA one-way function (without d) attacker must compute: M from C = Me (mod N).  How hard is computing e’th roots modulo N ??  Best known algorithm: • Step 1: factor N. (hard) • Step 2: Find e’th roots modulo p and q. (easy) Page 14
Shortcuts?  Must one factor N in order to compute e’th roots? Exists shortcut for breaking RSA without factoring?  To prove no shortcut exists show a reduction: • Efficient algorithm for e’th roots mod N efficient algorithm for factoring N. • Oldest problem in public key cryptography.  Evidence no reduction exists: (BV’98) • “Algebraic” reduction factoring is easy. • Unlike Diffie-Hellman (Maurer’94). Page 15
Improving RSA’s performance  To speed up RSA decryption use small private key d. Cd = M (mod N) • Wiener87: if d < N0.25 then RSA is insecure. • BD’98: if d < N0.292 then RSA is insecure (open: d < N0.5 ) • Insecure: priv. key d can be found from (N,e). • Small d should never be used. Page 16
Wiener’s attack  Recall: e d = 1 (mod (N) ) k Z : e d = k (N) + 1 e k 1 - (N) d d (N) (N) = N-p-q+1 |N- (N)| p+q 3 N e - k 1 d N0.25/3 N d 2d2 Continued fraction expansion of e/N gives k/d. e d = 1 (mod k) gcd(d,k)=1 Page 17
RSA With Low public exponent  To speed up RSA encryption (and sig. verify) use a small e. C = Me (mod N)  Minimal value: e=3 ( gcd(e, (N) ) = 1)  Recommended value: e=65537=216+1 Encryption: 17 mod. multiplies.  Several weak attacks. Non known on RSA-OAEP.  Asymmetry of RSA: fast enc. / slow dec. • ElGamal: approx. same time for both. Page 18
Implementation attacks  Attack the implementation of RSA.  Timing attack: (Kocher 97) The time it takes to compute Cd (mod N) can expose d.  Power attack: (Kocher 99) The power consumption of a smartcard while it is computing Cd (mod N) can expose d.  Faults attack: (BDL 97) A computer error during Cd (mod N) can expose d. OpenSSL defense: check output. 5% slowdown. Page 19
Key lengths Security of public key system should be comparable to security of block cipher. NIST: Cipher key-size Modulus size 64 bits 512 bits. 80 bits 1024 bits 128 bits 3072 bits. 256 bits (AES) 15360 bits  High security very large moduli. Not necessary with Elliptic Curve Cryptography. Page 20

Recommended

An Analysis of Secure Remote Password (SRP)
An Analysis of Secure Remote Password (SRP)An Analysis of Secure Remote Password (SRP)
An Analysis of Secure Remote Password (SRP)
Dharmalingam Ganesan
 
Solutions to online rsa factoring challenges
Solutions to online rsa factoring challengesSolutions to online rsa factoring challenges
Solutions to online rsa factoring challenges
Dharmalingam Ganesan
 
RSA without Padding
RSA without PaddingRSA without Padding
RSA without Padding
Dharmalingam Ganesan
 
Cyclic Attacks on the RSA Trapdoor Function
Cyclic Attacks on the RSA Trapdoor FunctionCyclic Attacks on the RSA Trapdoor Function
Cyclic Attacks on the RSA Trapdoor Function
Dharmalingam Ganesan
 
An Analysis of RSA Public Exponent e
An Analysis of RSA Public Exponent eAn Analysis of RSA Public Exponent e
An Analysis of RSA Public Exponent e
Dharmalingam Ganesan
 
Analysis of Short RSA Secret Exponent d
Analysis of Short RSA Secret Exponent dAnalysis of Short RSA Secret Exponent d
Analysis of Short RSA Secret Exponent d
Dharmalingam Ganesan
 
Analysis of Shared RSA Modulus
Analysis of Shared RSA ModulusAnalysis of Shared RSA Modulus
Analysis of Shared RSA Modulus
Dharmalingam Ganesan
 
RSA Game using an Oracle
RSA Game using an OracleRSA Game using an Oracle
RSA Game using an Oracle
Dharmalingam Ganesan
 

Recommended

An Analysis of Secure Remote Password (SRP)
An Analysis of Secure Remote Password (SRP)An Analysis of Secure Remote Password (SRP)
An Analysis of Secure Remote Password (SRP)
Dharmalingam Ganesan
 
Solutions to online rsa factoring challenges
Solutions to online rsa factoring challengesSolutions to online rsa factoring challenges
Solutions to online rsa factoring challenges
Dharmalingam Ganesan
 
RSA without Padding
RSA without PaddingRSA without Padding
RSA without Padding
Dharmalingam Ganesan
 
Cyclic Attacks on the RSA Trapdoor Function
Cyclic Attacks on the RSA Trapdoor FunctionCyclic Attacks on the RSA Trapdoor Function
Cyclic Attacks on the RSA Trapdoor Function
Dharmalingam Ganesan
 
An Analysis of RSA Public Exponent e
An Analysis of RSA Public Exponent eAn Analysis of RSA Public Exponent e
An Analysis of RSA Public Exponent e
Dharmalingam Ganesan
 
Analysis of Short RSA Secret Exponent d
Analysis of Short RSA Secret Exponent dAnalysis of Short RSA Secret Exponent d
Analysis of Short RSA Secret Exponent d
Dharmalingam Ganesan
 
Analysis of Shared RSA Modulus
Analysis of Shared RSA ModulusAnalysis of Shared RSA Modulus
Analysis of Shared RSA Modulus
Dharmalingam Ganesan
 
RSA Game using an Oracle
RSA Game using an OracleRSA Game using an Oracle
RSA Game using an Oracle
Dharmalingam Ganesan
 
rsa-1
rsa-1rsa-1
rsa-1aniruddh Tyagi
 
The rsa algorithm
The rsa algorithmThe rsa algorithm
The rsa algorithmKomal Singh
 
RSA without Integrity Checks
RSA without Integrity ChecksRSA without Integrity Checks
RSA without Integrity Checks
Dharmalingam Ganesan
 
RSA cracking puzzle
RSA cracking puzzleRSA cracking puzzle
RSA cracking puzzle
Dharmalingam Ganesan
 
Security Attacks on RSA
Security Attacks on RSASecurity Attacks on RSA
Security Attacks on RSA
Pratik Poddar
 
RSA Algorithm
RSA AlgorithmRSA Algorithm
RSA Algorithm
Joon Young Park
 
Ntewrok secuirty cs7
Ntewrok secuirty cs7Ntewrok secuirty cs7
Ntewrok secuirty cs7
Infinity Tech Solutions
 
On deriving the private key from a public key
On deriving the private key from a public keyOn deriving the private key from a public key
On deriving the private key from a public key
Dharmalingam Ganesan
 
Computing the Square Roots of Unity to break RSA using Quantum Algorithms
Computing the Square Roots of Unity to break RSA using Quantum AlgorithmsComputing the Square Roots of Unity to break RSA using Quantum Algorithms
Computing the Square Roots of Unity to break RSA using Quantum Algorithms
Dharmalingam Ganesan
 
RSA Two Person Game
RSA Two Person GameRSA Two Person Game
RSA Two Person Game
Dharmalingam Ganesan
 
Security of RSA and Integer Factorization
Security of RSA and Integer FactorizationSecurity of RSA and Integer Factorization
Security of RSA and Integer Factorization
Dharmalingam Ganesan
 
PKC&RSA
PKC&RSAPKC&RSA
PKC&RSA
Anver S R
 
RSA Algorithm - Public Key Cryptography
RSA Algorithm - Public Key CryptographyRSA Algorithm - Public Key Cryptography
RSA Algorithm - Public Key Cryptography
Md. Shafiul Alam Sagor
 
Kleptography
KleptographyKleptography
Kleptography
Erfan Mallick
 
RSA
RSARSA
RSA
bansidhar11
 
Dependency Analysis of RSA Private Variables
Dependency Analysis of RSA Private VariablesDependency Analysis of RSA Private Variables
Dependency Analysis of RSA Private Variables
Dharmalingam Ganesan
 
Presentation about RSA
Presentation about RSAPresentation about RSA
Presentation about RSA
Srilal Buddika
 
同態加密
同態加密同態加密
同態加密
峻豪 呂
 
Public Key Algorithms
Public Key AlgorithmsPublic Key Algorithms
Public Key Algorithms
Bit Hacker
 
RSA шифрлэх арга (encryption)
RSA шифрлэх арга (encryption)RSA шифрлэх арга (encryption)
RSA шифрлэх арга (encryption)sodhero
 
Cryptography
CryptographyCryptography
Cryptography
Askme.com
 
Криптологийн тухай ойлголт - Cryptology
Криптологийн тухай ойлголт - CryptologyКриптологийн тухай ойлголт - Cryptology
Криптологийн тухай ойлголт - Cryptology
sodhero
 

More Related Content

What's hot

The rsa algorithm
The rsa algorithmThe rsa algorithm
The rsa algorithmKomal Singh
 
RSA without Integrity Checks
RSA without Integrity ChecksRSA without Integrity Checks
RSA without Integrity Checks
Dharmalingam Ganesan
 
RSA cracking puzzle
RSA cracking puzzleRSA cracking puzzle
RSA cracking puzzle
Dharmalingam Ganesan
 
Security Attacks on RSA
Security Attacks on RSASecurity Attacks on RSA
Security Attacks on RSA
Pratik Poddar
 
RSA Algorithm
RSA AlgorithmRSA Algorithm
RSA Algorithm
Joon Young Park
 
Ntewrok secuirty cs7
Ntewrok secuirty cs7Ntewrok secuirty cs7
Ntewrok secuirty cs7
Infinity Tech Solutions
 
On deriving the private key from a public key
On deriving the private key from a public keyOn deriving the private key from a public key
On deriving the private key from a public key
Dharmalingam Ganesan
 
Computing the Square Roots of Unity to break RSA using Quantum Algorithms
Computing the Square Roots of Unity to break RSA using Quantum AlgorithmsComputing the Square Roots of Unity to break RSA using Quantum Algorithms
Computing the Square Roots of Unity to break RSA using Quantum Algorithms
Dharmalingam Ganesan
 
RSA Two Person Game
RSA Two Person GameRSA Two Person Game
RSA Two Person Game
Dharmalingam Ganesan
 
Security of RSA and Integer Factorization
Security of RSA and Integer FactorizationSecurity of RSA and Integer Factorization
Security of RSA and Integer Factorization
Dharmalingam Ganesan
 
PKC&RSA
PKC&RSAPKC&RSA
PKC&RSA
Anver S R
 
RSA Algorithm - Public Key Cryptography
RSA Algorithm - Public Key CryptographyRSA Algorithm - Public Key Cryptography
RSA Algorithm - Public Key Cryptography
Md. Shafiul Alam Sagor
 
Kleptography
KleptographyKleptography
Kleptography
Erfan Mallick
 
RSA
RSARSA
RSA
bansidhar11
 
Dependency Analysis of RSA Private Variables
Dependency Analysis of RSA Private VariablesDependency Analysis of RSA Private Variables
Dependency Analysis of RSA Private Variables
Dharmalingam Ganesan
 
Presentation about RSA
Presentation about RSAPresentation about RSA
Presentation about RSA
Srilal Buddika
 
同態加密
同態加密同態加密
同態加密
峻豪 呂
 
Public Key Algorithms
Public Key AlgorithmsPublic Key Algorithms
Public Key Algorithms
Bit Hacker
 

What's hot (19)

rsa-1
rsa-1rsa-1
rsa-1
 
The rsa algorithm
The rsa algorithmThe rsa algorithm
The rsa algorithm
 
RSA without Integrity Checks
RSA without Integrity ChecksRSA without Integrity Checks
RSA without Integrity Checks
 
RSA cracking puzzle
RSA cracking puzzleRSA cracking puzzle
RSA cracking puzzle
 
Security Attacks on RSA
Security Attacks on RSASecurity Attacks on RSA
Security Attacks on RSA
 
RSA Algorithm
RSA AlgorithmRSA Algorithm
RSA Algorithm
 
Ntewrok secuirty cs7
Ntewrok secuirty cs7Ntewrok secuirty cs7
Ntewrok secuirty cs7
 
On deriving the private key from a public key
On deriving the private key from a public keyOn deriving the private key from a public key
On deriving the private key from a public key
 
Computing the Square Roots of Unity to break RSA using Quantum Algorithms
Computing the Square Roots of Unity to break RSA using Quantum AlgorithmsComputing the Square Roots of Unity to break RSA using Quantum Algorithms
Computing the Square Roots of Unity to break RSA using Quantum Algorithms
 
RSA Two Person Game
RSA Two Person GameRSA Two Person Game
RSA Two Person Game
 
Security of RSA and Integer Factorization
Security of RSA and Integer FactorizationSecurity of RSA and Integer Factorization
Security of RSA and Integer Factorization
 
PKC&RSA
PKC&RSAPKC&RSA
PKC&RSA
 
RSA Algorithm - Public Key Cryptography
RSA Algorithm - Public Key CryptographyRSA Algorithm - Public Key Cryptography
RSA Algorithm - Public Key Cryptography
 
Kleptography
KleptographyKleptography
Kleptography
 
RSA
RSARSA
RSA
 
Dependency Analysis of RSA Private Variables
Dependency Analysis of RSA Private VariablesDependency Analysis of RSA Private Variables
Dependency Analysis of RSA Private Variables
 
Presentation about RSA
Presentation about RSAPresentation about RSA
Presentation about RSA
 
同態加密
同態加密同態加密
同態加密
 
Public Key Algorithms
Public Key AlgorithmsPublic Key Algorithms
Public Key Algorithms
 

Viewers also liked

RSA шифрлэх арга (encryption)
RSA шифрлэх арга (encryption)RSA шифрлэх арга (encryption)
RSA шифрлэх арга (encryption)sodhero
 
Cryptography
CryptographyCryptography
Cryptography
Askme.com
 
Криптологийн тухай ойлголт - Cryptology
Криптологийн тухай ойлголт - CryptologyКриптологийн тухай ойлголт - Cryptology
Криптологийн тухай ойлголт - Cryptology
sodhero
 
It101 lab11 use case
It101 lab11 use caseIt101 lab11 use case
It101 lab11 use case
BPurev
 
Erdenm shinjilgeenii hural
Erdenm shinjilgeenii huralErdenm shinjilgeenii hural
Erdenm shinjilgeenii hural
BPurev
 
Computer olimpiad
Computer olimpiadComputer olimpiad
Computer olimpiad
BPurev
 
Bie daalt 2 sedev
Bie daalt 2 sedevBie daalt 2 sedev
Bie daalt 2 sedev
BPurev
 
U.IT101 Lab1
U.IT101 Lab1U.IT101 Lab1
U.IT101 Lab1
BPurev
 
Lab6 db
Lab6 dbLab6 db
Lab6 dbBPurev
 
Bie daaltiin ajil 2
Bie daaltiin ajil 2Bie daaltiin ajil 2
Bie daaltiin ajil 2
BPurev
 
Laboratory 10
Laboratory 10Laboratory 10
Laboratory 10
BPurev
 
лабораторийн ажил 1 дөлгөөн тайвнаа
лабораторийн ажил 1 дөлгөөн тайвнаалабораторийн ажил 1 дөлгөөн тайвнаа
лабораторийн ажил 1 дөлгөөн тайвнаа
BPurev
 
Laboratory 9
Laboratory 9Laboratory 9
Laboratory 9
BPurev
 
U.IT101 Lab8
U.IT101 Lab8U.IT101 Lab8
U.IT101 Lab8
BPurev
 
U.IT101 Lab3
U.IT101 Lab3U.IT101 Lab3
U.IT101 Lab3
BPurev
 
Laboratory 2
Laboratory 2Laboratory 2
Laboratory 2
BPurev
 
It101 lab 5
It101 lab 5It101 lab 5
It101 lab 5
BPurev
 
Lab7
Lab7Lab7
Lab7
BPurev
 

Viewers also liked (18)

RSA шифрлэх арга (encryption)
RSA шифрлэх арга (encryption)RSA шифрлэх арга (encryption)
RSA шифрлэх арга (encryption)
 
Cryptography
CryptographyCryptography
Cryptography
 
Криптологийн тухай ойлголт - Cryptology
Криптологийн тухай ойлголт - CryptologyКриптологийн тухай ойлголт - Cryptology
Криптологийн тухай ойлголт - Cryptology
 
It101 lab11 use case
It101 lab11 use caseIt101 lab11 use case
It101 lab11 use case
 
Erdenm shinjilgeenii hural
Erdenm shinjilgeenii huralErdenm shinjilgeenii hural
Erdenm shinjilgeenii hural
 
Computer olimpiad
Computer olimpiadComputer olimpiad
Computer olimpiad
 
Bie daalt 2 sedev
Bie daalt 2 sedevBie daalt 2 sedev
Bie daalt 2 sedev
 
U.IT101 Lab1
U.IT101 Lab1U.IT101 Lab1
U.IT101 Lab1
 
Lab6 db
Lab6 dbLab6 db
Lab6 db
 
Bie daaltiin ajil 2
Bie daaltiin ajil 2Bie daaltiin ajil 2
Bie daaltiin ajil 2
 
Laboratory 10
Laboratory 10Laboratory 10
Laboratory 10
 
лабораторийн ажил 1 дөлгөөн тайвнаа
лабораторийн ажил 1 дөлгөөн тайвнаалабораторийн ажил 1 дөлгөөн тайвнаа
лабораторийн ажил 1 дөлгөөн тайвнаа
 
Laboratory 9
Laboratory 9Laboratory 9
Laboratory 9
 
U.IT101 Lab8
U.IT101 Lab8U.IT101 Lab8
U.IT101 Lab8
 
U.IT101 Lab3
U.IT101 Lab3U.IT101 Lab3
U.IT101 Lab3
 
Laboratory 2
Laboratory 2Laboratory 2
Laboratory 2
 
It101 lab 5
It101 lab 5It101 lab 5
It101 lab 5
 
Lab7
Lab7Lab7
Lab7
 

Similar to RSA криптосистем

rsa.ppt
rsa.pptrsa.ppt
rsa.ppt
ArkadiansNatblida
 
Common Crypto Pitfalls
Common Crypto PitfallsCommon Crypto Pitfalls
Common Crypto Pitfalls
Amirali Sanatinia
 
Homomorphic Encryption
Homomorphic EncryptionHomomorphic Encryption
Homomorphic Encryption
Göktuğ Serez
 
Twenty years of attacks on the rsa cryptosystem
Twenty years of attacks on the rsa cryptosystemTwenty years of attacks on the rsa cryptosystem
Twenty years of attacks on the rsa cryptosystemlinzi320
 
RSA & MD5 algorithm
RSA & MD5 algorithmRSA & MD5 algorithm
RSA & MD5 algorithmSiva Rushi
 
Rsa rivest shamir adleman
Rsa rivest shamir adlemanRsa rivest shamir adleman
Rsa rivest shamir adleman
Hossain Md Shakhawat
 
crypto1.ppt
crypto1.pptcrypto1.ppt
crypto1.ppt
tommychauhan
 
needed.ppt
needed.pptneeded.ppt
needed.ppt
faizalkhan673954
 
introduction to cryptography (basics of it)
introduction to cryptography (basics of it)introduction to cryptography (basics of it)
introduction to cryptography (basics of it)
neonaveen
 
crypto.ppt
crypto.pptcrypto.ppt
crypto.ppt
Ganesh Chavan
 
Computing on Encrypted Data
Computing on Encrypted DataComputing on Encrypted Data
Computing on Encrypted Data
New York Technology Council
 
TLS/SSL Internet Security Talk
TLS/SSL Internet Security TalkTLS/SSL Internet Security Talk
TLS/SSL Internet Security Talk
Nisheed KM
 
Rivest Shamir Adleman Algorithm and its variant : DRSA.pptx
Rivest Shamir Adleman Algorithm and its variant : DRSA.pptxRivest Shamir Adleman Algorithm and its variant : DRSA.pptx
Rivest Shamir Adleman Algorithm and its variant : DRSA.pptx
werip98386
 
Public-Key Cryptography.pdfWrite the result of the following operation with t...
Public-Key Cryptography.pdfWrite the result of the following operation with t...Public-Key Cryptography.pdfWrite the result of the following operation with t...
Public-Key Cryptography.pdfWrite the result of the following operation with t...
FahmiOlayah
 
Ch9
Ch9Ch9
Ch9
Mahender Kumar
 
Timing Attack paper--pres--v.01
Timing Attack paper--pres--v.01Timing Attack paper--pres--v.01
Timing Attack paper--pres--v.01
anasz3z3
 

Similar to RSA криптосистем (20)

rsa.ppt
rsa.pptrsa.ppt
rsa.ppt
 
rsa.ppt
rsa.pptrsa.ppt
rsa.ppt
 
rsa-1
rsa-1rsa-1
rsa-1
 
rsa-1
rsa-1rsa-1
rsa-1
 
Common Crypto Pitfalls
Common Crypto PitfallsCommon Crypto Pitfalls
Common Crypto Pitfalls
 
Homomorphic Encryption
Homomorphic EncryptionHomomorphic Encryption
Homomorphic Encryption
 
Twenty years of attacks on the rsa cryptosystem
Twenty years of attacks on the rsa cryptosystemTwenty years of attacks on the rsa cryptosystem
Twenty years of attacks on the rsa cryptosystem
 
RSA & MD5 algorithm
RSA & MD5 algorithmRSA & MD5 algorithm
RSA & MD5 algorithm
 
Rsa rivest shamir adleman
Rsa rivest shamir adlemanRsa rivest shamir adleman
Rsa rivest shamir adleman
 
Crypto lecture PDF
Crypto lecture PDFCrypto lecture PDF
Crypto lecture PDF
 
crypto1.ppt
crypto1.pptcrypto1.ppt
crypto1.ppt
 
needed.ppt
needed.pptneeded.ppt
needed.ppt
 
introduction to cryptography (basics of it)
introduction to cryptography (basics of it)introduction to cryptography (basics of it)
introduction to cryptography (basics of it)
 
crypto.ppt
crypto.pptcrypto.ppt
crypto.ppt
 
Computing on Encrypted Data
Computing on Encrypted DataComputing on Encrypted Data
Computing on Encrypted Data
 
TLS/SSL Internet Security Talk
TLS/SSL Internet Security TalkTLS/SSL Internet Security Talk
TLS/SSL Internet Security Talk
 
Rivest Shamir Adleman Algorithm and its variant : DRSA.pptx
Rivest Shamir Adleman Algorithm and its variant : DRSA.pptxRivest Shamir Adleman Algorithm and its variant : DRSA.pptx
Rivest Shamir Adleman Algorithm and its variant : DRSA.pptx
 
Public-Key Cryptography.pdfWrite the result of the following operation with t...
Public-Key Cryptography.pdfWrite the result of the following operation with t...Public-Key Cryptography.pdfWrite the result of the following operation with t...
Public-Key Cryptography.pdfWrite the result of the following operation with t...
 
Ch9
Ch9Ch9
Ch9
 
Timing Attack paper--pres--v.01
Timing Attack paper--pres--v.01Timing Attack paper--pres--v.01
Timing Attack paper--pres--v.01
 

Recently uploaded

Honest Reviews of Tim Han LMA Course Program.pptx
Honest Reviews of Tim Han LMA Course Program.pptxHonest Reviews of Tim Han LMA Course Program.pptx
Honest Reviews of Tim Han LMA Course Program.pptx
timhan337
 
Digital Tools and AI for Teaching Learning and Research
Digital Tools and AI for Teaching Learning and ResearchDigital Tools and AI for Teaching Learning and Research
Digital Tools and AI for Teaching Learning and Research
Vikramjit Singh
 
Digital Artifact 2 - Investigating Pavilion Designs
Digital Artifact 2 - Investigating Pavilion DesignsDigital Artifact 2 - Investigating Pavilion Designs
Digital Artifact 2 - Investigating Pavilion Designs
chanes7
 
Francesca Gottschalk - How can education support child empowerment.pptx
Francesca Gottschalk - How can education support child empowerment.pptxFrancesca Gottschalk - How can education support child empowerment.pptx
Francesca Gottschalk - How can education support child empowerment.pptx
EduSkills OECD
 
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
siemaillard
 
Best Digital Marketing Institute In NOIDA
Best Digital Marketing Institute In NOIDABest Digital Marketing Institute In NOIDA
Best Digital Marketing Institute In NOIDA
deeptiverma2406
 
Unit 8 - Information and Communication Technology (Paper I).pdf
Unit 8 - Information and Communication Technology (Paper I).pdfUnit 8 - Information and Communication Technology (Paper I).pdf
Unit 8 - Information and Communication Technology (Paper I).pdf
Thiyagu K
 
Azure Interview Questions and Answers PDF By ScholarHat
Azure Interview Questions and Answers PDF By ScholarHatAzure Interview Questions and Answers PDF By ScholarHat
Azure Interview Questions and Answers PDF By ScholarHat
Scholarhat
 
Thesis Statement for students diagnonsed withADHD.ppt
Thesis Statement for students diagnonsed withADHD.pptThesis Statement for students diagnonsed withADHD.ppt
Thesis Statement for students diagnonsed withADHD.ppt
EverAndrsGuerraGuerr
 
Multithreading_in_C++ - std::thread, race condition
Multithreading_in_C++ - std::thread, race conditionMultithreading_in_C++ - std::thread, race condition
Multithreading_in_C++ - std::thread, race condition
Mohammed Sikander
 
The French Revolution Class 9 Study Material pdf free download
The French Revolution Class 9 Study Material pdf free downloadThe French Revolution Class 9 Study Material pdf free download
The French Revolution Class 9 Study Material pdf free download
Vivekanand Anglo Vedic Academy
 
Acetabularia Information For Class 9 .docx
Acetabularia Information For Class 9 .docxAcetabularia Information For Class 9 .docx
Acetabularia Information For Class 9 .docx
vaibhavrinwa19
 
TESDA TM1 REVIEWER FOR NATIONAL ASSESSMENT WRITTEN AND ORAL QUESTIONS WITH A...
TESDA TM1 REVIEWER FOR NATIONAL ASSESSMENT WRITTEN AND ORAL QUESTIONS WITH A...TESDA TM1 REVIEWER FOR NATIONAL ASSESSMENT WRITTEN AND ORAL QUESTIONS WITH A...
TESDA TM1 REVIEWER FOR NATIONAL ASSESSMENT WRITTEN AND ORAL QUESTIONS WITH A...
EugeneSaldivar
 
Supporting (UKRI) OA monographs at Salford.pptx
Supporting (UKRI) OA monographs at Salford.pptxSupporting (UKRI) OA monographs at Salford.pptx
Supporting (UKRI) OA monographs at Salford.pptx
Jisc
 
Biological Screening of Herbal Drugs in detailed.
Biological Screening of Herbal Drugs in detailed.Biological Screening of Herbal Drugs in detailed.
Biological Screening of Herbal Drugs in detailed.
Ashokrao Mane college of Pharmacy Peth-Vadgaon
 
Model Attribute Check Company Auto Property
Model Attribute Check Company Auto PropertyModel Attribute Check Company Auto Property
Model Attribute Check Company Auto Property
Celine George
 
STRAND 3 HYGIENIC PRACTICES.pptx GRADE 7 CBC
STRAND 3 HYGIENIC PRACTICES.pptx GRADE 7 CBCSTRAND 3 HYGIENIC PRACTICES.pptx GRADE 7 CBC
STRAND 3 HYGIENIC PRACTICES.pptx GRADE 7 CBC
kimdan468
 
Normal Labour/ Stages of Labour/ Mechanism of Labour
Normal Labour/ Stages of Labour/ Mechanism of LabourNormal Labour/ Stages of Labour/ Mechanism of Labour
Normal Labour/ Stages of Labour/ Mechanism of Labour
Wasim Ak
 
Unit 2- Research Aptitude (UGC NET Paper I).pdf
Unit 2- Research Aptitude (UGC NET Paper I).pdfUnit 2- Research Aptitude (UGC NET Paper I).pdf
Unit 2- Research Aptitude (UGC NET Paper I).pdf
Thiyagu K
 
Group Presentation 2 Economics.Ariana Buscigliopptx
Group Presentation 2 Economics.Ariana BuscigliopptxGroup Presentation 2 Economics.Ariana Buscigliopptx
Group Presentation 2 Economics.Ariana Buscigliopptx
ArianaBusciglio
 

Recently uploaded (20)

Honest Reviews of Tim Han LMA Course Program.pptx
Honest Reviews of Tim Han LMA Course Program.pptxHonest Reviews of Tim Han LMA Course Program.pptx
Honest Reviews of Tim Han LMA Course Program.pptx
 
Digital Tools and AI for Teaching Learning and Research
Digital Tools and AI for Teaching Learning and ResearchDigital Tools and AI for Teaching Learning and Research
Digital Tools and AI for Teaching Learning and Research
 
Digital Artifact 2 - Investigating Pavilion Designs
Digital Artifact 2 - Investigating Pavilion DesignsDigital Artifact 2 - Investigating Pavilion Designs
Digital Artifact 2 - Investigating Pavilion Designs
 
Francesca Gottschalk - How can education support child empowerment.pptx
Francesca Gottschalk - How can education support child empowerment.pptxFrancesca Gottschalk - How can education support child empowerment.pptx
Francesca Gottschalk - How can education support child empowerment.pptx
 
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
 
Best Digital Marketing Institute In NOIDA
Best Digital Marketing Institute In NOIDABest Digital Marketing Institute In NOIDA
Best Digital Marketing Institute In NOIDA
 
Unit 8 - Information and Communication Technology (Paper I).pdf
Unit 8 - Information and Communication Technology (Paper I).pdfUnit 8 - Information and Communication Technology (Paper I).pdf
Unit 8 - Information and Communication Technology (Paper I).pdf
 
Azure Interview Questions and Answers PDF By ScholarHat
Azure Interview Questions and Answers PDF By ScholarHatAzure Interview Questions and Answers PDF By ScholarHat
Azure Interview Questions and Answers PDF By ScholarHat
 
Thesis Statement for students diagnonsed withADHD.ppt
Thesis Statement for students diagnonsed withADHD.pptThesis Statement for students diagnonsed withADHD.ppt
Thesis Statement for students diagnonsed withADHD.ppt
 
Multithreading_in_C++ - std::thread, race condition
Multithreading_in_C++ - std::thread, race conditionMultithreading_in_C++ - std::thread, race condition
Multithreading_in_C++ - std::thread, race condition
 
The French Revolution Class 9 Study Material pdf free download
The French Revolution Class 9 Study Material pdf free downloadThe French Revolution Class 9 Study Material pdf free download
The French Revolution Class 9 Study Material pdf free download
 
Acetabularia Information For Class 9 .docx
Acetabularia Information For Class 9 .docxAcetabularia Information For Class 9 .docx
Acetabularia Information For Class 9 .docx
 
TESDA TM1 REVIEWER FOR NATIONAL ASSESSMENT WRITTEN AND ORAL QUESTIONS WITH A...
TESDA TM1 REVIEWER FOR NATIONAL ASSESSMENT WRITTEN AND ORAL QUESTIONS WITH A...TESDA TM1 REVIEWER FOR NATIONAL ASSESSMENT WRITTEN AND ORAL QUESTIONS WITH A...
TESDA TM1 REVIEWER FOR NATIONAL ASSESSMENT WRITTEN AND ORAL QUESTIONS WITH A...
 
Supporting (UKRI) OA monographs at Salford.pptx
Supporting (UKRI) OA monographs at Salford.pptxSupporting (UKRI) OA monographs at Salford.pptx
Supporting (UKRI) OA monographs at Salford.pptx
 
Biological Screening of Herbal Drugs in detailed.
Biological Screening of Herbal Drugs in detailed.Biological Screening of Herbal Drugs in detailed.
Biological Screening of Herbal Drugs in detailed.
 
Model Attribute Check Company Auto Property
Model Attribute Check Company Auto PropertyModel Attribute Check Company Auto Property
Model Attribute Check Company Auto Property
 
STRAND 3 HYGIENIC PRACTICES.pptx GRADE 7 CBC
STRAND 3 HYGIENIC PRACTICES.pptx GRADE 7 CBCSTRAND 3 HYGIENIC PRACTICES.pptx GRADE 7 CBC
STRAND 3 HYGIENIC PRACTICES.pptx GRADE 7 CBC
 
Normal Labour/ Stages of Labour/ Mechanism of Labour
Normal Labour/ Stages of Labour/ Mechanism of LabourNormal Labour/ Stages of Labour/ Mechanism of Labour
Normal Labour/ Stages of Labour/ Mechanism of Labour
 
Unit 2- Research Aptitude (UGC NET Paper I).pdf
Unit 2- Research Aptitude (UGC NET Paper I).pdfUnit 2- Research Aptitude (UGC NET Paper I).pdf
Unit 2- Research Aptitude (UGC NET Paper I).pdf
 
Group Presentation 2 Economics.Ariana Buscigliopptx
Group Presentation 2 Economics.Ariana BuscigliopptxGroup Presentation 2 Economics.Ariana Buscigliopptx
Group Presentation 2 Economics.Ariana Buscigliopptx
 

RSA криптосистем

  • 1. The RSA Cryptosystem Dan Boneh Stanford University
  • 2. The RSA cryptosystem  First published: • Scientific American, Aug. 1977. (after some censorship entanglements)  Currently the “work horse” of Internet security: • Most Public Key Infrastructure (PKI) products. • SSL/TLS: Certificates and key-exchange. • Secure e-mail: PGP, Outlook, … Page 2
  • 3. The RSA trapdoor 1-to-1 function  Parameters: N=pq. N 1024 bits. p,q 512 bits. e – encryption exponent. gcd(e, (N) ) = 1 .  1-to-1 function: RSA(M) = Me (mod N) where M ZN*  Trapdoor: d – decryption exponent. Where e d = 1 (mod (N) ) d (N)+1  Inversion: RSA(M) = Med = Mk = M (mod N)  (n,e,t, )-RSA Assumption: For any t-time alg. A: Pr[ A(N,e,x) = x ]< 1/e p,q R n-bit primes, (N) : N pq, x R ZN* Page 3
  • 4. Textbook RSA is insecure  Textbook RSA encryption: • public key: (N,e) Encrypt: C = Me (mod N) • private key: d Decrypt: Cd = M (mod N) (M Z N* )  Completely insecure cryptosystem: • Does not satisfy basic definitions of security. • Many attacks exist.  The RSA trapdoor permutation is not a cryptosystem ! Page 4
  • 5. A simple attack on textbook RSA Rando CLIENT HELLO m session- Web SERVER HELLO (e,N) Web d key K Browser Server C=RSA(K)  Session-key K is 64 bits. View K {0,…,264} Eavesdropper sees: C = Ke (mod N) .  Suppose K = K1 K2 where K1, K2 < 234 . (prob. 20%) Then: C/K1e = K2e (mod N)  Build table: C/1e, C/2e, C/3e, …, C/234e . time: 234 For K2 = 0,…, 234 test if K2e is in table. time: 234 34  Attack time: 240 << 264 Page 5
  • 6. Common RSA encryption  Never use textbook RSA.  RSA in practice: Preprocessing RSA ciphertext msg  Main question: • How should the preprocessing be done? • Can we argue about security of resulting system? Page 6
  • 7. PKCS1 V1.5  PKCS1 mode 2: (encryption) 16 bits 02 random pad FF msg 1024 bits  Resulting value is RSA encrypted.  Widely deployed in web servers and browsers.  No security analysis !! Page 7
  • 8. Attack on PKCS1  Bleichenbacher 98. Chosen-ciphertext attack.  PKCS1 used in SSL: C= ciphertext d C Is this PKCS1? Web Attacker Yes: continue Server 02 No: error attacker can test if 16 MSBs of plaintext = ’02’.  Attack: to decrypt a given ciphertext C do: e • Pick r ZN. Compute C’ = C = (r PKCS1(M)) . re • Send C’ to web server and use response. Page 8
  • 9. Chosen ciphertext security (CCS)  No efficient attacker can win the following game: (with non-negligible advantage) M0 , M1 C=E(Mb) b Decryption Challenger R Attacker oracle Challenge C b’ Attacker wins if b=b’ Page 9
  • 10. PKCS1 V2.0 - OAEP  New preprocessing function: OAEP (BR94). M 01 00..0 rand. + H Check pad on decryption. Reject CT if invalid. G + Plaintext to encrypt with RSA {0,1}n-1  Thm: RSA is trap-door permutation OAEP is CCS when H,G are “random oracles”.  In practice: use SHA-1 or MD5 for H and G. Page 10
  • 11. OAEP Improvements  OAEP+: (Shoup’01) M W(M,R) R trap-door permutation F + H F-OAEP+ is CCS when H,G,W are “random oracles”. G +  SAEP+: (B’01) M W(M,R) R RSA trap-door perm RSA-SAEP+ is CCS when + H H,W are “random oracle”. Page 11
  • 12. Subtleties in implementing OAEP [M ’00] OAEP-decrypt(C) { error = 0; if ( RSA-1(C) > 2n-1 ) { error =1; goto exit; } if ( pad(OAEP-1(RSA-1(C))) != “01000” ) } { error = 1; goto exit; }  Problem: timing information leaks type of error. Attacker can decrypt any ciphertext C.  Lesson: Don’t implement RSA-OAEP yourself … Page 12
  • 13. Part II: Is RSA a One-Way Function?
  • 14. Is RSA a one-way permutation?  To invert the RSA one-way function (without d) attacker must compute: M from C = Me (mod N).  How hard is computing e’th roots modulo N ??  Best known algorithm: • Step 1: factor N. (hard) • Step 2: Find e’th roots modulo p and q. (easy) Page 14
  • 15. Shortcuts?  Must one factor N in order to compute e’th roots? Exists shortcut for breaking RSA without factoring?  To prove no shortcut exists show a reduction: • Efficient algorithm for e’th roots mod N efficient algorithm for factoring N. • Oldest problem in public key cryptography.  Evidence no reduction exists: (BV’98) • “Algebraic” reduction factoring is easy. • Unlike Diffie-Hellman (Maurer’94). Page 15
  • 16. Improving RSA’s performance  To speed up RSA decryption use small private key d. Cd = M (mod N) • Wiener87: if d < N0.25 then RSA is insecure. • BD’98: if d < N0.292 then RSA is insecure (open: d < N0.5 ) • Insecure: priv. key d can be found from (N,e). • Small d should never be used. Page 16
  • 17. Wiener’s attack  Recall: e d = 1 (mod (N) ) k Z : e d = k (N) + 1 e k 1 - (N) d d (N) (N) = N-p-q+1 |N- (N)| p+q 3 N e - k 1 d N0.25/3 N d 2d2 Continued fraction expansion of e/N gives k/d. e d = 1 (mod k) gcd(d,k)=1 Page 17
  • 18. RSA With Low public exponent  To speed up RSA encryption (and sig. verify) use a small e. C = Me (mod N)  Minimal value: e=3 ( gcd(e, (N) ) = 1)  Recommended value: e=65537=216+1 Encryption: 17 mod. multiplies.  Several weak attacks. Non known on RSA-OAEP.  Asymmetry of RSA: fast enc. / slow dec. • ElGamal: approx. same time for both. Page 18
  • 19. Implementation attacks  Attack the implementation of RSA.  Timing attack: (Kocher 97) The time it takes to compute Cd (mod N) can expose d.  Power attack: (Kocher 99) The power consumption of a smartcard while it is computing Cd (mod N) can expose d.  Faults attack: (BDL 97) A computer error during Cd (mod N) can expose d. OpenSSL defense: check output. 5% slowdown. Page 19
  • 20. Key lengths Security of public key system should be comparable to security of block cipher. NIST: Cipher key-size Modulus size 64 bits 512 bits. 80 bits 1024 bits 128 bits 3072 bits. 256 bits (AES) 15360 bits  High security very large moduli. Not necessary with Elliptic Curve Cryptography. Page 20