SlideShare a Scribd company logo

rsa.ppt

Download as PPT, PDF
P
PrasadM389394

RSA

Engineering
1 of 20
The RSA Cryptosystem
Page 2 The RSA cryptosystem  First published: • Scientific American, Aug. 1977. (after some censorship entanglements)  Currently the “work horse” of Internet security: • Most Public Key Infrastructure (PKI) products. • SSL/TLS: Certificates and key-exchange. • Secure e-mail: PGP, Outlook, …
Page 3 The RSA trapdoor 1-to-1 function  Parameters: N=pq. N 1024 bits. p,q 512 bits. e – encryption exponent. gcd(e, (N) ) = 1 .  1-to-1 function: RSA(M) = Me (mod N) where MZN *  Trapdoor: d – decryption exponent. Where ed = 1 (mod (N) )  Inversion: RSA(M) d = Med = Mk(N)+1 = M (mod N)  (n,e,t,)-RSA Assumption: For any t-time alg. A: Pr[ A(N,e,x) = x 1/e (N) : ] <  p,q  n-bit primes, Npq, xZN * R R
Page 4 Textbook RSA is insecure  Textbook RSA encryption: • public key: (N,e) Encrypt: C = Me (mod N) • private key: d Decrypt: Cd = M (mod N) (M  ZN * )  Completely insecure cryptosystem: • Does not satisfy basic definitions of security. • Many attacks exist.  The RSA trapdoor permutation is not a cryptosystem !
Page 5 A simple attack on textbook RSA  Session-key K is 64 bits. View K  {0,…,264} Eavesdropper sees: C = Ke (mod N) .  Suppose K = K1K2 where K1, K2 < 234 . (prob. 20%) Then: C/K1 e = K2 e (mod N)  Build table: C/1e, C/2e, C/3e, …, C/234e . time: 234 For K2 = 0,…, 234 test if K2 e is in table. time: 23434  Attack time: 240 << 264 Web Browser Web Server CLIENT HELLO SERVER HELLO (e,N) d C=RSA(K) Rando m session- key K
Page 6 Common RSA encryption  Never use textbook RSA.  RSA in practice:  Main question: • How should the preprocessing be done? • Can we argue about security of resulting system? msg Preprocessing ciphertext RSA
Page 7 PKCS1 V1.5  PKCS1 mode 2: (encryption)  Resulting value is RSA encrypted.  Widely deployed in web servers and browsers.  No security analysis !! 02 random pad FF msg 1024 bits 16 bits
Page 8 Attack on PKCS1  Bleichenbacher 98. Chosen-ciphertext attack.  PKCS1 used in SSL:  attacker can test if 16 MSBs of plaintext = ’02’.  Attack: to decrypt a given ciphertext C do: • Pick r  ZN. Compute C’ = reC = (r  PKCS1(M)) e . • Send C’ to web server and use response. Attacker Web Server d Is this PKCS1? ciphertext C= C Yes: continue No: error 02
Page 9 Chosen ciphertext security (CCS)  No efficient attacker can win the following game: (with non-negligible advantage) Attacker Challenger M0, M1 b’{0,1} Attacker wins if b=b’ C=E(Mb) bR{0,1} Challenge Decryption oracle C
Page 10 PKCS1 V2.0 - OAEP  New preprocessing function: OAEP (BR94).  Thm: RSA is trap-door permutation  OAEP is CCS when H,G are “random oracles”.  In practice: use SHA-1 or MD5 for H and G. H + G + Plaintext to encrypt with RSA rand. M 01 00..0 Check pad on decryption. Reject CT if invalid. {0,1} n-1
Page 11 OAEP Improvements  OAEP+: (Shoup’01)  trap-door permutation F F-OAEP+ is CCS when H,G,W are “random oracles”.  SAEP+: (B’01) RSA trap-door perm  RSA-SAEP+ is CCS when H,W are “random oracle”. R H + G + M W(M,R) R H + M W(M,R)
Page 12 Subtleties in implementing OAEP [M ’00] OAEP-decrypt(C) { error = 0; if ( RSA-1 (C) > 2n-1 ) { error =1; goto exit; } if ( pad(OAEP-1 (RSA-1 (C))) != “01000” ) { error = 1; goto exit; } }  Problem: timing information leaks type of error.  Attacker can decrypt any ciphertext C.  Lesson: Don’t implement RSA-OAEP yourself …
Part II: Is RSA a One-Way Function?
Page 14 Is RSA a one-way permutation?  To invert the RSA one-way function (without d) attacker must compute: M from C = Me (mod N).  How hard is computing e’th roots modulo N ??  Best known algorithm: • Step 1: factor N. (hard) • Step 2: Find e’th roots modulo p and q. (easy)
Page 15 Shortcuts?  Must one factor N in order to compute e’th roots? Exists shortcut for breaking RSA without factoring?  To prove no shortcut exists show a reduction: • Efficient algorithm for e’th roots mod N  efficient algorithm for factoring N. • Oldest problem in public key cryptography.  Evidence no reduction exists: (BV’98) • “Algebraic” reduction  factoring is easy. • Unlike Diffie-Hellman (Maurer’94).
Page 16 Improving RSA’s performance  To speed up RSA decryption use small private key d. Cd = M (mod N) • Wiener87: if d < N0.25 then RSA is insecure. • BD’98: if d < N0.292 then RSA is insecure (open: d < N0.5 ) • Insecure: priv. key d can be found from (N,e). • Small d should never be used.
Page 17 Wiener’s attack  Recall: ed = 1 (mod (N) )   kZ : ed = k(N) + 1  (N) = N-p-q+1  |N- (N)|  p+q  3N d  N0.25/3  Continued fraction expansion of e/N gives k/d. ed = 1 (mod k)  gcd(d,k)=1 e (N) k d -  1 d(N) e N k d -  1 2d2
Page 18 RSA With Low public exponent  To speed up RSA encryption (and sig. verify) use a small e. C = Me (mod N)  Minimal value: e=3 ( gcd(e, (N) ) = 1)  Recommended value: e=65537=216+1 Encryption: 17 mod. multiplies.  Several weak attacks. Non known on RSA-OAEP.  Asymmetry of RSA: fast enc. / slow dec. • ElGamal: approx. same time for both.
Page 19 Implementation attacks  Attack the implementation of RSA.  Timing attack: (Kocher 97) The time it takes to compute C d (mod N) can expose d.  Power attack: (Kocher 99) The power consumption of a smartcard while it is computing C d (mod N) can expose d.  Faults attack: (BDL 97) A computer error during Cd (mod N) can expose d. OpenSSL defense: check output. 5% slowdown.
Page 20 Key lengths  Security of public key system should be comparable to security of block cipher. NIST: Cipher key-size Modulus size  64 bits 512 bits. 80 bits 1024 bits 128 bits 3072 bits. 256 bits (AES) 15360 bits  High security  very large moduli. Not necessary with Elliptic Curve Cryptography.

Recommended

RSA криптосистем
RSA криптосистемRSA криптосистем
RSA криптосистемsodhero
 
Ntewrok secuirty cs7
Ntewrok secuirty cs7Ntewrok secuirty cs7
Ntewrok secuirty cs7Infinity Tech Solutions
 
RSA & MD5 algorithm
RSA & MD5 algorithmRSA & MD5 algorithm
RSA & MD5 algorithmSiva Rushi
 
Common Crypto Pitfalls
Common Crypto PitfallsCommon Crypto Pitfalls
Common Crypto PitfallsAmirali Sanatinia
 
Public-Key Cryptography.pdfWrite the result of the following operation with t...
Public-Key Cryptography.pdfWrite the result of the following operation with t...Public-Key Cryptography.pdfWrite the result of the following operation with t...
Public-Key Cryptography.pdfWrite the result of the following operation with t...FahmiOlayah
 
PKC&RSA
PKC&RSAPKC&RSA
PKC&RSAAnver S R
 
Rivest Shamir Adleman Algorithm and its variant : DRSA.pptx
Rivest Shamir Adleman Algorithm and its variant : DRSA.pptxRivest Shamir Adleman Algorithm and its variant : DRSA.pptx
Rivest Shamir Adleman Algorithm and its variant : DRSA.pptxwerip98386
 
Presentation about RSA
Presentation about RSAPresentation about RSA
Presentation about RSASrilal Buddika
 

Recommended

RSA криптосистем
RSA криптосистемRSA криптосистем
RSA криптосистемsodhero
 
Ntewrok secuirty cs7
Ntewrok secuirty cs7Ntewrok secuirty cs7
Ntewrok secuirty cs7Infinity Tech Solutions
 
RSA & MD5 algorithm
RSA & MD5 algorithmRSA & MD5 algorithm
RSA & MD5 algorithmSiva Rushi
 
Common Crypto Pitfalls
Common Crypto PitfallsCommon Crypto Pitfalls
Common Crypto PitfallsAmirali Sanatinia
 
Public-Key Cryptography.pdfWrite the result of the following operation with t...
Public-Key Cryptography.pdfWrite the result of the following operation with t...Public-Key Cryptography.pdfWrite the result of the following operation with t...
Public-Key Cryptography.pdfWrite the result of the following operation with t...FahmiOlayah
 
PKC&RSA
PKC&RSAPKC&RSA
PKC&RSAAnver S R
 
Rivest Shamir Adleman Algorithm and its variant : DRSA.pptx
Rivest Shamir Adleman Algorithm and its variant : DRSA.pptxRivest Shamir Adleman Algorithm and its variant : DRSA.pptx
Rivest Shamir Adleman Algorithm and its variant : DRSA.pptxwerip98386
 
Presentation about RSA
Presentation about RSAPresentation about RSA
Presentation about RSASrilal Buddika
 
RSA
RSARSA
RSAbansidhar11
 
Computing on Encrypted Data
Computing on Encrypted DataComputing on Encrypted Data
Computing on Encrypted DataNew York Technology Council
 
Cloud computing and security 03
Cloud computing and security 03Cloud computing and security 03
Cloud computing and security 03Akash Kamble
 
Information and network security 33 rsa algorithm
Information and network security 33 rsa algorithmInformation and network security 33 rsa algorithm
Information and network security 33 rsa algorithmVaibhav Khanna
 
Introduction to cryptography
Introduction to cryptographyIntroduction to cryptography
Introduction to cryptographySuresh Thammishetty
 
Rsa in CTF
Rsa in CTFRsa in CTF
Rsa in CTFSoL ymx
 
F010243136
F010243136F010243136
F010243136IOSR Journals
 
Elliptic curvecryptography Shane Almeida Saqib Awan Dan Palacio
Elliptic curvecryptography Shane Almeida Saqib Awan Dan PalacioElliptic curvecryptography Shane Almeida Saqib Awan Dan Palacio
Elliptic curvecryptography Shane Almeida Saqib Awan Dan PalacioInformation Security Awareness Group
 
A comparative analysis of the possible attacks on rsa cryptosystem
A comparative analysis of the possible attacks on rsa cryptosystemA comparative analysis of the possible attacks on rsa cryptosystem
A comparative analysis of the possible attacks on rsa cryptosystemIAEME Publication
 
rsa-1
rsa-1rsa-1
rsa-1aniruddh Tyagi
 
rsa-1
rsa-1rsa-1
rsa-1aniruddh Tyagi
 
rsa-1
rsa-1rsa-1
rsa-1Aniruddh Tyagi
 
Homomorphic Encryption
Homomorphic EncryptionHomomorphic Encryption
Homomorphic EncryptionGöktuğ Serez
 
Why are we still vulnerable to Side Channel Attacks?
Why are we still vulnerable to Side Channel Attacks?Why are we still vulnerable to Side Channel Attacks?
Why are we still vulnerable to Side Channel Attacks?Riscure
 
RSA Algorithm.ppt
RSA Algorithm.pptRSA Algorithm.ppt
RSA Algorithm.pptArchanaT30
 
AbstractRSA cryptosystem was first discovered in 1977 by Adi Shi.docx
AbstractRSA cryptosystem was first discovered in 1977 by Adi Shi.docxAbstractRSA cryptosystem was first discovered in 1977 by Adi Shi.docx
AbstractRSA cryptosystem was first discovered in 1977 by Adi Shi.docxransayo
 
Kleptography
KleptographyKleptography
KleptographyErfan Mallick
 
Ch9
Ch9Ch9
Ch9Mahender Kumar
 
Rsa
RsaRsa
Rsaismaelhaider
 
Unit --3.ppt
Unit --3.pptUnit --3.ppt
Unit --3.pptDHANABALSUBRAMANIAN
 
Call Girls Service Nagpur Tanvi Call 7001035870 Meet With Nagpur Escorts
Call Girls Service Nagpur Tanvi Call 7001035870 Meet With Nagpur EscortsCall Girls Service Nagpur Tanvi Call 7001035870 Meet With Nagpur Escorts
Call Girls Service Nagpur Tanvi Call 7001035870 Meet With Nagpur EscortsCall Girls in Nagpur High Profile
 
Coefficient of Thermal Expansion and their Importance.pptx
Coefficient of Thermal Expansion and their Importance.pptxCoefficient of Thermal Expansion and their Importance.pptx
Coefficient of Thermal Expansion and their Importance.pptxAsutosh Ranjan
 

More Related Content

Similar to rsa.ppt

Cloud computing and security 03
Cloud computing and security 03Cloud computing and security 03
Cloud computing and security 03Akash Kamble
 
Information and network security 33 rsa algorithm
Information and network security 33 rsa algorithmInformation and network security 33 rsa algorithm
Information and network security 33 rsa algorithmVaibhav Khanna
 
Rsa in CTF
Rsa in CTFRsa in CTF
Rsa in CTFSoL ymx
 
A comparative analysis of the possible attacks on rsa cryptosystem
A comparative analysis of the possible attacks on rsa cryptosystemA comparative analysis of the possible attacks on rsa cryptosystem
A comparative analysis of the possible attacks on rsa cryptosystemIAEME Publication
 
Homomorphic Encryption
Homomorphic EncryptionHomomorphic Encryption
Homomorphic EncryptionGöktuğ Serez
 
Why are we still vulnerable to Side Channel Attacks?
Why are we still vulnerable to Side Channel Attacks?Why are we still vulnerable to Side Channel Attacks?
Why are we still vulnerable to Side Channel Attacks?Riscure
 
RSA Algorithm.ppt
RSA Algorithm.pptRSA Algorithm.ppt
RSA Algorithm.pptArchanaT30
 
AbstractRSA cryptosystem was first discovered in 1977 by Adi Shi.docx
AbstractRSA cryptosystem was first discovered in 1977 by Adi Shi.docxAbstractRSA cryptosystem was first discovered in 1977 by Adi Shi.docx
AbstractRSA cryptosystem was first discovered in 1977 by Adi Shi.docxransayo
 

Similar to rsa.ppt (20)

RSA
RSARSA
RSA
 
Computing on Encrypted Data
Computing on Encrypted DataComputing on Encrypted Data
Computing on Encrypted Data
 
Cloud computing and security 03
Cloud computing and security 03Cloud computing and security 03
Cloud computing and security 03
 
Information and network security 33 rsa algorithm
Information and network security 33 rsa algorithmInformation and network security 33 rsa algorithm
Information and network security 33 rsa algorithm
 
Introduction to cryptography
Introduction to cryptographyIntroduction to cryptography
Introduction to cryptography
 
Rsa in CTF
Rsa in CTFRsa in CTF
Rsa in CTF
 
F010243136
F010243136F010243136
F010243136
 
Elliptic curvecryptography Shane Almeida Saqib Awan Dan Palacio
Elliptic curvecryptography Shane Almeida Saqib Awan Dan PalacioElliptic curvecryptography Shane Almeida Saqib Awan Dan Palacio
Elliptic curvecryptography Shane Almeida Saqib Awan Dan Palacio
 
A comparative analysis of the possible attacks on rsa cryptosystem
A comparative analysis of the possible attacks on rsa cryptosystemA comparative analysis of the possible attacks on rsa cryptosystem
A comparative analysis of the possible attacks on rsa cryptosystem
 
rsa-1
rsa-1rsa-1
rsa-1
 
rsa-1
rsa-1rsa-1
rsa-1
 
rsa-1
rsa-1rsa-1
rsa-1
 
Homomorphic Encryption
Homomorphic EncryptionHomomorphic Encryption
Homomorphic Encryption
 
Why are we still vulnerable to Side Channel Attacks?
Why are we still vulnerable to Side Channel Attacks?Why are we still vulnerable to Side Channel Attacks?
Why are we still vulnerable to Side Channel Attacks?
 
RSA Algorithm.ppt
RSA Algorithm.pptRSA Algorithm.ppt
RSA Algorithm.ppt
 
AbstractRSA cryptosystem was first discovered in 1977 by Adi Shi.docx
AbstractRSA cryptosystem was first discovered in 1977 by Adi Shi.docxAbstractRSA cryptosystem was first discovered in 1977 by Adi Shi.docx
AbstractRSA cryptosystem was first discovered in 1977 by Adi Shi.docx
 
Kleptography
KleptographyKleptography
Kleptography
 
Ch9
Ch9Ch9
Ch9
 
Rsa
RsaRsa
Rsa
 
Unit --3.ppt
Unit --3.pptUnit --3.ppt
Unit --3.ppt
 

Recently uploaded

Call Girls Service Nagpur Tanvi Call 7001035870 Meet With Nagpur Escorts
Call Girls Service Nagpur Tanvi Call 7001035870 Meet With Nagpur EscortsCall Girls Service Nagpur Tanvi Call 7001035870 Meet With Nagpur Escorts
Call Girls Service Nagpur Tanvi Call 7001035870 Meet With Nagpur EscortsCall Girls in Nagpur High Profile
 
Coefficient of Thermal Expansion and their Importance.pptx
Coefficient of Thermal Expansion and their Importance.pptxCoefficient of Thermal Expansion and their Importance.pptx
Coefficient of Thermal Expansion and their Importance.pptxAsutosh Ranjan
 
College Call Girls Nashik Nehal 7001305949 Independent Escort Service Nashik
College Call Girls Nashik Nehal 7001305949 Independent Escort Service NashikCollege Call Girls Nashik Nehal 7001305949 Independent Escort Service Nashik
College Call Girls Nashik Nehal 7001305949 Independent Escort Service NashikCall Girls in Nagpur High Profile
 
Call Girls Service Nashik Vaishnavi 7001305949 Independent Escort Service Nashik
Call Girls Service Nashik Vaishnavi 7001305949 Independent Escort Service NashikCall Girls Service Nashik Vaishnavi 7001305949 Independent Escort Service Nashik
Call Girls Service Nashik Vaishnavi 7001305949 Independent Escort Service NashikCall Girls in Nagpur High Profile
 
MANUFACTURING PROCESS-II UNIT-1 THEORY OF METAL CUTTING
MANUFACTURING PROCESS-II UNIT-1 THEORY OF METAL CUTTINGMANUFACTURING PROCESS-II UNIT-1 THEORY OF METAL CUTTING
MANUFACTURING PROCESS-II UNIT-1 THEORY OF METAL CUTTINGSIVASHANKAR N
 
AKTU Computer Networks notes --- Unit 3.pdf
AKTU Computer Networks notes --- Unit 3.pdfAKTU Computer Networks notes --- Unit 3.pdf
AKTU Computer Networks notes --- Unit 3.pdfankushspencer015
 
High Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur EscortsHigh Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur EscortsCall Girls in Nagpur High Profile
 
result management system report for college project
result management system report for college projectresult management system report for college project
result management system report for college projectTonystark477637
 
(ANJALI) Dange Chowk Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANJALI) Dange Chowk Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...(ANJALI) Dange Chowk Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANJALI) Dange Chowk Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...ranjana rawat
 
University management System project report..pdf
University management System project report..pdfUniversity management System project report..pdf
University management System project report..pdfKamal Acharya
 
Glass Ceramics: Processing and Properties
Glass Ceramics: Processing and PropertiesGlass Ceramics: Processing and Properties
Glass Ceramics: Processing and PropertiesPrabhanshu Chaturvedi
 
Introduction to IEEE STANDARDS and its different types.pptx
Introduction to IEEE STANDARDS and its different types.pptxIntroduction to IEEE STANDARDS and its different types.pptx
Introduction to IEEE STANDARDS and its different types.pptxupamatechverse
 
Introduction to Multiple Access Protocol.pptx
Introduction to Multiple Access Protocol.pptxIntroduction to Multiple Access Protocol.pptx
Introduction to Multiple Access Protocol.pptxupamatechverse
 
VIP Call Girls Ankleshwar 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Ankleshwar 7001035870 Whatsapp Number, 24/07 BookingVIP Call Girls Ankleshwar 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Ankleshwar 7001035870 Whatsapp Number, 24/07 Bookingdharasingh5698
 
Processing & Properties of Floor and Wall Tiles.pptx
Processing & Properties of Floor and Wall Tiles.pptxProcessing & Properties of Floor and Wall Tiles.pptx
Processing & Properties of Floor and Wall Tiles.pptxpranjaldaimarysona
 
Booking open Available Pune Call Girls Koregaon Park 6297143586 Call Hot Ind...
Booking open Available Pune Call Girls Koregaon Park 6297143586 Call Hot Ind...Booking open Available Pune Call Girls Koregaon Park 6297143586 Call Hot Ind...
Booking open Available Pune Call Girls Koregaon Park 6297143586 Call Hot Ind...Call Girls in Nagpur High Profile
 
Java Programming :Event Handling(Types of Events)
Java Programming :Event Handling(Types of Events)Java Programming :Event Handling(Types of Events)
Java Programming :Event Handling(Types of Events)simmis5
 
Online banking management system project.pdf
Online banking management system project.pdfOnline banking management system project.pdf
Online banking management system project.pdfKamal Acharya
 
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...ranjana rawat
 

Recently uploaded (20)

Call Girls Service Nagpur Tanvi Call 7001035870 Meet With Nagpur Escorts
Call Girls Service Nagpur Tanvi Call 7001035870 Meet With Nagpur EscortsCall Girls Service Nagpur Tanvi Call 7001035870 Meet With Nagpur Escorts
Call Girls Service Nagpur Tanvi Call 7001035870 Meet With Nagpur Escorts
 
Coefficient of Thermal Expansion and their Importance.pptx
Coefficient of Thermal Expansion and their Importance.pptxCoefficient of Thermal Expansion and their Importance.pptx
Coefficient of Thermal Expansion and their Importance.pptx
 
College Call Girls Nashik Nehal 7001305949 Independent Escort Service Nashik
College Call Girls Nashik Nehal 7001305949 Independent Escort Service NashikCollege Call Girls Nashik Nehal 7001305949 Independent Escort Service Nashik
College Call Girls Nashik Nehal 7001305949 Independent Escort Service Nashik
 
Call Girls Service Nashik Vaishnavi 7001305949 Independent Escort Service Nashik
Call Girls Service Nashik Vaishnavi 7001305949 Independent Escort Service NashikCall Girls Service Nashik Vaishnavi 7001305949 Independent Escort Service Nashik
Call Girls Service Nashik Vaishnavi 7001305949 Independent Escort Service Nashik
 
MANUFACTURING PROCESS-II UNIT-1 THEORY OF METAL CUTTING
MANUFACTURING PROCESS-II UNIT-1 THEORY OF METAL CUTTINGMANUFACTURING PROCESS-II UNIT-1 THEORY OF METAL CUTTING
MANUFACTURING PROCESS-II UNIT-1 THEORY OF METAL CUTTING
 
AKTU Computer Networks notes --- Unit 3.pdf
AKTU Computer Networks notes --- Unit 3.pdfAKTU Computer Networks notes --- Unit 3.pdf
AKTU Computer Networks notes --- Unit 3.pdf
 
High Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur EscortsHigh Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur Escorts
 
result management system report for college project
result management system report for college projectresult management system report for college project
result management system report for college project
 
(ANJALI) Dange Chowk Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANJALI) Dange Chowk Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...(ANJALI) Dange Chowk Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANJALI) Dange Chowk Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
 
University management System project report..pdf
University management System project report..pdfUniversity management System project report..pdf
University management System project report..pdf
 
Glass Ceramics: Processing and Properties
Glass Ceramics: Processing and PropertiesGlass Ceramics: Processing and Properties
Glass Ceramics: Processing and Properties
 
Introduction to IEEE STANDARDS and its different types.pptx
Introduction to IEEE STANDARDS and its different types.pptxIntroduction to IEEE STANDARDS and its different types.pptx
Introduction to IEEE STANDARDS and its different types.pptx
 
Introduction to Multiple Access Protocol.pptx
Introduction to Multiple Access Protocol.pptxIntroduction to Multiple Access Protocol.pptx
Introduction to Multiple Access Protocol.pptx
 
VIP Call Girls Ankleshwar 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Ankleshwar 7001035870 Whatsapp Number, 24/07 BookingVIP Call Girls Ankleshwar 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Ankleshwar 7001035870 Whatsapp Number, 24/07 Booking
 
Processing & Properties of Floor and Wall Tiles.pptx
Processing & Properties of Floor and Wall Tiles.pptxProcessing & Properties of Floor and Wall Tiles.pptx
Processing & Properties of Floor and Wall Tiles.pptx
 
DJARUM4D - SLOT GACOR ONLINE | SLOT DEMO ONLINE
DJARUM4D - SLOT GACOR ONLINE | SLOT DEMO ONLINEDJARUM4D - SLOT GACOR ONLINE | SLOT DEMO ONLINE
DJARUM4D - SLOT GACOR ONLINE | SLOT DEMO ONLINE
 
Booking open Available Pune Call Girls Koregaon Park 6297143586 Call Hot Ind...
Booking open Available Pune Call Girls Koregaon Park 6297143586 Call Hot Ind...Booking open Available Pune Call Girls Koregaon Park 6297143586 Call Hot Ind...
Booking open Available Pune Call Girls Koregaon Park 6297143586 Call Hot Ind...
 
Java Programming :Event Handling(Types of Events)
Java Programming :Event Handling(Types of Events)Java Programming :Event Handling(Types of Events)
Java Programming :Event Handling(Types of Events)
 
Online banking management system project.pdf
Online banking management system project.pdfOnline banking management system project.pdf
Online banking management system project.pdf
 
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
 

rsa.ppt

  • 2. Page 2 The RSA cryptosystem  First published: • Scientific American, Aug. 1977. (after some censorship entanglements)  Currently the “work horse” of Internet security: • Most Public Key Infrastructure (PKI) products. • SSL/TLS: Certificates and key-exchange. • Secure e-mail: PGP, Outlook, …
  • 3. Page 3 The RSA trapdoor 1-to-1 function  Parameters: N=pq. N 1024 bits. p,q 512 bits. e – encryption exponent. gcd(e, (N) ) = 1 .  1-to-1 function: RSA(M) = Me (mod N) where MZN *  Trapdoor: d – decryption exponent. Where ed = 1 (mod (N) )  Inversion: RSA(M) d = Med = Mk(N)+1 = M (mod N)  (n,e,t,)-RSA Assumption: For any t-time alg. A: Pr[ A(N,e,x) = x 1/e (N) : ] <  p,q  n-bit primes, Npq, xZN * R R
  • 4. Page 4 Textbook RSA is insecure  Textbook RSA encryption: • public key: (N,e) Encrypt: C = Me (mod N) • private key: d Decrypt: Cd = M (mod N) (M  ZN * )  Completely insecure cryptosystem: • Does not satisfy basic definitions of security. • Many attacks exist.  The RSA trapdoor permutation is not a cryptosystem !
  • 5. Page 5 A simple attack on textbook RSA  Session-key K is 64 bits. View K  {0,…,264} Eavesdropper sees: C = Ke (mod N) .  Suppose K = K1K2 where K1, K2 < 234 . (prob. 20%) Then: C/K1 e = K2 e (mod N)  Build table: C/1e, C/2e, C/3e, …, C/234e . time: 234 For K2 = 0,…, 234 test if K2 e is in table. time: 23434  Attack time: 240 << 264 Web Browser Web Server CLIENT HELLO SERVER HELLO (e,N) d C=RSA(K) Rando m session- key K
  • 6. Page 6 Common RSA encryption  Never use textbook RSA.  RSA in practice:  Main question: • How should the preprocessing be done? • Can we argue about security of resulting system? msg Preprocessing ciphertext RSA
  • 7. Page 7 PKCS1 V1.5  PKCS1 mode 2: (encryption)  Resulting value is RSA encrypted.  Widely deployed in web servers and browsers.  No security analysis !! 02 random pad FF msg 1024 bits 16 bits
  • 8. Page 8 Attack on PKCS1  Bleichenbacher 98. Chosen-ciphertext attack.  PKCS1 used in SSL:  attacker can test if 16 MSBs of plaintext = ’02’.  Attack: to decrypt a given ciphertext C do: • Pick r  ZN. Compute C’ = reC = (r  PKCS1(M)) e . • Send C’ to web server and use response. Attacker Web Server d Is this PKCS1? ciphertext C= C Yes: continue No: error 02
  • 9. Page 9 Chosen ciphertext security (CCS)  No efficient attacker can win the following game: (with non-negligible advantage) Attacker Challenger M0, M1 b’{0,1} Attacker wins if b=b’ C=E(Mb) bR{0,1} Challenge Decryption oracle C
  • 10. Page 10 PKCS1 V2.0 - OAEP  New preprocessing function: OAEP (BR94).  Thm: RSA is trap-door permutation  OAEP is CCS when H,G are “random oracles”.  In practice: use SHA-1 or MD5 for H and G. H + G + Plaintext to encrypt with RSA rand. M 01 00..0 Check pad on decryption. Reject CT if invalid. {0,1} n-1
  • 11. Page 11 OAEP Improvements  OAEP+: (Shoup’01)  trap-door permutation F F-OAEP+ is CCS when H,G,W are “random oracles”.  SAEP+: (B’01) RSA trap-door perm  RSA-SAEP+ is CCS when H,W are “random oracle”. R H + G + M W(M,R) R H + M W(M,R)
  • 12. Page 12 Subtleties in implementing OAEP [M ’00] OAEP-decrypt(C) { error = 0; if ( RSA-1 (C) > 2n-1 ) { error =1; goto exit; } if ( pad(OAEP-1 (RSA-1 (C))) != “01000” ) { error = 1; goto exit; } }  Problem: timing information leaks type of error.  Attacker can decrypt any ciphertext C.  Lesson: Don’t implement RSA-OAEP yourself …
  • 13. Part II: Is RSA a One-Way Function?
  • 14. Page 14 Is RSA a one-way permutation?  To invert the RSA one-way function (without d) attacker must compute: M from C = Me (mod N).  How hard is computing e’th roots modulo N ??  Best known algorithm: • Step 1: factor N. (hard) • Step 2: Find e’th roots modulo p and q. (easy)
  • 15. Page 15 Shortcuts?  Must one factor N in order to compute e’th roots? Exists shortcut for breaking RSA without factoring?  To prove no shortcut exists show a reduction: • Efficient algorithm for e’th roots mod N  efficient algorithm for factoring N. • Oldest problem in public key cryptography.  Evidence no reduction exists: (BV’98) • “Algebraic” reduction  factoring is easy. • Unlike Diffie-Hellman (Maurer’94).
  • 16. Page 16 Improving RSA’s performance  To speed up RSA decryption use small private key d. Cd = M (mod N) • Wiener87: if d < N0.25 then RSA is insecure. • BD’98: if d < N0.292 then RSA is insecure (open: d < N0.5 ) • Insecure: priv. key d can be found from (N,e). • Small d should never be used.
  • 17. Page 17 Wiener’s attack  Recall: ed = 1 (mod (N) )   kZ : ed = k(N) + 1  (N) = N-p-q+1  |N- (N)|  p+q  3N d  N0.25/3  Continued fraction expansion of e/N gives k/d. ed = 1 (mod k)  gcd(d,k)=1 e (N) k d -  1 d(N) e N k d -  1 2d2
  • 18. Page 18 RSA With Low public exponent  To speed up RSA encryption (and sig. verify) use a small e. C = Me (mod N)  Minimal value: e=3 ( gcd(e, (N) ) = 1)  Recommended value: e=65537=216+1 Encryption: 17 mod. multiplies.  Several weak attacks. Non known on RSA-OAEP.  Asymmetry of RSA: fast enc. / slow dec. • ElGamal: approx. same time for both.
  • 19. Page 19 Implementation attacks  Attack the implementation of RSA.  Timing attack: (Kocher 97) The time it takes to compute C d (mod N) can expose d.  Power attack: (Kocher 99) The power consumption of a smartcard while it is computing C d (mod N) can expose d.  Faults attack: (BDL 97) A computer error during Cd (mod N) can expose d. OpenSSL defense: check output. 5% slowdown.
  • 20. Page 20 Key lengths  Security of public key system should be comparable to security of block cipher. NIST: Cipher key-size Modulus size  64 bits 512 bits. 80 bits 1024 bits 128 bits 3072 bits. 256 bits (AES) 15360 bits  High security  very large moduli. Not necessary with Elliptic Curve Cryptography.