Title: Chosen-Ciphertext Attacks Against Protocols Based on the RSA Encryption Standard PKCS 1
Slide 1: Chosen-Ciphertext Attacks Against Protocols Based on the RSA Encryption Standard PKCS 1 (Public-Key Cryptography Standards)
Elizabeth Loza-Garay Christopher Thoma
Orosco Cynthia A Guozden Yonghua Li
Slide 2: Overview
- Introduction
- PKCS 1 description
- Description of the algorithm
- Prevention techniques
- Experimental results
- Conclusion
Slide 3: Objective
- Introduces a new adaptive chosen-ciphertext attack against protocols based on RSA
Slide 4: RSA/PKCS 1 encryption
Alice holds Bob's public key PK = (n = pq, e); Bob holds the secret key SK = (p, q, d) with e·d ≡ 1 (mod φ(n)).
Alice: message m → padding → M → encrypt C = M^e (mod n) → send C to Bob.
Bob: decrypt M = C^d (mod n) → remove padding → m.
Slide 5: Situation analyzed in this talk
Alice holds PK = (n = pq, e); Bob holds SK = (p, q, d) with e·d ≡ 1 (mod φ(n)).
Alice: message m → padding → M → C = M^e (mod n) → send C.
Bob: decrypt M = C^d (mod n) → remove padding → m, and replies R = 1 if the padding is correct, R = 0 if the padding is incorrect.
Eve observes C and Bob's reply R.
Slide 6: Chosen-ciphertext attack
Alice holds PK = (n = pq, e); Bob holds SK = (p, q, d) with e·d ≡ 1 (mod φ(n)).
Eve intercepts C and asks Bob to decrypt ciphertexts of her choice:
- Eve picks a random integer S and sends C' = C·S^e (mod n).
- Bob computes M' = C'^d mod n and replies R = 0/1 (depending on the correctness of the padding of C').
- Since M' = C^d·S = M·S (mod n), Eve recovers M = M'·S^(-1) mod n once M' is known.
Slide 7: PKCS 1 (v.1.5) padding for encryption
RSA modulus n = pq of length k bytes, i.e. 256^(k-1) < n < 256^k.
Encryption block (k bytes, most significant byte first, least significant byte last):
  00 | 02 | padding string (at least 8 bytes) | 00 | message (data block)
Slide 8: PKCS 1 (cont.)
  00 | 02 | padding string (at least 8 bytes) | 00 | message (data block)
EB = 00 || 02 || PS || 00 || D, where EB1 = 00, EB2 = 02, EB3 through EB10 are nonzero, and at least one of the bytes EB11 through EBk is 00.
Slide 9: Observations
PKCS 1 (v.1.5) padding for encryption is correct if
- the 1st byte is 00
- the 2nd byte is 02
- the next 8 bytes are different from 00
- at least one more 00 byte follows
- The least significant bit of an RSA encryption is as secure as the whole message ⇒ single bits per ciphertext may be sufficient.
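The four conditions above, written out as an added Python illustration (not code from the slides or from any PKCS library): a type-2 encoder, the conformance test an oracle would apply, and the interval 2B ≤ M < 3B (B = 256^(k-2)) that the leading bytes 00 02 imply for the block read as a big-endian integer. `k` is the modulus length in bytes.

```python
import os

def pkcs1_v15_pad(message: bytes, k: int) -> bytes:
    """Encode EB = 00 || 02 || PS || 00 || D for a k-byte modulus (PKCS#1 v1.5, block type 2)."""
    if len(message) > k - 11:          # 3 fixed bytes plus a PS of at least 8 bytes
        raise ValueError("message too long for the modulus size")
    ps = bytearray()
    while len(ps) < k - 3 - len(message):
        b = os.urandom(1)
        if b != b"\x00":               # every padding byte must be nonzero
            ps += b
    return b"\x00\x02" + bytes(ps) + b"\x00" + message

def pkcs1_v15_conforming(eb: bytes, k: int) -> bool:
    """The oracle's decision: exactly the conditions listed on the slide."""
    if len(eb) != k or eb[0] != 0x00 or eb[1] != 0x02:
        return False                   # 1st byte 00, 2nd byte 02
    if 0x00 in eb[2:10]:
        return False                   # next 8 bytes (EB3..EB10) nonzero
    return 0x00 in eb[10:]             # at least one more 00 byte (EB11..EBk)

def in_conforming_interval(m: int, k: int) -> bool:
    """Leading bytes 00 02 <=> 2B <= m < 3B with B = 256^(k-2).
    This single bit is all a padding oracle reveals about the integer m."""
    B = 256 ** (k - 2)
    return 2 * B <= m < 3 * B

def check_roundtrip(message: bytes, k: int) -> tuple:
    """Pad a message and report (conforming, in_interval, recovered_message)."""
    eb = pkcs1_v15_pad(message, k)
    m = int.from_bytes(eb, "big")
    ok = pkcs1_v15_conforming(eb, k)
    # The separator is the first 00 after the two header bytes, since PS has no 00
    recovered = eb[eb.index(b"\x00", 2) + 1:] if ok else None
    return ok, in_conforming_interval(m, k), recovered
```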
Slide 10: Chosen-Ciphertext Attacks
- Adaptive: the chosen ciphertexts depend on previous outcomes.
- Theoretical weakness ⇒ practical attack (it is easy to get information from the oracle reply).
- The attack sends chosen ciphertexts to the server and observes the kind of error it returns.
Slide 11: How the attack works: Overview
Bob holds d. Eve wants M = C^d (mod n), which she cannot compute without d; she sends C_i = C·S_i^e (mod n) and receives Bob's reply R_i.
If a message C_i is PKCS conforming then 2·256^(k-2) - 1 < M·S_i (mod n) < 3·256^(k-2).
3 phases: blinding, slow phase and fast phase.
Slide 12: Blinding
- Yields a ciphertext c0 that corresponds to an unknown message m0.
Given an integer c, choose different random integers s_i, then check, by sending them to the oracle, whether c·(s_i)^e mod n is PKCS conforming. For the first successful value s_i, set
  c0 ← c·(s_i)^e mod n
  M0 ← {[2B, 3B - 1]}   // 2·256^(k-2) - 1 < m0 = M·S < 3·256^(k-2), with B = 256^(k-2)
  i ← 1
Slide 13: Slow phase
- The attacker tries to find small values of s_i for which the ciphertext c0·(s_i)^e mod n is PKCS conforming. For each successful value of s_i, the attacker computes, using previous knowledge about m0, a set of intervals that must contain m0.
Slide 14: Slow Phase
  if (i = 1):
      search s_1 > n/(3B) such that c0·(s_1)^e mod n is PKCS conforming
  else if (i > 1 and M_(i-1) contains more than one interval):
      search s_i > s_(i-1) such that c0·(s_i)^e mod n is PKCS conforming
  else if (M_(i-1) = {[a, b]}):                     // exactly one interval
      while (!(c0·(s_i)^e mod n is PKCS conforming)):
          choose (r_i, s_i) with r_i > 2·(b·s_(i-1) - 2B)/n
          and (2B + r_i·n)/b < s_i < (3B + r_i·n)/a
Slide 15: Fast phase
- The first two bytes of M0·S_i are correct with probability 1/2.
- A message is PKCS conforming with probability > 0.09.
- Each PKCS conforming message roughly cuts the remaining interval in half.
Slide 16: Fast Phase
After s_i has been found, the set M_i is computed as
  M_i ← ∪ [a, b]          // contained in a sufficiently small interval
  /* search s_i: s_i ≈ 2·s_(i-1) and the two sets overlap */
  for all [a, b] contained in M_(i-1) and (a·s_i - 3B + 1)/n < r < (b·s_i - 2B)/n
  if (M_i = {[a, a]}):
      m ← a·(s_i)^(-1) mod n
      return m            // m is the solution to m = c^d mod n
  i ← i + 1; go to slowPhase()
Slide 17: Countermeasures
- Change key pairs frequently
- Use different key pairs for different servers
- Check the format of the message after decryption
Slide 18: Countermeasures (cont.)
- Identical error message and the same amount of time in every failure case
- Have a data block for 1024-bit keys
Slide 19: Countermeasures (cont.)
- Add structure to the data value D (e.g. a hash function on D)
- PKCS 1 v2 will support Optimal Asymmetric Encryption Padding (OAEP)
Slide 20: Countermeasures (cont.)
OAEP structure:
  Data → padding operation (introduces redundancy) → padded data
  Seed → masking function → XOR with padded data → masked data
  Masked data → masking function → XOR with seed → masked seed
  Output: masked data || masked seed
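The two masking passes of the diagram, as an added didactic Python example (not the slides' or any library's code, and not constant-time): MGF1 over SHA-256 is assumed as the masking function, the redundancy is the PKCS 1 v2 layout lHash || 00...00 || 01 || message, and decode reports every failure the same way, which is the point of placing the integrity check next to decryption.

```python
import hashlib
import os

H_LEN = 32  # output size of the hash assumed here (SHA-256)

def mgf1(seed: bytes, length: int) -> bytes:
    """Masking function MGF1: concatenate H(seed || counter) until enough mask bytes exist."""
    out = b""
    for counter in range((length + H_LEN - 1) // H_LEN):
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
    return out[:length]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def oaep_encode(message: bytes, k: int, label: bytes = b"") -> bytes:
    """Padding operation plus the two masking steps; k is the modulus size in bytes."""
    if len(message) > k - 2 * H_LEN - 2:
        raise ValueError("message too long")
    l_hash = hashlib.sha256(label).digest()
    # "Padded data": redundancy (lHash, zero padding, 0x01 marker) that decode will verify
    db = l_hash + b"\x00" * (k - len(message) - 2 * H_LEN - 2) + b"\x01" + message
    seed = os.urandom(H_LEN)
    masked_db = xor(db, mgf1(seed, k - H_LEN - 1))      # masked data
    masked_seed = xor(seed, mgf1(masked_db, H_LEN))      # masked seed
    return b"\x00" + masked_seed + masked_db

def oaep_decode(em: bytes, k: int, label: bytes = b""):
    """Undo both masks, then verify the redundancy; every failure yields the same result (None)."""
    if len(em) != k or em[0] != 0x00:
        return None
    masked_seed, masked_db = em[1:1 + H_LEN], em[1 + H_LEN:]
    seed = xor(masked_seed, mgf1(masked_db, H_LEN))
    db = xor(masked_db, mgf1(seed, k - H_LEN - 1))
    l_hash = hashlib.sha256(label).digest()
    rest = db[H_LEN:]
    marker = rest.find(b"\x01")
    # One combined verdict: wrong hash, missing marker or nonzero padding are indistinguishable
    ok = db[:H_LEN] == l_hash and marker >= 0 and not any(rest[:marker])
    return rest[marker + 1:] if ok else None
```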
Slide 21: Access to an Oracle
- Plain Encryption
- Detailed Error Messages
- Timing Attack
Slide 22: Signing and Encrypting
Some protocols (e.g. SHTTP, S/MIME) sign and encrypt messages.
Alice (SK_A, PK_A): m → sign → encrypt → C
Bob (SK_B, PK_B): C → decrypt → m, sig(m) → verify sig.
Slide 23: Timing attacks
Decryption is sometimes done as follows:
1. Decrypt the ciphertext C.
2. If the padding is incorrect, return an error.
3. Verify the signature.
4. If the signature is incorrect, return an error.
- The signature is verified only when the padding of C is OK.
- An attacker might get information about the padding of C by measuring response times.
- The message is authenticated after step 4, but step 2 might leak information.
- Such protocols should be used carefully in client/server applications.
Slide 24: SSL Block Format
  00 | 02 | padding string | 00 | 03 00 | premaster secret (46 bytes)
Slide 25: SSL Version 3.0
Client → Server: <Client.hello> (Random, Ciphersuites)
Server → Client: <Server.hello> (Random, Ciphersuites, PK, Cert)
Client: chooses PreMaster Secret (PMS)
Client → Server: <Client Key Exchange> {PMS}_PK
Server: decrypts {PMS}_PK; sends an error alert if the padding is incorrect
Client: computes master secret (MS)
Client → Server: <Client.finished> hash(MS, ...)
Server: computes MS, verifies hash(MS, ...)
Server → Client: <Server.finished>
Slide 26: SSL Version 3.0 (correction)
Client → Server: <Client.hello> (Random, Ciphersuites)
Server → Client: <Server.hello> (Random, Ciphersuites, PK, Cert)
Client: chooses PreMaster Secret (PMS)
Client → Server: <Client Key Exchange> {PMS}_PK
Server: decrypts {PMS}_PK
Client: computes master secret (MS)
Client → Server: <Client.finished> hash(MS, ...)
Server: computes MS, verifies hash(MS, ...); sends an error alert if the padding or the hash is incorrect
Server → Client: <Server.finished>
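The server-side difference between slide 25 and the corrected handshake above, as an added Python sketch that is not from the slides or from any SSL implementation. RSA decryption and unpadding are abstracted into one value `pms_or_none` (the PMS, or None on bad padding), and the master-secret derivation and Finished hash are constructed stand-ins (SHA-256 and HMAC), since only the decision logic is of interest.

```python
import hashlib
import hmac
import os

def master_secret(pms: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """Stand-in for the SSL 3.0 master-secret derivation (constructed, not the real KDF)."""
    return hashlib.sha256(pms + client_random + server_random).digest()

def finished_hash(ms: bytes, transcript: bytes) -> bytes:
    """Stand-in for the Finished message: a MAC over the handshake transcript under MS."""
    return hmac.new(ms, transcript, hashlib.sha256).digest()

def leaky_server(pms_or_none, client_finished: bytes, randoms: tuple, transcript: bytes) -> str:
    """Slide 25: the alert is sent as soon as the padding check fails, before Finished is seen."""
    if pms_or_none is None:
        return "alert: bad padding"          # distinct outcome => a padding oracle
    ms = master_secret(pms_or_none, *randoms)
    if not hmac.compare_digest(finished_hash(ms, transcript), client_finished):
        return "alert: bad finished hash"
    return "ok"

def patched_server(pms_or_none, client_finished: bytes, randoms: tuple, transcript: bytes) -> str:
    """Slide 26: on bad padding, continue with a random PMS; every failure ends in the same alert."""
    pms = pms_or_none if pms_or_none is not None else os.urandom(48)
    ms = master_secret(pms, *randoms)
    if not hmac.compare_digest(finished_hash(ms, transcript), client_finished):
        return "alert: handshake failure"   # same alert whether padding or hash was wrong
    return "ok"

def outcomes(server) -> tuple:
    """Run one honest handshake and two injected ones (bad padding / good padding, unknown PMS)."""
    randoms = (b"client-random", b"server-random")       # constructed sample values
    transcript = b"ClientHello|ServerHello|ClientKeyExchange"
    pms = b"\x03\x00" + bytes(46)                        # constructed PMS: version + 46 bytes
    honest = server(pms, finished_hash(master_secret(pms, *randoms), transcript),
                    randoms, transcript)
    # Whoever submits a forged ciphertext does not know the PMS and cannot build a valid Finished
    forged_fin = bytes(32)
    return (honest,
            server(None, forged_fin, randoms, transcript),
            server(pms, forged_fin, randoms, transcript))
```

With the correction, the two injected cases are indistinguishable to the client, so the padding check no longer acts as an oracle.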
Slide 27: Conclusions
- Consider chosen-ciphertext attacks.
- Details (e.g. error messages) do matter.
- The phase between decryption and the integrity check of a message is critical. No information should leak in that phase.
- An integrity check should be close to the decryption step (e.g. PKCS 1 v.2.0, the SSL v.3.0 patch, the Cramer-Shoup cryptosystem).
Slide 28: Thank you