Chosen-Ciphertext Attacks Against Protocols Based on the RSA Encryption Standard PKCS #1 (PowerPoint presentation transcript)
1
Chosen-Ciphertext Attacks Against Protocols Based on the RSA Encryption Standard PKCS #1 (Public-Key Cryptography Standards)
  • Daniel Bleichenbacher

Elizabeth Loza-Garay Christopher Thoma
Orosco Cynthia A Guozden Yonghua Li
2
Overview
  • Introduction
  • PKCS 1 description
  • Description of the algorithm
  • Prevention techniques
  • Experimental results
  • Conclusion

3
Objective
  • Introduces a new adaptive chosen-ciphertext attack against protocols based on RSA

4
RSA/PKCS #1 encryption
Figure: Alice sends Bob an encrypted message.
  • Bob's keys: PK = (n = pq, e); SK = (p, q, d) with ed = 1 (mod φ(n))
  • Alice: pads the message m to obtain M, computes C = M^e (mod n), sends C
  • Bob: decrypts M = C^d (mod n), removes the padding from M, recovers m
5
Situation analyzed in this talk
Figure: as on the previous slide, but Bob's reply is visible to Eve.
  • Bob's keys: PK = (n = pq, e); SK = (p, q, d) with ed = 1 (mod φ(n))
  • Alice: pads m to obtain M, computes C = M^e (mod n), sends C
  • Bob: decrypts M = C^d (mod n), removes the padding from M and replies R: R = 1 if the padding is correct, R = 0 if the padding is incorrect
  • Eve observes R
6
Chosen-ciphertext attack
Figure: Eve uses Bob's decryption as an oracle.
  • Bob's keys: PK = (n = pq, e); SK = (p, q, d) with ed = 1 (mod φ(n))
  • Eve holds a ciphertext C with unknown M = C^d mod n, picks a random integer S and asks Bob to decrypt C' = C·S^e (mod n)
  • Bob computes M' = C'^d mod n and replies R = 0/1 depending on the correctness of the padding of C'
  • Since M' = M·S (mod n), the reply tells Eve something about M = M'·S^(-1) mod n
7
PKCS #1 (v1.5) padding for encryption
RSA modulus n = pq of length k bytes, i.e. 256^(k-1) < n < 256^k
Figure: layout of the k-byte encryption block, most significant byte first:
  00 | 02 | padding string (at least 8 bytes) | 00 | message (data block)
8
PKCS #1 (cont.)
Block layout: 00 | 02 | padding string (at least 8 bytes) | 00 | message (data block)
EB = 00 || 02 || PS || 00 || D, where EB1 = 00, EB2 = 02, EB3 through EB10 are nonzero, and at least one of the bytes EB11 through EBk is 00
9
Observations
PKCS #1 (v1.5) padding for encryption is correct if
  • the 1st byte is 00
  • the 2nd byte is 02
  • the next 8 bytes are different from 00
  • there is at least one more 00 byte
  • the least significant bit of an RSA-encrypted message is as secure as the whole message → learning single bits per ciphertext may be sufficient
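As an added example (not part of the original slides), the padding rules of slides 7 to 9 and the blinding relation of slide 6 in Python: a conformance check, pad/unpad, Bob's R = 0/1 reply, and a check that decrypting C·S^e yields M·S mod n. The key (two Mersenne primes giving a 27-byte modulus), the message and all names are constructed for this demonstration.

```python
import secrets

# Constructed toy parameters: 2^89 - 1 and 2^127 - 1 are prime, giving a 27-byte modulus.
# Real keys are 128 bytes or more; the block structure is the same.
P, Q = (1 << 89) - 1, (1 << 127) - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8           # byte length k of n: 256^(k-1) < n < 256^k

def pkcs1_v15_conforming(eb: bytes, k: int) -> bool:
    """Slide 8/9 rules: EB1 = 00, EB2 = 02, EB3..EB10 nonzero, a 00 somewhere in EB11..EBk."""
    return (len(eb) == k and eb[0] == 0x00 and eb[1] == 0x02
            and 0x00 not in eb[2:10] and 0x00 in eb[10:])

def pkcs1_v15_pad(message: bytes, k: int) -> bytes:
    """Build EB = 00 || 02 || PS || 00 || D with a random nonzero PS of at least 8 bytes."""
    ps_len = k - 3 - len(message)
    if ps_len < 8:
        raise ValueError("message too long for this modulus")
    ps = bytes(secrets.choice(range(1, 256)) for _ in range(ps_len))
    return b"\x00\x02" + ps + b"\x00" + message

def pkcs1_v15_unpad(eb: bytes, k: int) -> bytes:
    """Strip the padding; the first 00 after EB2 is the separator (EB3..EB10 are nonzero)."""
    if not pkcs1_v15_conforming(eb, k):
        raise ValueError("padding incorrect")
    return eb[eb.index(0x00, 2) + 1:]

def encrypt(message: bytes) -> int:
    """Alice: C = M^e mod n, where M is the padded block read as a big-endian integer."""
    return pow(int.from_bytes(pkcs1_v15_pad(message, K), "big"), E, N)

def decrypt_block(c: int) -> bytes:
    """Bob: M = C^d mod n, written back as a k-byte block (the leading 00 reappears)."""
    return pow(c, D, N).to_bytes(K, "big")

def oracle_response(c: int) -> int:
    """The leak of slide 5: R = 1 if the padding of C^d mod n is correct, else R = 0."""
    return 1 if pkcs1_v15_conforming(decrypt_block(c), K) else 0

def blinded_plaintext(c: int, s: int) -> int:
    """Slide 6: decrypting C' = C * S^e (mod n) gives M' = M * S (mod n)."""
    return pow(c * pow(s, E, N) % N, D, N)

if __name__ == "__main__":
    c = encrypt(b"premaster")
    s = secrets.randbelow(N - 2) + 2
    print("R:", oracle_response(c), " M' == M*S mod n:", blinded_plaintext(c, s) == pow(c, D, N) * s % N)
```

For a random S the decrypted M' is almost never conforming, so R = 0; each R = 1 reply is what constrains M·S to the range shown on slide 11.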

10
Chosen-Ciphertext Attacks
  • Adaptive: the chosen ciphertexts depend on previous outcomes
  • Theoretical weakness → practical (it is easy to get information from the oracle reply)
Figure labels: Attack, Server, Kind of error
11
How the attack works: overview
Figure: Eve sends C_i = C·S_i^e (mod n) to Bob (who holds d) and receives R_i; M = C^d is unknown to her.
If a message C_i is PKCS conforming then
  2·256^(k-2) − 1 < M·S_i < 3·256^(k-2)
3 phases: blinding, slow phase and fast phase
12
Blinding
  • Yields a ciphertext c0 that corresponds to an unknown message m0

Given an integer c, choose different random integers s_i, then check, by sending them to the oracle, whether c·(s_i)^e mod n is PKCS conforming. For the first successful value s_i, set
  c0 ← c·(s_i)^e mod n
  M0 ← {[2B, 3B − 1]}   // 2·256^(k-2) − 1 < M0·S < 3·256^(k-2), i.e. B = 256^(k-2)
  i ← 1
13
Slow phase
  • The attacker tries to find small values of si for
    which the ciphertext c0(si)e mod n is PKCS
    conforming. For each successful value for si,
    the attacker computes, using previous knowledge
    about m0, a set of intervals that must contain m0.

14
Slow Phase
If (i == 1): search s_1 ≥ n/3B such that c0·(s_1)^e mod n is PKCS conforming
else if (i > 1 and |M_{i-1}| ≥ 2):   // M_i has more than one interval
    search s_i > s_{i-1} such that c0·(s_i)^e mod n is PKCS conforming
else if (M_{i-1} = {[a, b]}):   // exactly one interval
    while (!(c0·(s_i)^e mod n is PKCS conforming))
        choose (r_i, s_i) with r_i ≥ 2·(b·s_{i-1} − 2B)/n and
            (2B + r_i·n)/b ≤ s_i < (3B + r_i·n)/a
15
Fast phase
  • First two bytes of M0·s_i are correct with prob. 1/2.
  • A message is PKCS conforming with prob. > 0.09.
  • Each PKCS conforming message roughly cuts the remaining interval in half.

16
Fast Phase
After s_i has been found, the set M_i is computed as
  M_i ← ∪ [a, b]   // contained in a sufficiently small interval
  /* search s_i: s_i ≈ 2·s_{i-1} and the two sets overlap */
  for all [a, b] contained in M_{i-1} and (a·s_i − 3B + 1)/n ≤ r ≤ (b·s_i − 2B)/n
If (M_i = {[a, a]}): m ← a·(s_i)^(-1) mod n
  return m   // m is the solution to m = c^d mod n
i++; goto slowPhase()
17
Countermeasures
  • Change key pairs frequently
  • Use different key pairs for different servers
  • Check format of the message after decryption

18
Countermeasures (cont.)
  • Identical error message and same amount of time
  • Have a data block for 1024 bits key

19
Countermeasures (cont.)
  • Add structure to data value D (e.g. hash function
    on D)
  • PKCS1 v2 will support Optimal Asymmetric
    Encryption Padding (OAEP)

20
Countermeasures (cont.)
Figure: OAEP-style padding.
  • Data → padding operation (introduces redundancy) → padded data
  • Seed → masking function → XOR with the padded data → masked data
  • Masked data → masking function → XOR with the seed → masked seed
21
Access to an Oracle
  • Plain Encryption
  • Detailed Error Messages
  • Timing Attack

22
Signing and Encrypting
Some protocols (e.g. SHTTP, S/MIME) sign and encrypt messages.
Figure: Bob holds (SK_B, PK_B), Alice holds (SK_A, PK_A). Alice signs m, then encrypts m together with sig(m) to obtain C. Bob decrypts C, recovers m and sig(m), and verifies the signature.
23
Timing attacks
Decryption is sometimes done as follows:
  1. Decrypt the ciphertext C.
  2. If the padding is incorrect, return an error.
  3. Verify the signature.
  4. If the signature is incorrect, return an error.
  • Signature is verified only when padding of C is
    OK.
  • An attacker might get the information about the
    padding of C by measuring response times.
  • The message is authenticated after step 4, but
    step 2 might leak information.
  • Such protocols should be used carefully in
    client/server applications.

24
SSL Block Format
00 | 02 | padding string | 00 | 03 00 | premaster secret (46 bytes)
25
SSL Version 3.0
Figure: handshake between Client and Server.
  • Client → Server: <Client.hello> (Random, Ciphersuites)
  • Server → Client: <Server.hello> (Random, Ciphersuites, PK, Cert)
  • Client chooses the PreMaster Secret (PMS); Client → Server: <Client Key Exchange> carrying PMS encrypted under PK
  • Server decrypts the PMS and sends an error alert if the padding is incorrect
  • Client computes the master secret (MS); Client → Server: <Client.finished> with hash(MS, ...)
  • Server computes MS and verifies hash(MS, ...); Server → Client: <Server.finished>
26
SSL Version 3.0 (correction)
Figure: the same handshake with the corrected server behaviour.
  • Client → Server: <Client.hello> (Random, Ciphersuites)
  • Server → Client: <Server.hello> (Random, Ciphersuites, PK, Cert)
  • Client chooses the PreMaster Secret (PMS); Client → Server: <Client Key Exchange> carrying PMS encrypted under PK
  • Server decrypts the PMS (no alert at this point)
  • Client computes the master secret (MS); Client → Server: <Client.finished> with hash(MS, ...)
  • Server computes MS and verifies hash(MS, ...); it sends an error alert only now, if the padding or the hash is incorrect
  • Server → Client: <Server.finished>
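An added example, not from the slides, contrasting the server logic of slide 25 with the corrected logic of slide 26 at the level of the decrypted block (slide 24 format): the leaky server alerts on bad padding before Finished, while the fixed server substitutes a random PMS, does the same work on every path, and fails only at the Finished check with one generic alert. The master-secret derivation, the Finished hash, the labels and k = 128 are stand-ins constructed for this example, not SSL 3.0's actual PRF.

```python
import hashlib
import hmac
import secrets

K = 128                      # byte length of a 1024-bit modulus: the decrypted block is k bytes
PMS_LEN = 48                 # slide 24: 03 00 version bytes followed by 46 random bytes

def parse_pms_block(eb: bytes, k: int):
    """Return the 48-byte premaster secret from a decrypted SSL 3.0 block, or None if the
    block is not 00 || 02 || PS (at least 8 nonzero bytes) || 00 || 03 00 || 46 bytes."""
    if len(eb) != k or eb[:2] != b"\x00\x02":
        return None
    sep = eb.find(0x00, 2)                 # separator after the padding string
    if sep < 10:                           # a 00 among EB3..EB10, or no separator (-1)
        return None
    pms = eb[sep + 1:]
    if len(pms) != PMS_LEN or pms[:2] != b"\x03\x00":
        return None
    return pms

def master_secret(pms: bytes, client_random: bytes, server_random: bytes) -> bytes:
    # Constructed stand-in for the SSL 3.0 derivation; only its use on every path matters here.
    return hashlib.sha256(pms + client_random + server_random).digest()

def finished_hash(ms: bytes, label: bytes) -> bytes:
    return hmac.new(ms, label, hashlib.sha256).digest()

def server_leaky(eb: bytes, k: int, randoms, client_finished: bytes) -> str:
    """Slide 25 behaviour: a distinct alert as soon as the padding check fails."""
    pms = parse_pms_block(eb, k)
    if pms is None:
        return "alert: bad padding"        # tells the sender R = 0 before any Finished
    ms = master_secret(pms, *randoms)
    if not hmac.compare_digest(finished_hash(ms, b"client finished"), client_finished):
        return "alert: bad finished hash"
    return "server finished"

def server_fixed(eb: bytes, k: int, randoms, client_finished: bytes) -> str:
    """Slide 26 behaviour: on bad padding substitute a random PMS and continue, so a bad
    block and a merely wrong PMS both end in the same generic alert after the same work."""
    pms = parse_pms_block(eb, k)
    if pms is None:
        pms = b"\x03\x00" + secrets.token_bytes(46)
    ms = master_secret(pms, *randoms)
    if not hmac.compare_digest(finished_hash(ms, b"client finished"), client_finished):
        return "alert: handshake failure"
    return "server finished"
```

The constant-time comparison and the identical alert string on both failure paths are what make the padding result unobservable, which is the point of slides 18 and 26.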
27
Conclusions
  • Consider chosen-ciphertext attacks.
  • Details (e.g. error messages) do matter.
  • The phase between decryption and integrity check
    of a message is critical. No information should
    leak in that phase.
  • An integrity check should be close to the decryption
    step. (e.g. PKCS 1 v.2.0, SSL v.3.0 patch,
    Cramer-Shoup cryptosyst

28
Thank you