Applied Cryptography - Protocols, Algorithms, and Source Code in C

# 5 rabin rabins scheme 12831601 gets its security from


ilistic; what happens if p or q is composite? Well, first you can make the odds of that happening as small as you want. And if it does happen, the odds are that encryption and decryption won’t work properly—you’ll notice right away. There are a few numbers, called Carmichael numbers, which certain probabilistic primality algorithms will fail to detect. These are exceedingly rare, but they are insecure [746]. Honestly, I wouldn’t worry about it.

## Chosen Ciphertext Attack against RSA

Some attacks work against the implementation of RSA. These are not attacks against the basic algorithm, but against the protocol. It’s important to realize that it’s not enough to use RSA. Details matter.

Scenario 1: Eve, listening in on Alice’s communications, manages to collect a ciphertext message, c, encrypted with RSA in her public key. Eve wants to be able to read the message. Mathematically, she wants m, in which

$$m = c^d$$

To recover m, she first chooses a random number, r, such that r is less than n. She gets Alice’s public key, e. Then she computes

$$x = r^e \bmod n$$

$$y = xc \bmod n$$

$$t = r^{-1} \bmod n$$

If $x = r^e \bmod n$, then $r = x^d \bmod n$.

Now, Eve gets Alice to sign y with her private key, thereby decrypting y. (Alice has to sign the message, not the hash of the message.) Remember, Alice has never seen y before. Alice sends Eve

$$u = y^d \bmod n$$

Now, Eve computes

$$tu \bmod n = r^{-1}y^d \bmod n = r^{-1}x^dc^d \bmod n = c^d \bmod n = m$$

Eve now has m.

Scenario 2: Trent is a computer notary public. If Alice wants a document notarized, she sends it to Trent. Trent signs it with an RSA digital signature and sends it back. (No one-way hash functions are used here; Trent encrypts the entire message with his private key.) Mallory wants Trent to sign a message he otherwise wouldn’t. Maybe it has a phony timestamp; maybe it purports to be from another person. Whatever the reason, Trent would never sign it if he had a choice. Let’s call this message m’.

First, Mallory chooses an arbitrary value x and computes $y = x^e \bmod n$. He can easily get e; it...
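The algebra of Scenario 1 checked numerically, as an added example that is not from the book. It shows that t·u mod n equals m only when Alice signs the message itself, and that signing a one-way hash of it breaks the identity. The toy key (p = 61, q = 53, e = 17), the message value, the function names and the SHA-256 reduction mod n are all assumptions made for illustration.

```python
import hashlib
from math import gcd

# Constructed toy key (classic textbook values, far too small for real use).
P, Q = 61, 53
N = P * Q                            # 3233
E = 17
D = pow(E, -1, (P - 1) * (Q - 1))    # 2753

def digest_mod_n(value: int) -> int:
    """SHA-256 of the value, reduced mod N so the toy key can sign it."""
    raw = value.to_bytes((N.bit_length() + 7) // 8, "big")
    return int.from_bytes(hashlib.sha256(raw).digest(), "big") % N

def sign_raw(y: int) -> int:
    """Alice signs the message itself: u = y^d mod n (the case in Scenario 1)."""
    return pow(y, D, N)

def sign_hashed(y: int) -> int:
    """Alice signs a one-way hash of the message instead of the message."""
    return pow(digest_mod_n(y), D, N)

def verify_hashed(y: int, sig: int) -> bool:
    """Verifier recomputes the hash and compares it with sig^e mod n."""
    return pow(sig, E, N) == digest_mod_n(y)

def unblind_after_signing(c: int, r: int, signer) -> int:
    """Carry out Scenario 1's arithmetic and return t*u mod n."""
    if gcd(r, N) != 1:
        raise ValueError("r must be invertible mod n")
    x = pow(r, E, N)       # x = r^e mod n
    y = (x * c) % N        # y = xc mod n, a value Alice has never seen
    t = pow(r, -1, N)      # t = r^-1 mod n
    u = signer(y)          # what Alice returns for y
    return (t * u) % N

if __name__ == "__main__":
    m = 1234                         # constructed plaintext, m < n
    c = pow(m, E, N)                 # ciphertext under Alice's public key
    for r in (2, 3, 5, 7, 11):
        print(r, unblind_after_signing(c, r, sign_raw),
              unblind_after_signing(c, r, sign_hashed))
```

With `sign_raw` every row reproduces m; with `sign_hashed` the result no longer tracks m, because the hash of y has no multiplicative relation to c.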

## This note was uploaded on 10/18/2010 for the course MATH CS 301 taught by Professor Aliulger during the Fall '10 term at Koç University.
